From patchwork Wed Aug 17 12:46:13 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Tunnicliffe X-Patchwork-Id: 3483 Return-Path: X-Original-To: patchwork@peony.canonical.com Delivered-To: patchwork@peony.canonical.com Received: from fiordland.canonical.com (fiordland.canonical.com [91.189.94.145]) by peony.canonical.com (Postfix) with ESMTP id 8032923F46 for ; Wed, 17 Aug 2011 12:46:16 +0000 (UTC) Received: from mail-ew0-f52.google.com (mail-ew0-f52.google.com [209.85.215.52]) by fiordland.canonical.com (Postfix) with ESMTP id 500C4A18237 for ; Wed, 17 Aug 2011 12:46:15 +0000 (UTC) Received: by ewy28 with SMTP id 28so486590ewy.11 for ; Wed, 17 Aug 2011 05:46:15 -0700 (PDT) Received: by 10.213.32.131 with SMTP id c3mr1220415ebd.94.1313585174926; Wed, 17 Aug 2011 05:46:14 -0700 (PDT) X-Forwarded-To: linaro-patchwork@canonical.com X-Forwarded-For: patch@linaro.org linaro-patchwork@canonical.com Delivered-To: patches@linaro.org Received: by 10.213.102.5 with SMTP id e5cs15870ebo; Wed, 17 Aug 2011 05:46:14 -0700 (PDT) Received: from mr.google.com ([10.213.29.76]) by 10.213.29.76 with SMTP id p12mr90519ebc.74.1313585174403 (num_hops = 1); Wed, 17 Aug 2011 05:46:14 -0700 (PDT) Received: by 10.213.29.76 with SMTP id p12mr67322ebc.74.1313585174202; Wed, 17 Aug 2011 05:46:14 -0700 (PDT) Received: from indium.canonical.com (indium.canonical.com [91.189.90.7]) by mx.google.com with ESMTPS id y7si2846067weq.112.2011.08.17.05.46.14 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 17 Aug 2011 05:46:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of bounces@canonical.com designates 91.189.90.7 as permitted sender) client-ip=91.189.90.7; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of bounces@canonical.com designates 91.189.90.7 as permitted sender) smtp.mail=bounces@canonical.com Received: from ackee.canonical.com ([91.189.89.26]) by 
indium.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1QtfVd-0004a4-Lc for ; Wed, 17 Aug 2011 12:46:13 +0000 Received: from ackee.canonical.com (localhost [127.0.0.1]) by ackee.canonical.com (Postfix) with ESMTP id 9C546E043E for ; Wed, 17 Aug 2011 12:46:13 +0000 (UTC) MIME-Version: 1.0 X-Launchpad-Project: linaro-image-tools X-Launchpad-Branch: ~linaro-image-tools/linaro-image-tools/trunk X-Launchpad-Message-Rationale: Subscriber X-Launchpad-Branch-Revision-Number: 407 X-Launchpad-Notification-Type: branch-revision To: Linaro Patch Tracker 
From: noreply@launchpad.net Subject: [Branch ~linaro-image-tools/linaro-image-tools/trunk] Rev 407: Improved the error handling around how linaro-fetch-image interacts with GPG. Message-Id: <20110817124613.26983.10039.launchpad@ackee.canonical.com> Date: Wed, 17 Aug 2011 12:46:13 -0000 Reply-To: noreply@launchpad.net Sender: bounces@canonical.com Errors-To: bounces@canonical.com Precedence: bulk X-Generated-By: Launchpad (canonical.com); Revision="13697"; Instance="initZopeless config overlay" X-Launchpad-Hash: 87da0e6f5af0e423e01e1feaedc945da890f2f40 Merge authors: James Tunnicliffe (dooferlad) Related merge proposals: https://code.launchpad.net/~dooferlad/linaro-image-tools/fetch_image_improve_gpg_error_handling/+merge/71584 proposed by: James Tunnicliffe (dooferlad) review: Approve - James Westby (james-w) ------------------------------------------------------------ revno: 407 [merge] committer: James Tunnicliffe branch nick: linaro-image-tools timestamp: Wed 2011-08-17 13:43:50 +0100 message: Improved the error handling around how linaro-fetch-image interacts with GPG. modified: linaro_image_tools/fetch_image.py linaro_image_tools/tests/test_utils.py linaro_image_tools/utils.py --- lp:linaro-image-tools https://code.launchpad.net/~linaro-image-tools/linaro-image-tools/trunk You are subscribed to branch lp:linaro-image-tools. To unsubscribe from this branch go to https://code.launchpad.net/~linaro-image-tools/linaro-image-tools/trunk/+edit-subscription === modified file 'linaro_image_tools/fetch_image.py' --- linaro_image_tools/fetch_image.py 2011-07-28 13:37:20 +0000 +++ linaro_image_tools/fetch_image.py 2011-08-15 16:57:07 +0000 
@@ -387,8 +387,8 @@ def _check_downloads(self): self.get_sig_files() - self.verified_files, self.gpg_sig_ok = utils.verify_file_integrity( - self.sig_files) + (self.verified_files, self.gpg_sig_ok, + self.gpg_out) = utils.verify_file_integrity(self.sig_files) # Expect to have 2 sha1sum files (one for hwpack, one for OS bin) self.have_sha1sums = len(self.sha1_files) ==2 
@@ -442,22 +442,42 @@ # matches the sha1sums we will re-download any failing hwpack # and OS binary files in the if below. - self._download_sigs_gen_download_list(force_download=True) - self._check_downloads() - - if(self.have_sha1sums and self.have_gpg_sigs - and not self.gpg_sig_ok): - # If after re-trying the downloads we still can't get a GPG - # signature match on a sha1sum file (and both files exist) - # the abort. - message = "Package signature check failed. Aborting" + no_pubkey_search = re.search("\[GNUPG:\] NO_PUBKEY (\S+)", + self.gpg_out) + if no_pubkey_search: + message = ("Package signature check failed.\n" + "To check package signatures, please import " + "key {0}") + # The GPG output we are using gives us the long key format, + # which doesn't match anything in the key management app + # that ships with Ubuntu Desktop. The last 8 digits though + # are the short key, which are what we normally deal with. + # That is, this seems to be the case. I haven't found any + # answers after searching around about the long keyID format, + # but this works for keys I have tested with... + message = message.format(no_pubkey_search.group(1)[-8:]) if self.event_queue: - self.event_queue.put("message", message) - self.event_queue.put("abort") + self.event_queue.put(("message", message)) else: print >> sys.stderr, message - return [], False + else: + self._download_sigs_gen_download_list(force_download=True) + self._check_downloads() + + if(self.have_sha1sums and self.have_gpg_sigs + and not self.gpg_sig_ok): + # If after re-trying the downloads we still can't get a GPG + # signature match on a sha1sum file (and both files exist) + # tell the user. + message = "Package signature check failed" + if self.event_queue: + self.event_queue.put(("message", message)) + self.event_queue.put("abort") + else: + print >> sys.stderr, message + + return [], False if(self.have_sha1sums and self.gpg_sig_ok or not self.have_gpg_sigs): 
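Review bot: The key ID shown in the new NO_PUBKEY message comes from the signature on the download being checked, and `no_pubkey_search.group(1)[-8:]` then cuts it to a 32-bit short ID, so the prompt asks the user to import whichever key signed the file, under an identifier that is known to be ambiguous. It would be safer to name the signing key the project expects (its full fingerprint, obtained from a trusted place) and to report the ID from gpg only as diagnostic detail, untruncated: `message = message.format(no_pubkey_search.group(1))`. The pattern is also better written as a raw string, `r"\[GNUPG:\] NO_PUBKEY (\S+)"`. The enclosing method begins and ends outside this hunk, and the page has lost indentation, so the placement of the final `return [], False` could not be checked.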
@@ -479,8 +499,8 @@ self.event_queue, force_download=True) - (self.verified_files, - self.gpg_sig_ok) = utils.verify_file_integrity(self.sig_files) + (self.verified_files, self.gpg_sig_ok, + self.gpg_out) = utils.verify_file_integrity(self.sig_files) to_retry = self._unverified_files() @@ -490,7 +510,7 @@ # corrupt. Display a message to the user and quit. message = "Download retry failed. Aborting" if self.event_queue: - self.event_queue.put("message", message) + self.event_queue.put(("message", message)) self.event_queue.put("abort") else: print >> sys.stderr, message @@ -500,9 +520,6 @@ hwpack = os.path.basename(self.downloaded_files[hwpack_url]) hwpack_verified = (hwpack in self.verified_files) and self.gpg_sig_ok - if self.event_queue: # Clear messages, if any, from GUI - self.event_queue.put(("message", "")) - return self.downloaded_files, hwpack_verified === modified file 'linaro_image_tools/tests/test_utils.py' --- linaro_image_tools/tests/test_utils.py 2011-07-21 17:41:19 +0000 +++ linaro_image_tools/tests/test_utils.py 2011-08-15 11:09:36 +0000 @@ -107,7 +107,7 @@ self.MockCmdRunnerPopen())) hash_filename = "dummy-file.txt" signature_filename = hash_filename + ".asc" - verified_files, _ = verify_file_integrity([signature_filename]) + verified_files, _, _ = verify_file_integrity([signature_filename]) self.assertEqual(self.filenames_in_shafile, verified_files) def test_check_file_integrity_and_print_errors(self): === modified file 'linaro_image_tools/utils.py' --- linaro_image_tools/utils.py 2011-07-21 17:41:19 +0000 +++ linaro_image_tools/utils.py 2011-08-15 16:57:07 +0000 @@ -22,6 +22,7 @@ import subprocess import re import logging +import tempfile try: from CommandNotFound import CommandNotFound 
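Review bot: The test_utils.py hunk only widens the unpacking to `verified_files, _, _` and never asserts the new third return value, so the failure path this revision is about (gpg exits non-zero and its status output is handed back) has no coverage in the visible test. A companion test whose mocked `cmd_runner.run` raises `SubcommandNonZeroReturnValue` could assert that `gpg_sig_ok` is false and that the returned status text is what the status file contained. The test method starts outside the hunk, so existing coverage elsewhere in the file cannot be ruled out.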
@@ -43,21 +44,27 @@ """ gpg_sig_ok = True + gpg_out = "" verified_files = [] for sig_file in sig_file_list: hash_file = sig_file[0:-len('.asc')] + tmp = tempfile.NamedTemporaryFile() try: - cmd_runner.run(['gpg', '--verify', sig_file]).wait() + cmd_runner.run(['gpg', '--status-file={0}'.format(tmp.name), + '--verify', sig_file]).wait() except cmd_runner.SubcommandNonZeroReturnValue: gpg_sig_ok = False + gpg_out = gpg_out + tmp.read() + + tmp.close() if os.path.dirname(hash_file) == '': sha_cwd = None else: sha_cwd = os.path.dirname(hash_file) - + try: sha1sums_out, _ = cmd_runner.Popen( ['sha1sum', '-c', hash_file], @@ -73,14 +80,14 @@ if sha1_check: verified_files.append(sha1_check.group(1)) - return verified_files, gpg_sig_ok + return verified_files, gpg_sig_ok, gpg_out def check_file_integrity_and_log_errors(sig_file_list, binary, hwpacks): """ Wrapper around verify_file_integrity that prints error messages to stderr if verify_file_integrity finds any problems. """ - verified_files, gpg_sig_pass = verify_file_integrity(sig_file_list) + verified_files, gpg_sig_pass, _ = verify_file_integrity(sig_file_list) # Check the outputs from verify_file_integrity # Abort if anything fails.
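Review bot: `verify_file_integrity` still derives `gpg_sig_ok` from gpg's exit status alone, so a good signature from any key in the caller's keyring is accepted, and the status output captured here is only passed back for the caller to search for NO_PUBKEY. Now that `--status-file` is collected, the function could require a `[GNUPG:] VALIDSIG` line whose fingerprint equals the expected signing key (a value the project would have to supply) before reporting success. Passing the signed file explicitly, `'--verify', sig_file, hash_file`, would also tie the check to the sha1sum file that is later given to `sha1sum -c` rather than to whatever content the `.asc` file carries. Indentation is lost on this page, so it is unclear whether `tmp.read()` runs only in the `except` branch; in either case an exception other than `SubcommandNonZeroReturnValue` skips `tmp.close()`, which a `try`/`finally` around the gpg call would avoid. The function's signature is outside the hunk.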