[Pkg-utopia-maintainers] Bug#1098951: ostree: FTBFS against gpg 2.4.7-5: FAIL: tests/test-gpg-verify-result

Simon McVittie smcv at debian.org
Wed Feb 26 19:47:51 GMT 2025


Control: forwarded -1 https://github.com/ostreedev/ostree/issues/3386
Control: tags -1 + upstream help

On Wed, 26 Feb 2025 at 15:44:37 +0100, Andreas Metzler wrote:
> ostree throws a testsuite error against gpg 2.4.7-5:
> 
> FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key - OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key: 'key_expired' should be TRUE

I've sent more analysis to the upstream issue report
https://github.com/ostreedev/ostree/issues/3386. The tl;dr version is that
libostree is testing its own ability to verify GPG signatures by inspecting
commits that were signed by keys that are intentionally bad in various ways
(expired, revoked, etc.), and asserting that it sees the expected error
code/message from libgpgme.

With the new gnupg2, in several situations it seems that it reports a
missing key (GPGME_SIGSUM_KEY_MISSING, OSTREE_GPG_ERROR_MISSING_KEY,
"Can't check signature: public key not found") instead of the more specific
error code that was previously seen.

> Ostree's autopkgtest throws more errors, which I do not see on a local
> rebuild in sid chroot.

I think this is probably just because the build-time tests are failing
as soon as a failure has been recorded, whereas the autopkgtest runs all
test-cases even if one of them already failed; so you might be seeing
failures in the autopkgtest for things that the build-time test never
got as far as even attempting.

The other failures in the autopkgtest seem to be:

> 264s File 'err.txt' doesn't match regexp 'Key expired'
> 325s File 'test2-show' matches regexp 'public key not found'

which seem like the same class of failure: libostree's command-line
interface is not outputting "Key expired" when it was expected to, and
it is outputting "public key not found" when it was not expected to.
That seems consistent with gpg reporting "public key not found" more
often.

I would appreciate it if someone who knows GPG better than I do could help
upstream to understand whether this is a gpg regression, or libostree or
its test suite using gpg wrong in a way that was not previously diagnosed,
or something else.

    smcv


