Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qvm-template fails silently with repo_gpgcheck=1 #7414

Open
3hhh opened this issue Apr 3, 2022 · 16 comments · Fixed by QubesOS/qubes-core-agent-linux#451
Open

qvm-template fails silently with repo_gpgcheck=1 #7414

3hhh opened this issue Apr 3, 2022 · 16 comments · Fixed by QubesOS/qubes-core-agent-linux#451
Labels
affects-4.1 This issue affects Qubes OS 4.1. affects-4.2 This issue affects Qubes OS 4.2. C: core C: templates diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@3hhh
Copy link

3hhh commented Apr 3, 2022
edited
Loading

How to file a helpful issue

Qubes OS release

4.1

Brief summary

Enforcing signed metadata for the template repo causes `qvm-template' to not find any templates anymore.

Steps to reproduce

  1. Set repo_gpgcheck=1 in /etc/qubes/repo-templates/qubes-templates.repo.
  2. Run qvm-template list --available.

Expected behavior

Error on the signature check failing or ideally list of templates available to install.

Actual behavior

Error: "No templates available".
@3hhh 3hhh added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Apr 3, 2022
@DemiMarie DemiMarie self-assigned this Apr 3, 2022
@DemiMarie
Copy link

Thanks for the report. This is certainly wrong.

I believe what is happening is that the check for signed repository metadata in dom0 fails. This is expected behavior, since dom0 metadata is generated within dom0 and so cannot be signed. That said, the error message is unacceptably poor. Will fix.

@marmarek
Copy link
Member

marmarek commented Apr 3, 2022

I believe what is happening is that the check for signed repository metadata in dom0 fails.

I don't think so. qvm-template does nothing related to repository metadata in dom0 - at dom0 side dnf is not involved at all.

@3hhh what template your updatevm uses? Is it maybe some older Debian?

@3hhh
Copy link
Author

3hhh commented Apr 3, 2022 via email

@andrewdavidwong andrewdavidwong added C: templates needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Apr 4, 2022
@andrewdavidwong andrewdavidwong added this to the Release 4.1 updates milestone Apr 4, 2022
@Nurmagoz
Copy link

Nurmagoz commented Apr 4, 2022

I can confirm this (using fedora-34 for updateVM)

[user@dom0 ~]$ sudo nano /etc/qubes/repo-templates/qubes-templates.repo 
[user@dom0 ~]$ sudo qubes-dom0-update --show-output --console
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
warning: Converting database from bdb_ro to sqlite backend
Fedora 32 - x86_64                               13 kB/s | 6.0 kB     00:00    
Fedora 32 - x86_64 - Updates                    7.7 kB/s | 5.9 kB     00:00    
Qubes Dom0 Repository (updates)                 6.9 kB/s | 2.7 kB     00:00    
Qubes Dom0 Repository (security-testing)        6.9 kB/s | 2.9 kB     00:00    
Dependencies resolved.
Nothing to do.
Complete!
No packages downloaded
Qubes OS Repository for Dom0                                                         2.9 MB/s | 3.0 kB     00:00    
[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-34
Redirecting to 'qvm-template install  fedora-34'
usage: qvm-template [--verbose] [--quiet] [--help] [--repo-files REPO_FILES] [--keyring KEYRING]
                    [--updatevm UPDATEVM] [--enablerepo REPOID] [--disablerepo REPOID] [--repoid REPOS]
                    [--releasever RELEASEVER] [--refresh] [--cachedir CACHEDIR] [--keep-cache] [--yes]
                    {install,reinstall,downgrade,upgrade,download,list,info,search,remove,purge,clean,repolist} ...
qvm-template: error: Template 'fedora-34' not found.
[user@dom0 ~]$ sudo nano /etc/qubes/repo-templates/qubes-templates.repo 
[user@dom0 ~]$ sudo qubes-dom0-update --show-output --console
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
warning: Converting database from bdb_ro to sqlite backend
Fedora 32 - x86_64                               14 kB/s | 6.0 kB     00:00    
Fedora 32 - x86_64 - Updates                    7.8 kB/s | 5.9 kB     00:00    
Qubes Dom0 Repository (updates)                 7.0 kB/s | 2.7 kB     00:00    
Qubes Dom0 Repository (security-testing)        6.8 kB/s | 2.9 kB     00:00    
Dependencies resolved.
Nothing to do.
Complete!
No packages downloaded
Qubes OS Repository for Dom0                                                         2.9 MB/s | 3.0 kB     00:00    
[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-34
Redirecting to 'qvm-template install  fedora-34'
Template 'fedora-34' already installed, skipping... (You may want to use the {reinstall,upgrade,downgrade} operations.)
[user@dom0 ~]$

Different is:

With

[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-34
Redirecting to 'qvm-template install  fedora-34'
usage: qvm-template [--verbose] [--quiet] [--help] [--repo-files REPO_FILES] [--keyring KEYRING]
                    [--updatevm UPDATEVM] [--enablerepo REPOID] [--disablerepo REPOID] [--repoid REPOS]
                    [--releasever RELEASEVER] [--refresh] [--cachedir CACHEDIR] [--keep-cache] [--yes]
                    {install,reinstall,downgrade,upgrade,download,list,info,search,remove,purge,clean,repolist} ...
qvm-template: error: Template 'fedora-34' not found.

Without

[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-34
Redirecting to 'qvm-template install  fedora-34'
Template 'fedora-34' already installed, skipping... (You may want to use the {reinstall,upgrade,downgrade} operations.)

@adrelanos adrelanos mentioned this issue Jun 13, 2022
Closed
@marmarek
Copy link
Member

Is it still the case? We don't have repo_gpgcheck in template repositories, so the problem doesn't apply by default. If it can be made working, great. Otherwise, maybe we should add a clear failure like "repo_gpgcheck=1 is not supported for template repositories" (if such setting is detected).

@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels May 26, 2023
@DemiMarie
Copy link

@marmarek what would it take to sign the template metadata?

@marmarek
Copy link
Member

@marmarek what would it take to sign the template metadata?

The metadata is signed. The issue is IIUC about its verification in the updatevm, if you opt in for it.

@3hhh
Copy link
Author

3hhh commented May 27, 2023

Is it still the case?

Yes.

We don't have repo_gpgcheck in template repositories, so the problem doesn't apply by default. If it can be made working, great. Otherwise, maybe we should add a clear failure like "repo_gpgcheck=1 is not supported for template repositories" (if such setting is detected).

I think I had looked into this setting as part of QSB 67, which it might have prevented.

It's also weird that qubes-dom0-update works with that setting, but qvm-template doesn't. IMO that's a regression from times where qubes-dom0-update was also used to install templates.

@andrewdavidwong andrewdavidwong added the affects-4.1 This issue affects Qubes OS 4.1. label Aug 8, 2023
@andrewdavidwong andrewdavidwong removed this from the Release 4.1 updates milestone Aug 13, 2023
@DemiMarie
Copy link

Culprit is a missing package dependency: the needed to verify the metadata are provided by the qubes-repo-templates package, but qubes-core-agent-dom0-updates doesn’t depend on that package, so neither whonix-workstation-17 nor debian-12 has it installed. The qubes-repo-templates package is tiny (less than 20KiB) so having qubes-core-agent-dom0-updates depend on it is the simplest fix.

@DemiMarie DemiMarie mentioned this issue Aug 17, 2023
Merged
@marmarek
Copy link
Member

Isn't that layering violation? qvm-template tool sends repository definitions to the updatevm, so having it also requiring repo definitions being installed in updatevm sounds weird. I guess the missing part are keys, right? Can they be inlined into repo definition file?

@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Aug 17, 2023
@DemiMarie
Copy link

I don’t think so @marmarek.

@marmarek
Copy link
Member

Can we then invent some (like, put the key in a specially marked comment, that updatevm-side script will extract)?
Installing them in a VM is not a big deal for official repos, but it's going to be problematic when using 3rd-party repos.

@DemiMarie
Copy link

Can we then invent some (like, put the key in a specially marked comment, that updatevm-side script will extract)? Installing them in a VM is not a big deal for official repos, but it's going to be problematic when using 3rd-party repos.

Let’s get the official repos fixed first. That’s a much simpler fix and so less likely to cause any regressions. A general fix will be more complex, so it will take longer and be more likely to cause regressions.

@marmarek marmarek reopened this Sep 10, 2023
@andrewdavidwong andrewdavidwong added this to the Release 4.2 milestone Sep 10, 2023
Closed
@marmarek marmarek removed this from the Release 4.2 milestone Oct 6, 2023
marmarek pushed a commit to QubesOS/qubes-core-agent-linux that referenced this issue Oct 8, 2023
@DemiMarie @marmarek
Fix qubes.TemplateSearch with repo_gpgcheck=1
029be8f 
qubes-core-agent-dom0-updates was missing a dependency on
qubes-repo-templates, so the OpenPGP keys needed with repo_gpgcheck=1
weren't available to DNF.  Also add -y to the DNF command line so that
it imports these keys without a prompt.

Fixes: QubesOS/qubes-issues#7414
(cherry picked from commit 81454a9)
Closed
@DemiMarie DemiMarie removed their assignment Mar 6, 2024
@andrewdavidwong andrewdavidwong added the eol-4.1 Closed because Qubes 4.1 has reached end-of-life (EOL) label Dec 7, 2024
@github-actions GitHub Actions

This comment was marked as outdated.

Sign in to view
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 7, 2024
@Nurmagoz
Copy link

Nurmagoz commented Dec 7, 2024

Let’s get the official repos fixed first. That’s a much simpler fix and so less likely to cause any regressions. A general fix will be more complex, so it will take longer and be more likely to cause regressions.

Fixed or not yet?

@DemiMarie
Copy link

Currently only fixed for the official repos.

@DemiMarie DemiMarie reopened this Dec 8, 2024
@andrewdavidwong andrewdavidwong added affects-4.2 This issue affects Qubes OS 4.2. and removed eol-4.1 Closed because Qubes 4.1 has reached end-of-life (EOL) labels Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects-4.1 This issue affects Qubes OS 4.1. affects-4.2 This issue affects Qubes OS 4.2. C: core C: templates diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix qubes.TemplateSearch with repo_gpgcheck=1 DemiMarie/qubes-core-agent-linux
5 participants
@marmarek @DemiMarie @andrewdavidwong @Nurmagoz @3hhh