gpg error on Focal while submitting any message and document #5499

Closed
3 tasks
kushaldas opened this issue Sep 16, 2020 · 1 comment · Fixed by #5556

@kushaldas

Description

On the Focal staging environment, if we submit any document or message, the server throws an internal error.

Steps to Reproduce

  • molecule converge -s libvirt-staging-focal -- --tags grsecurity
  • Submit any message to the source interface.

Expected Behavior

  • the submission should happen without any error

Actual Behavior

Shows error on the source interface.

The error message in the log shows

[Thu Aug 06 13:44:25.276849 2020] [wsgi:error] [pid 21956:tid 139648340838144] ERROR:gnupg:Unable to close outstream <_io.BufferedWriter name=17>:\r\t[Errno 32] Broken pipe
[Thu Aug 06 13:44:25.278281 2020] [wsgi:error] [pid 21956:tid 139648332445440] WARNING:gnupg:FAILURE status emitted from gpg process: encrypt 9
[Thu Aug 06 13:44:25.285559 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] ERROR:flask.app:Exception on /submit [POST]
[Thu Aug 06 13:44:25.285889 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] Traceback (most recent call last):
[Thu Aug 06 13:44:25.286036 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 2292, in wsgi_app
[Thu Aug 06 13:44:25.286103 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     response = self.full_dispatch_request()
[Thu Aug 06 13:44:25.286154 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1815, in full_dispatch_request
[Thu Aug 06 13:44:25.286201 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     rv = self.handle_user_exception(e)
[Thu Aug 06 13:44:25.286250 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1718, in handle_user_exception
[Thu Aug 06 13:44:25.286297 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     reraise(exc_type, exc_value, tb)
[Thu Aug 06 13:44:25.286393 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/_compat.py", line 35, in reraise
[Thu Aug 06 13:44:25.286474 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     raise value
[Thu Aug 06 13:44:25.286548 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1813, in full_dispatch_request
[Thu Aug 06 13:44:25.286597 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     rv = self.dispatch_request()
[Thu Aug 06 13:44:25.286645 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1799, in dispatch_request
[Thu Aug 06 13:44:25.286697 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     return self.view_functions[rule.endpoint](**req.view_args)
[Thu Aug 06 13:44:25.287239 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/source_app/decorators.py", line 12, in decorated_function
[Thu Aug 06 13:44:25.287328 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     return f(*args, **kwargs)
[Thu Aug 06 13:44:25.287375 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/source_app/main.py", line 185, in submit
[Thu Aug 06 13:44:25.287447 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     current_app.storage.save_message_submission(
[Thu Aug 06 13:44:25.287513 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/store.py", line 362, in save_message_submission
[Thu Aug 06 13:44:25.287576 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     current_app.crypto_util.encrypt(message, self.__gpg_key, msg_loc)
[Thu Aug 06 13:44:25.287644 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/crypto_util.py", line 326, in encrypt
[Thu Aug 06 13:44:25.287694 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     raise CryptoException(out.stderr)
[Thu Aug 06 13:44:25.287746 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] crypto_util.CryptoException: gpg: 65A1B5FF195B56353CC63DFFCC40EF1228271441: skipped: No public key
[Thu Aug 06 13:44:25.287795 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] [GNUPG:] INV_RECP 1 65A1B5FF195B56353CC63DFFCC40EF1228271441
[Thu Aug 06 13:44:25.287843 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] [GNUPG:] FAILURE encrypt 9
[Thu Aug 06 13:44:25.287887 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] gpg: [stdin]: encryption failed: No public key

But the files/messages actually show up in /var/lib/securedrop/store in proper encrypted form.

Comments

Suggestions to fix, any other relevant information.
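
An added example, not part of the original issue or SecureDrop's code: pulling GnuPG's machine-readable status lines out of the error log above to see which recipient gpg rejected and why. The function names are hypothetical, and the reason-code table is a subset of the one in GnuPG's doc/DETAILS.

```python
import re

# INV_RECP reason codes, a subset of the table in GnuPG's doc/DETAILS.
INV_RECP_REASONS = {
    0: "no specific reason given",
    1: "not found",
    3: "wrong key usage",
    4: "key revoked",
    5: "key expired",
    13: "key disabled",
}

# A GnuPG status line, whatever prefix (timestamp, pid, remote address)
# the web server logged in front of it.
STATUS_RE = re.compile(r"\[GNUPG:\] (?P<keyword>[A-Z0-9_]+)(?P<args>(?: \S+)*)\s*$")

def parse_status(lines):
    """Yield (keyword, args) for every GnuPG status line found in `lines`."""
    for line in lines:
        match = STATUS_RE.search(line)
        if match:
            yield match.group("keyword"), match.group("args").split()

def invalid_recipients(lines):
    """Map each rejected recipient to the reason gpg gave for rejecting it."""
    rejected = {}
    for keyword, args in parse_status(lines):
        if keyword == "INV_RECP" and len(args) >= 2 and args[0].isdigit():
            code = int(args[0])
            rejected[args[1]] = INV_RECP_REASONS.get(code, f"reason code {code}")
    return rejected

def failures(lines):
    """Return (operation, error code) for each FAILURE status line."""
    return [(args[0], int(args[1])) for keyword, args in parse_status(lines)
            if keyword == "FAILURE" and len(args) >= 2 and args[1].isdigit()]

# Messages copied from the log in this issue; the log prefix is shortened.
PREFIX = "[Thu Aug 06 13:44:25 2020] [wsgi:error] [...] "
SAMPLE = [
    PREFIX + "WARNING:gnupg:FAILURE status emitted from gpg process: encrypt 9",
    PREFIX + "[GNUPG:] INV_RECP 1 65A1B5FF195B56353CC63DFFCC40EF1228271441",
    PREFIX + "[GNUPG:] FAILURE encrypt 9",
    PREFIX + "gpg: [stdin]: encryption failed: No public key",
]

if __name__ == "__main__":
    print(invalid_recipients(SAMPLE), failures(SAMPLE))
```

A "not found" reason for a key that was imported successfully points at a keyring mismatch rather than a missing import.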

@kushaldas

In Focal, the gpg2 tool imports the journalist key into the pubring.kbx keyring, but when we use it via the Python module, it uses the pubring.gpg keyring.

The following diff solves the problem. Question for the team: is this a good way to move forward?

diff --git a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
index 8d0892bcb..70732a84c 100644
--- a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
+++ b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
@@ -11,6 +11,7 @@
   command: >
     su -s /bin/bash -c 'gpg
     --homedir {{ securedrop_data }}/keys
+    --no-default-keyring --keyring {{ securedrop_data }}/keys/pubring.gpg
     --import {{ securedrop_data }}/{{ securedrop_app_gpg_public_key }}' {{ securedrop_user }}
   register: gpg_app_key_import
   changed_when: "'imported: 1' in gpg_app_key_import.stderr"
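
Review bot: the added `--no-default-keyring --keyring {{ securedrop_data }}/keys/pubring.gpg` line pins the import to the legacy keyring file, but nothing in the task says why. Add a comment above the command noting that the application reads pubring.gpg through the Python module while gpg2 on Focal would otherwise import into pubring.kbx, so a later cleanup does not drop the option. The keys directory is now spelled out twice (`--homedir` and `--keyring`); a single variable for it would keep the two from drifting apart. A follow-up task that lists the key with the same `--no-default-keyring --keyring` options would also help, since `changed_when` only inspects the import's stderr.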

kushaldas added a commit that referenced this issue Sep 30, 2020
`make dev-focal` will start a Focal container with SecureDrop
running.
Also updates the gpg2 --import command to import into the
pubring.gpg keyring file explicitly. Related Ansible change
is tracked via

#5499
kushaldas added a commit that referenced this issue Oct 6, 2020
kushaldas added a commit that referenced this issue Oct 7, 2020
kushaldas added a commit that referenced this issue Oct 8, 2020
kushaldas added a commit that referenced this issue Oct 21, 2020
kushaldas added a commit that referenced this issue Oct 29, 2020
kushaldas added a commit that referenced this issue Nov 4, 2020