gpg error on Focal while submitting any message and document #5499

kushaldas · 2020-09-16T12:46:46Z

Description

On Focal staging environment, if we submit any document or message, the server throws internal error.

Steps to Reproduce

molecule converge -s libvirt-staging-focal -- --tags grsecurity
Submit any message to the source interface.

Expected Behavior

the submission should happen without any error

Actual Behavior

Shows error on the source interface.

The error message in the log shows

[Thu Aug 06 13:44:25.276849 2020] [wsgi:error] [pid 21956:tid 139648340838144] ERROR:gnupg:Unable to close outstream <_io.BufferedWriter name=17>:\r\t[Errno 32] Broken pipe
[Thu Aug 06 13:44:25.278281 2020] [wsgi:error] [pid 21956:tid 139648332445440] WARNING:gnupg:FAILURE status emitted from gpg process: encrypt 9
[Thu Aug 06 13:44:25.285559 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] ERROR:flask.app:Exception on /submit [POST]
[Thu Aug 06 13:44:25.285889 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] Traceback (most recent call last):
[Thu Aug 06 13:44:25.286036 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 2292, in wsgi_app
[Thu Aug 06 13:44:25.286103 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     response = self.full_dispatch_request()
[Thu Aug 06 13:44:25.286154 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1815, in full_dispatch_request
[Thu Aug 06 13:44:25.286201 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     rv = self.handle_user_exception(e)
[Thu Aug 06 13:44:25.286250 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1718, in handle_user_exception
[Thu Aug 06 13:44:25.286297 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     reraise(exc_type, exc_value, tb)
[Thu Aug 06 13:44:25.286393 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/_compat.py", line 35, in reraise
[Thu Aug 06 13:44:25.286474 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     raise value
[Thu Aug 06 13:44:25.286548 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1813, in full_dispatch_request
[Thu Aug 06 13:44:25.286597 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     rv = self.dispatch_request()
[Thu Aug 06 13:44:25.286645 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/flask/app.py", line 1799, in dispatch_request
[Thu Aug 06 13:44:25.286697 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     return self.view_functions[rule.endpoint](**req.view_args)
[Thu Aug 06 13:44:25.287239 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/source_app/decorators.py", line 12, in decorated_function
[Thu Aug 06 13:44:25.287328 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     return f(*args, **kwargs)
[Thu Aug 06 13:44:25.287375 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/source_app/main.py", line 185, in submit
[Thu Aug 06 13:44:25.287447 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     current_app.storage.save_message_submission(
[Thu Aug 06 13:44:25.287513 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/store.py", line 362, in save_message_submission
[Thu Aug 06 13:44:25.287576 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     current_app.crypto_util.encrypt(message, self.__gpg_key, msg_loc)
[Thu Aug 06 13:44:25.287644 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]   File "/var/www/securedrop/crypto_util.py", line 326, in encrypt
[Thu Aug 06 13:44:25.287694 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676]     raise CryptoException(out.stderr)
[Thu Aug 06 13:44:25.287746 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] crypto_util.CryptoException: gpg: 65A1B5FF195B56353CC63DFFCC40EF1228271441: skipped: No public key
[Thu Aug 06 13:44:25.287795 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] [GNUPG:] INV_RECP 1 65A1B5FF195B56353CC63DFFCC40EF1228271441
[Thu Aug 06 13:44:25.287843 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] [GNUPG:] FAILURE encrypt 9
[Thu Aug 06 13:44:25.287887 2020] [wsgi:error] [pid 21956:tid 139648384747264] [remote 127.0.0.1:44676] gpg: [stdin]: encryption failed: No public key

But, the files/message are actually shows in /var/lib/securedrop/store in proper encrypted form.

Comments

Suggestions to fix, any other relevant information.

The text was updated successfully, but these errors were encountered:

kushaldas · 2020-09-30T16:06:05Z

In Focal, gpg2 tool is importing the journalist key in the pubring.kbx keyring, but when we are using it via the Python module, it uses pubring.gpg keyring.

The following diff solves the problem, question for the team, if this is a good way to move forward.

diff --git a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
index 8d0892bcb..70732a84c 100644
--- a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
+++ b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
@@ -11,6 +11,7 @@
   command: >
     su -s /bin/bash -c 'gpg
     --homedir {{ securedrop_data }}/keys
+    --no-default-keyring --keyring {{ securedrop_data }}/keys/pubring.gpg
     --import {{ securedrop_data }}/{{ securedrop_app_gpg_public_key }}' {{ securedrop_user }}
   register: gpg_app_key_import
   changed_when: "'imported: 1' in gpg_app_key_import.stderr"

`make dev-focal` will start a Focal container with SecureDrop running. Also updates the gpg2 --import command to import into the pubring.gpg keyring file explictly. Related Ansible change is tracked via #5499

kushaldas mentioned this issue Sep 16, 2020

Support for Ubuntu 20.04 (Focal) #4768

Closed

53 tasks

kushaldas mentioned this issue Sep 30, 2020

Adds dev-focal to run SecureDrop on Focal container #5544

Merged

12 tasks

rmol mentioned this issue Oct 5, 2020

Add Focal staging environment for Qubes #5556

Merged

2 tasks

zenmonkeykstop closed this as completed in #5556 Oct 16, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gpg error on Focal while submitting any message and document #5499

gpg error on Focal while submitting any message and document #5499

kushaldas commented Sep 16, 2020

kushaldas commented Sep 30, 2020