[Bug 1910432] Re: dirmngr doesn't work with kernel parameter ipv6.disable=1

Heitor Alves de Siqueira 1910432 at bugs.launchpad.net
Wed Jan 27 19:56:42 UTC 2021 

Validated for Groovy according to test case from description:
root at groovy-vm:~# dpkg -l | grep dirmngr
ii  dirmngr                        2.2.20-1ubuntu1.1                   amd64        GNU privacy guard - network certificate management service
root at groovy-vm:~# apt-key adv --fetch-keys https://www.postgreSQL.org/media/keys/ACCC4CF8.asc
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.T6PKzVoAlh/gpg.1.sh --fetch-keys https://www.postgreSQL.org/media/keys/ACCC4CF8.asc
gpg: requesting key from 'https://www.postgreSQL.org/media/keys/ACCC4CF8.asc'
gpg: key 7FCC7D46ACCC4CF8: public key "PostgreSQL Debian Repository" imported
gpg: Total number processed: 1
gpg:               imported: 1
root at groovy-vm:~# grep ipv6.disable /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.8.0-41-generic root=UUID=e45ec002-fa78-4256-b1a6-1e43d865e0d0 ro ipv6.disable=1 quiet splash console=tty1 console=ttyS0 vt.handoff=7

I also ran a simple test with v4/v6 exclusive connections as well as a dual
stack connection, to make sure we didn't introduce any major regressions:
root at groovy-vm:~# apt-key adv --fetch-keys https://ipv4.google.com
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.iPyobLuCUo/gpg.1.sh --fetch-keys https://ipv4.google.com
gpg: requesting key from 'https://ipv4.google.com'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
root at groovy-vm:~# apt-key adv --fetch-keys https://ipv6.google.com
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.XheKPph16K/gpg.1.sh --fetch-keys https://ipv6.google.com
gpg: requesting key from 'https://ipv6.google.com'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
root at groovy-vm:~# apt-key adv --fetch-keys https://www.postgreSQL.org/media/keys/ACCC4CF8.asc
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.SUZHNyCoc0/gpg.1.sh --fetch-keys https://www.postgreSQL.org/media/keys/ACCC4CF8.asc
gpg: requesting key from 'https://www.postgreSQL.org/media/keys/ACCC4CF8.asc'
gpg: key 7FCC7D46ACCC4CF8: "PostgreSQL Debian Repository" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1


** Tags removed: verification-needed-groovy
** Tags added: verification-done-groovy

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1910432

Title:
  dirmngr doesn't work with kernel parameter ipv6.disable=1

Status in gnupg2 package in Ubuntu:
  Fix Released
Status in gnupg2 source package in Bionic:
  In Progress
Status in gnupg2 source package in Focal:
  Fix Committed
Status in gnupg2 source package in Groovy:
  Fix Committed
Status in gnupg2 source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  apt-key fails to fetch keys with "Address family not supported by protocol"

  [Description]
  We've had users report issues about apt-key being unable to fetch keys when IPv6 is disabled. As the mentioned kernel command line parameter disables IPV6 socket support, servers that allow/respond with IPv6 will cause connect_server() to fail with EAFNOSUPPORT.

  As this error is not being handled in some version of dirmngr, it'll
  simply fail the connection and could cause other processes to fail as
  well. In the test scenario below, it's easy to demonstrate this
  behaviour through apt-key.

  This has been reported upstream, and has been fixed with the following commit:
  - dirmngr: Handle EAFNOSUPPORT at connect_server. (109d16e8f644)

  The fix has been present upstream starting with GnuPG 2.22, so it's
  not currently available in any Ubuntu releases.

  [Test Case]
  1. Spin up Focal VM

  2. Disable IPv6:
  $ sudo vi /etc/default/grub
  (...)
  GRUB_CMDLINE_LINUX="ipv6.disable=1"
  $ sudo update-grub

  3. Reboot the VM

  4. Try to fetch a key:
  sudo apt-key adv --fetch-keys https://www.postgreSQL.org/media/keys/ACCC4CF8.asc

  You'll get the following error:
  gpg: WARNING: unable to fetch URI https://www.postgresql.org/media/keys/ACCC4CF8.asc: Address family not supported by protocol

  [Regression Potential]
  The patch introduces additional error handling when connecting to servers, to properly mark remote hosts as having valid IPv4 and/or IPv6 connectivity. We should look out for potential regressions when connecting to servers with exclusive IPv4 or IPv6 connectivity, to make sure the server is not getting marked as 'dead' due to missing one of the versions.
  This commit has also been tested in the corresponding Ubuntu series, and has been deemed safe for backporting to stable branches of upstream GnuPG. The overall regression potential for this change should be fairly low, and breakage should be easily spotted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1910432/+subscriptions

More information about the foundations-bugs mailing list