Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use --batch option for refreshing release key to resolve graphical updater issues #4233

Merged
merged 2 commits into from
Mar 14, 2019
Merged

Use --batch option for refreshing release key to resolve graphical updater issues #4233

merged 2 commits into from
Mar 14, 2019

Conversation

KwadroNaut
Copy link
Contributor

@KwadroNaut KwadroNaut commented Mar 6, 2019
edited
Loading

Status

Ready for review

Description of Changes

Fixes #4100

Changes proposed in this pull request:

By using --batch for refreshing the release key, there's no tty, and the described error will not happen and you can update the key and workstation without manual intervention.

Testing

It's imperative to launch the gui-updater not from a terminal, since this is a known work-around. I've tested with a 0.11 workstation, tried to update with an up-to-date Tails by using the gui.

Deployment

Should improve updates and upgrades. Not aware of any effects to fresh installs.

Checklist

If you made changes to the server application code:

  • Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

I find the setup process burden a bit too high for a random passer-by, I don't have a admin development container, sorry.

Trivial code change:

I looked at admin/tests/ but it looks like they're all launched with a TTY available.

@eloquence eloquence changed the title resolves #4100 Use --batch option for refreshing release key to resolve graphical updater issues Mar 6, 2019
kushaldas
kushaldas previously approved these changes Mar 7, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worked as expected. Approved. Thank you.

@zenmonkeykstop
Copy link
Contributor

Confirmed, tested by checking out branch on Admin Workstation and bouncing the network connection. Updater appears and update to latest release completes as expected.

@kushaldas
Copy link
Contributor

I will merge this after chatting with @zenmonkeykstop once in the evening.

redshiftzero
redshiftzero reviewed Mar 8, 2019
View reviewed changes
admin/securedrop_admin/__init__.py Outdated
@@ -642,7 +642,7 @@ def check_for_updates(args):


def get_release_key_from_keyserver(args, keyserver=None, timeout=45):
gpg_recv = ['timeout', str(timeout), 'gpg', '--recv-key']
gpg_recv = ['timeout', str(timeout), 'gpg', '--batch', '--recv-key']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should add --no-tty also to be on the safe side (so that gpg doesn't try to write output to the tty, which doesn't exist). From the gpg docs:

--no-tty
     Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because 
     GnuPG sometimes prints warnings to the TTY if if --batch is used.

cc @kushaldas @zenmonkeykstop

Copy link
Contributor Author

@KwadroNaut KwadroNaut Mar 9, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks once again to catch the specialties and tame GnuPG. Updated per your suggestion. However I pushed that change, and then ran into a broken test.
In admin/tests/test_integration.py test_update_fails_when_no_signature_present checks the cli contained output like "Signature verification failed" not sure on the best way forward, feel free to edit my changes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KwadroNaut I think the test failure was due to keyserver flakiness. I've had the test suite pass several times. The only consistent problem is a linting problem; flake8 wants the second line of arguments to start after the opening bracket of the list: securedrop_admin/__init__.py:646:13: E128 continuation line under-indented for visual indent. If you have time to slide that over and push again, great, otherwise a maintainer will just do it later in the week. Thanks again!

@KwadroNaut KwadroNaut force-pushed the recv branch 2 times, most recently from 5042837 to 95ac980 Compare March 9, 2019 17:26
@kushaldas
Copy link
Contributor

kushaldas commented Mar 12, 2019
edited
Loading 

INFO: Verifying signature on latest update...
gpg: key 0x310F561200F4AD77: "SecureDrop Release Signing Key" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
INFO: Signature verification successful.
Note: checking out '0.12.0'.

I guess we are ready to merge it. @redshiftzero any thoughts?

kushaldas
kushaldas suggested changes Mar 12, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KwadroNaut The tests are failing.

@conorsch
Copy link
Contributor

Tacked on a commit to fix the linting error that @kushaldas flagged. Assuming CI passes, please re-review, @kushaldas!

@KwadroNaut
Copy link
Contributor Author

Thanks @conorsch !

@conorsch
Copy link
Contributor

CI error in https://circleci.com/gh/freedomofpress/securedrop/24326 indicates that a rebase is required, will push one up shortly. We're aiming to include this change in 0.12.1.

kwadronaut and others added 2 commits March 13, 2019 10:09
Resolves freedomofpress#4100
6143a17 
you don't have an interactive prompt in the gui-updater, so you
shouldn't use a tty and --batch or --no-tty is meant for such tings.

--no-tty
     Make sure that the TTY (terminal) is never used for any output.
This option is needed in some cases because
     GnuPG sometimes prints warnings to the TTY if if --batch is used.

--batch
Use batch mode.  Never ask, do not allow interactive commands.

The test, which uses a subshell, is looking for errors on the cli, this
should be changed.
Feed flake8 on securedrop-admin keyserver cmd
1a3e22b 
The commit from @KwadroNaut added a few options, and flake8 was
characteristically opinionated about whitespace surrounding the change.
Updated the whitespace, without changes to the logic as written by
@KwadroNaut.
@conorsch
Copy link
Contributor

Rebased on top of 10a2eee (latest develop).

kushaldas
kushaldas approved these changes Mar 14, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All tests are passing. Approved 👍

@kushaldas kushaldas merged commit 7d58693 into freedomofpress:develop Mar 14, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rmol rmol rmol left review comments

@redshiftzero redshiftzero redshiftzero left review comments

@kushaldas kushaldas kushaldas approved these changes

@emkll emkll Awaiting requested review from emkll

@heartsucker heartsucker Awaiting requested review from heartsucker

@msheiny msheiny Awaiting requested review from msheiny

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@KwadroNaut @zenmonkeykstop @kushaldas @conorsch @redshiftzero @rmol