Mandos-client failing when run inside initramfs of Ubuntu 24.04
Pablo Abelenda
pabelenda at igalia.com
Tue Oct 22 13:21:57 CEST 2024
On 9/9/24 03:58, Teddy Hogeborn wrote:
> Joe Rhodes <joe at joerhodes.com> writes:
>
>>> I’ve been using Mandos server/client for a while now with Ubuntu
>>> 22.04. Recently, I’ve attempted to use it under Ubuntu 24.04 and
>>> the client is failing. The critical log messages (when using
>>> --debug) are:
>>>
> […]
>>> Mandos plugin mandos-client: Trying to decrypt OpenPGP data
>>> Mandos plugin mandos-client: bad gpgme_op_decrypt: GnuPG: No secret key
> […]
>>> Any help would be greatly appreciated!
>>
>> So answering my own question:
>>
>> The issue is that the gpg-agent and gpgconfig binaries are not being
>> included in the initramfs under ubuntu 24.04. That stems from the
>> fact that the libgpgme11 library has been renamed in 24.04 to
>> libgpgme11t64. Because of that, the initramfs hook
>> /usr/share/initramfs-tools/hooks/mandos doesn’t work correctly.
>> Specifically, line 183 of that script:
>>
>> libgpgme11_version="`dpkg-query --showformat='${Version}' --show libgpgme11`"
>>
>> That line returns an empty string under Ubuntu 24.04 but works
>> correctly under 22.04. It then doesn’t match the logic conditions
>> later on, and the gpg utilities do not get included. A simple fix
>> that allows it to work on both Ubuntu 22.04 and 24.04 would be to just
>> add an asterisk at the end of that line:
>>
>> libgpgme11_version="`dpkg-query --showformat='${Version}' --show libgpgme11*`"
>>
>> This is the work around I’ll use for now. Not sure if it would be
>> possible to get either this fix or something more sophisticated
>> included in a new version?
>
> Thanks for the analysis! Fixed in trunk. By the way, this was
> independently reported to Ubuntu as Launchpad bug #2068014:
> <https://bugs.launchpad.net/ubuntu/+source/mandos/+bug/2068014>
>
> /Teddy Hogeborn
Hi!
I'm having a similar problem in Debian trixie, running mandos-client
1.8.17. This is returning an empty line:
```
dpkg-query --showformat='${Version}\n' --show libgpgme11t64 libgpgme11 2>/dev/null | head --lines=1
```
If I remove the head I get the two lines, one empty, one with the
version of libgpgme11t64:
```
dpkg-query --showformat='${Version}\n' --show libgpgme11t64 libgpgme11 2>/dev/null
1.18.0-6+b1
```
At the beginning I just moved forward by removing libgpgme11 out of the
dpkg-query statement but I ended up writing this. Hope it's useful:
```
# GPGME needs GnuPG
gpg=/usr/bin/gpg
# Default package name; overridden below for releases that ship libgpgme11t64
libgpgme11_package=libgpgme11
codename=`lsb_release -cs`
if [ "$codename" = "trixie" ] || [ "$codename" = "noble" ]
then
    libgpgme11_package=libgpgme11t64
fi
# Query only the selected package, so no empty line precedes the version
libgpgme11_version="`dpkg-query --showformat='${Version}\n' --show $libgpgme11_package 2>/dev/null | head --lines=1`"
```
Thanks for developing mandos. I've been using it since 2016 and it's
been a blessing.
Best,
--
Pablo Abelenda
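
An added example, not part of the message above and not code from the Mandos hook: one way to take the first non-empty version line from the dpkg-query output described above, so the result does not depend on a list of release codenames. The function names are hypothetical and the sample output is constructed from the values quoted in the message.

```shell
#!/bin/sh
# Added example; not code from the Mandos initramfs hook.

# Print the first non-empty line read from stdin (nothing if there is none).
first_nonempty_version() {
    awk 'NF { print; exit }'
}

# Hypothetical wrapper: query every candidate package name and keep the
# first version that is actually filled in.
gpgme_version() {
    dpkg-query --showformat='${Version}\n' --show "$@" 2>/dev/null \
        | first_nonempty_version
}

# Constructed dpkg-query output matching the report above: an empty line
# ahead of the libgpgme11t64 version.
sample_output() {
    printf '\n1.18.0-6+b1\n'
}

# What the pipeline with head returns on that output (an empty string).
with_head() {
    sample_output | head -n 1
}

# What the filter returns on the same output.
with_filter() {
    sample_output | first_nonempty_version
}

printf 'head -n 1 : "%s"\n' "$(with_head)"
printf 'filter    : "%s"\n' "$(with_filter)"
```

In a hook this would be called as `gpgme_version libgpgme11t64 libgpgme11`; an empty result then means neither package is installed.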