"This patch set was created without a push certificate" in Gerrit 2.12


Henrik Sköllermark

Jan 14, 2016, 4:34:18 PM
to Repo and Gerrit Discussion
Hi!

First I want to shout out a big thanks to Dave Borowitz at Google for the GPG additions in 2.12!

Background: I've been a Gerrit administrator at work since version 2.8 and now we use 2.11. We plan to upgrade to 2.12 within the next five months or so, mainly due to the support for GPG verification. Since 2.12 is now out I decided to test it at home on my local PC to play around with GPG signed commits, tags and signed pushes.

I have managed to sign commits and to sign the pushes to Gerrit as well, but I'm confused by the message "This patch set was created without a push certificate" on the change screen.

Here are the important steps of what I did:

1. Initialized gerrit-2.12.war in an empty directory and chose the h2 database type and development_become_any_account as authentication method

2. Logged in as admin to set "Enable signed push" and "Require signed push" to TRUE

3. Created a project named "gpg-test"

4. Created a user "laban" with full name "Henrik Sköllermark" and filled in email address, SSH key and GPG key

5. Cloned the project "gpg-test" using the "laban" user

6. Set the git configuration "user.signingkey" for git to find a GPG key at all

7. Signed a commit:
$ git commit --allow-empty -s -S -m 'Empty signed #4'

You need a passphrase to unlock the secret key for
user: "Henrik Sköllermark (Gerrit test) <REPL...@kryo.se>"
2048-bit RSA key, ID EF7309FF, created 2015-10-21

[master bdb3156] Empty signed #4

8. Verified the GPG signature:
$ git log -1 --show-signature 
commit bdb31560e2245683a235d6fb32f5f1050b7c922e
gpg: Signature made tor 14 jan 2016 21:33:49 CET using RSA key ID EF7309FF
gpg: Good signature from "Henrik Sköllermark (Gerrit test) <REPLACED@kryo.se>"
Author: Henrik Sköllermark <REPLACED@kryo.se>
Date:   Thu Jan 14 21:33:49 2016 +0100

    Empty signed #4
    
    Change-Id: I803d3c93d72fb963d919497c3f83afa8042ec376
    Signed-off-by: Henrik Sköllermark <REPLACED@kryo.se>

9. Sign pushed it for review:
$ git push --signed origin HEAD:refs/publish/master

You need a passphrase to unlock the secret key for
user: "Henrik Sköllermark (Gerrit test) <REPLACED@kryo.se>"
2048-bit RSA key, ID EF7309FF, created 2015-10-21

Counting objects: 1, done.
Writing objects: 100% (1/1), 637 bytes | 0 bytes/s, done.
Total 1 (delta 0), reused 0 (delta 0)
remote: Processing changes: new: 1, refs: 1, done    
remote: 
remote: New Changes:
remote:   http://127.0.0.1:8080/4 Empty signed #4
remote: 
To ssh://la...@localhost.localdomain:29418/gpg-test
 * [new branch]      HEAD -> refs/publish/master

When I visit the change in Gerrit I see "Owner: Henrik Sköllermark ?" and the question mark icon has the alt text "This patch set was created without a push certificate".

Clearly I have signed the push, and the fact that Gerrit accepts the change at all is proof of that, since I have the setting "Require signed push: TRUE" in All-Projects. My idea is that Gerrit can't figure out that it's really me somehow. How does the signature validation work? I have a GPG key with ID EF7309FF added to my "laban" account. The account's name is "Henrik Sköllermark" but my name in the GPG key is "Henrik Sköllermark (Gerrit test)". Could that cause some problems? The email address matches, however.

Notes:
* During initialization I chose to download and install "Bouncy Castle Crypto SSL v152"
* During initialization I set the admin account's email address to my email address. I later added a bogus email to the admin account and removed my own email address from the admin account using the SSH command "set-account --delete-email" so that I was allowed to add my email address to the "laban" account instead.
* My system is running Fedora 22

Am I doing it wrong or is there a bug in this new feature?


Best regards
Henrik Laban Sköllermark
Malmö, Sweden

David Ostrovsky

Jan 16, 2016, 9:13:31 AM
to Repo and Gerrit Discussion
One problem that I've found with the current implementation is that
the database type for the PUSH_CERTIFICATE column in the PATCH_SET
table is too small. With this patch applied: [1], I got this error:

  too long certificate description: 729 allowed only 255 char long

After changing the type of PUSH_CERTFICATE to CLOB, as is the
case for the ACCOUNT_SSH_KEYS.SSH_PUBLIC_KEY column, with:

  alter table PATCH_SETS modify PUSH_CERTFICATE clob

I was able to upload a signed push, and the verification just worked: [2].

But if you were able to upload a signed push, did the database insert operation
work in your case? Can you check if the PUSH_CERTFICATE column
was populated for your patch set, e.g.:

  select PUSH_CERTFICATE from PATCH_SETS where CHANGE_ID = XXX and PATCH_SET_ID = YYY;

  PUSH_CERTFICATE
  ------------------------------
  certificate version 0.1
  pusher 42ABC...



Dave Borowitz

Jan 16, 2016, 4:56:50 PM
to David Ostrovsky, Repo and Gerrit Discussion
On Sat, Jan 16, 2016 at 9:13 AM, David Ostrovsky <david.o...@gmail.com> wrote:

On Thursday, January 14, 2016 at 10:34:18 PM UTC+1, Henrik Sköllermark wrote:
Hi!

First I want to shout out a big thanks to Dave Borowitz at Google for the GPG additions in 2.12!

Thanks :)
 

Sorry about that, I forgot about this "feature" of gwtorm. Definitely interested to see if the truncation is causing that error.

There may also be a bug, though; we should probably have a different error message if verification fails.


Henrik Sköllermark

Jan 18, 2016, 4:32:38 PM
to David Ostrovsky, Repo and Gerrit Discussion
Aha! The patch sets were created but the PUSH_CERTFICATE column (misspelled) is NULL for all my five patch sets on this test instance of Gerrit 2.12.
I see that you have fixed this problem in Change #73879, which I just posted a review comment on. The solution doesn't work for me though.

I tried changing the database schema using
gerrit> alter table PATCH_SETS modify PUSH_CERTFICATE clob
and then starting Gerrit (I made the change using java -jar ... gsql), but the push_certficate column is still NULL when sign pushing a new change.

My error log says nothing except that the PluginScanner seems to reload all my plugins every minute. I don't know if that's a known issue.

Do you have any more ideas what might be wrong? I am surprised that you have content in your push_certficate field.
Regards
Henrik Sköllermark

Henrik Sköllermark

Jan 18, 2016, 5:29:16 PM
to Repo and Gerrit Discussion
On Mon, Jan 18, 2016 at 10:32 PM, Henrik Sköllermark <la...@kryo.se> wrote:

My error log says nothing except that the PluginScanner seems to reload all my plugins every minute. I don't know if that's a known issue.


Since I think that is a quite severe problem, and I cannot see any previously reported problems, I documented the behavior in Issue 3821. If the error_log is flooded with plugin reloads, it's hard to see if you have other problems.

Regards Henrik 

David Ostrovsky

Jan 19, 2016, 2:27:59 AM
to Repo and Gerrit Discussion

On Monday, January 18, 2016 at 10:32:38 PM UTC+1, Henrik Sköllermark wrote:
Aha! The patch sets were created but the PUSH_CERTFICATE column (misspelled) is NULL for all my five patch sets on this test instance of Gerrit 2.12.
I see that you have fixed this problem in Change #73879, which I just posted a review comment on. The solution doesn't work for me though.

Yeah, I expected that, because in my case I had a SQL error saying that the
column size is too small. So you might have something different. The easiest
way would be to set up a development environment and put a breakpoint. But
I've added this verbose output to ReceiveCommits to see if the negotiation
between the Git client and JGit was OK: [1]. Could you re-try the signed push with this
patch applied?

What Git client version are you using? In my case it is:

  $ git --version
  git version 2.6.2


David Pursehouse

Jan 19, 2016, 7:24:21 AM
to Henrik Sköllermark, Repo and Gerrit Discussion
This sounds like the same issue that Dariusz was fixing in [1].  We couldn't reproduce it on stable-2.12, and the fix was abandoned.

Henrik Sköllermark

Jan 19, 2016, 4:19:30 PM
to Repo and Gerrit Discussion
On Tue, Jan 19, 2016 at 1:24 PM, David Pursehouse <david.pu...@sonymobile.com> wrote:
This sounds like the same issue that Dariusz was fixing in [1].  We couldn't reproduce it on stable-2.12, and the fix was abandoned.
Just for the record, I can mention that Dariusz's change has been re-opened and that I still see the problem on the latest stable-2.12.

This is off topic in this thread though, so I guess we should not discuss the matter here anymore and use the Issue and the Change instead.

Henrik Sköllermark

Jan 19, 2016, 6:49:56 PM
to David Ostrovsky, Repo and Gerrit Discussion
Now I have finally set up a build environment with buck! No Eclipse yet though.

I have tried. I applied the patch and ran "buck build gerrit", copied buck-out/gen/gerrit/gerrit.war, ran java -jar gerrit.war init -d review in the same location as I have used before and chose to update review/bin/gerrit.war. Then I started Gerrit, but I see nothing in error_log when I push. :( So I have some build problems apparently. "git diff" shows that I have applied the patch correctly.

What Git client version are you using? In my case it is:

  $ git --version
  git version 2.6.2

I use Git 2.4.3 on Fedora 22.
David Ostrovsky

Jan 21, 2016, 2:51:37 AM
to Repo and Gerrit Discussion

On Wednesday, January 20, 2016 at 12:49:56 AM UTC+1, Henrik Sköllermark wrote:
I have tried. I applied the patch and ran "buck build gerrit", copied buck-out/gen/gerrit/gerrit.war, ran java -jar gerrit.war init -d review in the same location as I have used before and chose to update review/bin/gerrit.war. Then I started Gerrit, but I see nothing in error_log when I push. :( So I have some build problems apparently. "git diff" shows that I have applied the patch correctly.

I think this is because stderr output is lost. I amended the patch to write to
the logging system: [1]. With this patch applied, I'm seeing:

[2016-01-21 08:39:21,467] [ReceiveCommits-1] ERROR com.google.gerrit.server.git.ReceiveCommits : PGP certificate: certificate version 0.1
pusher <PGP-key-id> ...

You should also set GIT_TRACE=2 in your shell. With this verbose setting,
the git client should tell you that `gpg` is invoked on a signed push attempt:

  $ export GIT_TRACE=2
  $ git push g --signed HEAD:refs/for/master
  08:42:48.860802 run-command.c:338       trace: run_command: 'ssh' '-p' '29418' 'davido@localhost' 'git-receive-pack '\''/test_project'\'''
  08:42:48.989354 run-command.c:338       trace: run_command: 'gpg' '-bsau' '<PGP-key-id>'
  [...]

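The certificate David shows being stored in PUSH_CERTFICATE (and, above, logged by ReceiveCommits) follows the push-certificate layout from Git's pack protocol documentation: a header (certificate version, pusher, pushee, nonce), a blank line, one `<old-sha> <new-sha> <refname>` line per ref update, then the PGP signature. The parser below is an added example, not Gerrit's or Git's own code; the certificate it parses is constructed with placeholder values (the key id EF7309FF is the one from this thread), and the registration check is a triage aid, not signature verification.

```python
import re

# Constructed sample in the layout Git's pack-protocol docs give for
# `git push --signed`; nonce, SHAs and signature body are placeholders.
SAMPLE_CERT = """certificate version 0.1
pusher EF7309FF 1452803629 +0100
pushee ssh://localhost.localdomain:29418/gpg-test
nonce 1452803629-0123456789abcdef

0000000000000000000000000000000000000000 bdb31560e2245683a235d6fb32f5f1050b7c922e refs/publish/master
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-BODY
-----END PGP SIGNATURE-----
"""

def parse_push_certificate(text):
    """Split a push certificate into header fields, ref updates and the
    PGP block; raise ValueError when the layout is not what Git emits."""
    sig_start = text.find("-----BEGIN PGP SIGNATURE-----")
    if sig_start < 0 or "-----END PGP SIGNATURE-----" not in text:
        raise ValueError("certificate has no PGP signature block")
    body, signature = text[:sig_start], text[sig_start:]
    header, sep, commands = body.partition("\n\n")
    if not sep:
        raise ValueError("missing blank line between header and commands")
    cert = {"updates": [], "signature": signature}
    for line in header.splitlines():
        if line.startswith("certificate version "):
            cert["version"] = line[len("certificate version "):]
        else:  # pusher, pushee, nonce
            key, _, value = line.partition(" ")
            cert[key] = value
    for line in commands.splitlines():
        m = re.fullmatch(r"([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)", line)
        if not m:
            raise ValueError("malformed command line: %r" % line)
        cert["updates"].append(m.groups())
    return cert

def pusher_key_registered(cert, registered_key_ids):
    """Triage, not Gerrit's verification: the identity Git put in the 'pusher'
    line (from user.signingkey) must be a key id registered on the account and
    the certificate must be complete. Short key ids are not unique, so this
    explains a mismatch; trusting the push still needs the signature to verify."""
    if cert.get("version") != "0.1" or not cert.get("nonce") or not cert["updates"]:
        return False
    pusher_key = cert.get("pusher", "").split(" ")[0].upper()
    return pusher_key in {k.upper() for k in registered_key_ids}
```

Run against the text stored in the PUSH_CERTFICATE column (or the ReceiveCommits log line) to see at a glance whether the certificate arrived intact and whether the signing key named in it is one the account actually has registered.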

garden...@gmail.com

Jul 25, 2016, 8:23:34 AM
to Repo and Gerrit Discussion, la...@kryo.se, david.pu...@sonymobile.com
My database is MySQL (the type of push_certficate is text), and I met the same problem, that is: after "git push --signed" succeeds, the Gerrit UI still shows "This patch set was created without a push certificate". Could you help me check that? Thanks very much in advance.

On Tuesday, January 19, 2016 at 8:24:21 PM UTC+8, David Pursehouse wrote: