BuilderV2 tries to kill GPG agent and fails with split-gpg2 #9477

Closed
ben-grande opened this issue Sep 25, 2024 · 1 comment
Labels
C: builder Qubes Builder P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. R: self-closed Voluntarily closed by the person who opened it before another resolution occurred. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@ben-grande

Qubes OS release

R4.2

Brief summary

I use split-gpg2 in the qubes-builder qube that holds the builder configuration.

This was working before (at the end of July)... for now, as it is only the prep stage, I will disable split-gpg2-client on the client.

Steps to reproduce

Enable split-gpg2-client in the builder qube and configure the GPG agent on the target to have the necessary keys in the correct folder.

Expected behavior

Builder can verify repository.

Actual behavior

Builder conf (qusal-builder/keys has my key):

---

git:
  baseurl: https://github.com
  prefix: ben-grande/
  branch: main
  maintainers:
    - DF3834875B65758713D92E91A475969DE4E371E3

key-dirs:
  - ../qusal-builder/keys/
backend-vmm: xen
debug: true
verbose: true
qubes-release: r4.2
timeout: 3600

skip-git-fetch: false
fetch-versions-only: false

distributions:
  - host-fc37

components:
  - builder-rpm:
      branch: main
      packages: false
      url: https://github.com/QubesOS/qubes-builder-rpm
      maintainers:
        - 0064428F455451B3EBE78A7F063938BA42CFA724
  - qubes-qvm-screenshot-tool:
      branch: master
      verification-mode: less-secure-signed-commits-sufficient
      maintainers:
        - DF3834875B65758713D92E91A475969DE4E371E3

Builder logs

$ ./qb package fetch
[qb] Running stage 'fetch'
[qb.fetch.builder-rpm] builder-rpm: source already fetched. Updating.
[qb.fetch.builder-rpm.fetch] Using executor local:/tmp/140673940816048fd458227/builder to run '['bash', '-c', 'cd /tmp/140673940816048fd458227/builder&&/tmp/140673940816048fd458227/builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-builder-rpm /tmp/140673940816048fd458227/builder/builder-rpm /tmp/140673940816048fd458227/builder/keyring /tmp/140673940816048fd458227/builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --maintainer 0064428F455451B3EBE78A7F063938BA42CFA724']'.
[qb.fetch.builder-rpm.fetch] --> Verifying tags...
[qb.fetch.builder-rpm.fetch] ---> Good tag 3831ffef1f4654be4ce56c0967cd607224136858.
[qb.fetch.builder-rpm.fetch] Enough distinct tag signatures. Found 1, mandatory minimum is 1.
[qb.fetch.builder-rpm.fetch] --> Merging...
[qb.fetch.builder-rpm] Log file: /home/user/src/qubes-builderv2/artifacts/logs/20240925T162244-builder-rpm.log
[qb.fetch.qubes-qvm-screenshot-tool.fetch] Using executor local:/tmp/1406739610283681e580c76/builder to run '['bash', '-c', 'cd /tmp/1406739610283681e580c76/builder&&/tmp/1406739610283681e580c76/builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/ben-grande/qubes-qvm-screenshot-tool.git /tmp/1406739610283681e580c76/builder/qubes-qvm-screenshot-tool /tmp/1406739610283681e580c76/builder/keyring /tmp/1406739610283681e580c76/builder/plugins/fetch/keys --git-branch master --minimum-distinct-maintainers 1 --maintainer DF3834875B65758713D92E91A475969DE4E371E3 --less-secure-signed-commits-sufficient']'.
[qb.fetch.qubes-qvm-screenshot-tool.fetch] --> Verifying tags or commits...
[qb.fetch.qubes-qvm-screenshot-tool.fetch] Cannot find /tmp/1406739610283681e580c76/builder/plugins/fetch/keys/DF3834875B65758713D92E91A475969DE4E371E3.asc
[qb] An error occurred: Failed to run '['bash', '-c', 'cd /tmp/1406739610283681e580c76/builder&&/tmp/1406739610283681e580c76/builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/ben-grande/qubes-qvm-screenshot-tool.git /tmp/1406739610283681e580c76/builder/qubes-qvm-screenshot-tool /tmp/1406739610283681e580c76/builder/keyring /tmp/1406739610283681e580c76/builder/plugins/fetch/keys --git-branch master --minimum-distinct-maintainers 1 --maintainer DF3834875B65758713D92E91A475969DE4E371E3 --less-secure-signed-commits-sufficient']' (status=1).
[qb]
Traceback (most recent call last):
  File "/home/user/src/qubes-builderv2/qubesbuilder/cli/cli_base.py", line 76, in __call__
    rv = self.main(*args, standalone_mode=False, **kwargs)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/click/core.py", line 1719, in invoke
    rv.append(sub_ctx.command.invoke(sub_ctx))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/click/decorators.py", line 45, in new_func
    return f(get_current_context().obj, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/src/qubes-builderv2/qubesbuilder/cli/cli_package.py", line 63, in fetch
    _component_stage(
  File "/home/user/src/qubes-builderv2/qubesbuilder/cli/cli_package.py", line 41, in _component_stage
    p.run(stage=stage_name)
  File "/home/user/src/qubes-builderv2/qubesbuilder/plugins/fetch/__init__.py", line 185, in run
    executor.run(cmd, copy_in, copy_out, environment=self.environment)
  File "/home/user/src/qubes-builderv2/qubesbuilder/executors/local.py", line 193, in run
    raise e
  File "/home/user/src/qubes-builderv2/qubesbuilder/executors/local.py", line 169, in run
    raise ExecutorError(msg)
qubesbuilder.executors.ExecutorError: Failed to run '['bash', '-c', 'cd /tmp/1406739610283681e580c76/builder&&/tmp/1406739610283681e580c76/builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/ben-grande/qubes-qvm-screenshot-tool.git /tmp/1406739610283681e580c76/builder/qubes-qvm-screenshot-tool /tmp/1406739610283681e580c76/builder/keyring /tmp/1406739610283681e580c76/builder/plugins/fetch/keys --git-branch master --minimum-distinct-maintainers 1 --maintainer DF3834875B65758713D92E91A475969DE4E371E3 --less-secure-signed-commits-sufficient']' (status=1).

GPG agent logs:

Using GnuPG home directory /home/user/.gnupg/split-gpg/qubes-builder
A >>>: OK Pleased to meet you, process 3072
C <<<: OK Pleased to meet you, process 3072
C >>>: RESET
A <<<: RESET
A >>>: OK
C <<<: OK
C >>>: OPTION ttyname=/dev/pts/1
C <<<: OK
C >>>: OPTION ttytype=screen-256color
C <<<: OK
C >>>: OPTION display=:0
A <<<: OPTION display=:0
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: GETINFO restricted
A <<<: GETINFO restricted
A >>>: OK
C <<<: OK
C >>>: KILLAGENT

Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/splitgpg2/__init__.py", line 502, in handle_command
    command = self.commands[untrusted_cmd]
              ~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: b'KILLAGENT'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/splitgpg2/__init__.py", line 504, in handle_command
    raise Filtered from e
splitgpg2.Filtered

Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/splitgpg2/__init__.py", line 502, in handle_command
    command = self.commands[untrusted_cmd]
              ~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: b'KILLAGENT'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/splitgpg2/__init__.py", line 504, in handle_command
    raise Filtered from e
splitgpg2.Filtered
C <<<: ERR 67109888 Command filtered by split-gpg2.
command filtered out; Closing!
C >>>:
@ben-grande ben-grande added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Sep 25, 2024
@ben-grande
Author

Oh well, I got a typo in the key, but the killagent still seems a bit weird. After fixing the key typo, it doesn't make the call fail anymore, killagent is ignored of course.

@andrewdavidwong andrewdavidwong added C: builder Qubes Builder R: self-closed Voluntarily closed by the person who opened it before another resolution occurred. labels Sep 25, 2024
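
Added example, not part of the original issue or of the split-gpg2 code base: a small triage of the agent log quoted in the report, pairing each client command with the reply it received so that a command rejected by the split-gpg2 filter (KILLAGENT) can be told apart from one the agent itself refused (OPTION display). The reading of the `A`/`C` arrows is inferred from the excerpt, and `triage` and `decode_err` are hypothetical helper names.

```python
import re

# Constructed sample: lines copied from the agent log in this issue.
SAMPLE_LOG = """\
C >>>: OPTION ttyname=/dev/pts/1
C <<<: OK
C >>>: OPTION display=:0
A <<<: OPTION display=:0
A >>>: ERR 67109115 Forbidden <GPG Agent>
C <<<: ERR 67109115 Forbidden <GPG Agent>
C >>>: GETINFO restricted
A <<<: GETINFO restricted
A >>>: OK
C <<<: OK
C >>>: KILLAGENT
KeyError: b'KILLAGENT'
C <<<: ERR 67109888 Command filtered by split-gpg2.
C >>>:
"""

LINE = re.compile(r"^([AC]) (>>>|<<<): ?(.*)$")

def decode_err(value):
    """Split a libgpg-error value: source is bits 24-30, code the low 16 bits."""
    return (value >> 24) & 0x7F, value & 0xFFFF

def triage(log_text):
    """Pair each client command with the reply sent back to the client.

    Assumption: 'C >>>' comes from the client, 'A <<<' is forwarded to the
    agent, 'A >>>' is the agent's reply, 'C <<<' goes back to the client.
    """
    results, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tracebacks and banner lines are not protocol lines
        side, arrow, payload = m.groups()
        if side == "C" and arrow == ">>>" and payload:
            current = {"command": payload, "forwarded": False,
                       "verdict": "no-reply", "error": None}
            results.append(current)
        elif current is None:
            continue  # greeting exchanged before the first command
        elif side == "A" and arrow == "<<<":
            current["forwarded"] = True
        elif side == "C" and arrow == "<<<" and payload.startswith("ERR "):
            current["error"] = decode_err(int(payload.split()[1]))
            current["verdict"] = "refused-by-agent" if current["forwarded"] else "filtered"
        elif side == "C" and arrow == "<<<" and payload.startswith("OK"):
            current["verdict"] = "ok"
    return results
```

A `filtered` verdict means the command never reached the agent, so the key material behind split-gpg2 was not touched by it.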