
gpgv: Can't check signature: No public key #203

Open
vchrizz opened this issue Nov 3, 2018 · 8 comments

Comments

@vchrizz

vchrizz commented Nov 3, 2018

According to the docs I have generated a key (as user jenkins) with gpg and set KEY_ID in /etc/jenkins/debian_glue to the id of the key to sign packages, which seems to work for the -source job, but for the -binaries job, regardless which project, even with the job jenkins-debian-glue-binaries I get the following messages from gpgv.
I also tried to generate the key as user root, or export from user jenkins and import to user root to have the same key for signing and verifying, but anyhow I don't get this working.
I noticed gpgv is looking for ~/.gnupg/trustedkeys.kbx whereas gpg defaults to ~/.gnupg/pubring.kbx, so gpgv wants to access a file which does not exist.
I even tried to set REPOSITORY_KEYRING to that file, which didn't work either.
Then I tried to copy pubring.kbx to trustedkeys.kbx, but the verification by gpgv still fails with the same messages:

I: Copying source file
I: copying [/var/lib/jenkins/jobs/jenkins-debian-glue-binaries/workspace/architecture/amd64/jenkins-debian-glue_0.18.4+0~20181103133514.1~1.gbp525467.dsc]
I: copying [/var/lib/jenkins/jobs/jenkins-debian-glue-binaries/workspace/architecture/amd64/jenkins-debian-glue_0.18.4+0~20181103133514.1~1.gbp525467.tar.xz]
I: Extracting source
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/root/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sat Nov  3 13:35:35 2018 UTC
gpgv:                using RSA key A8EAE53F804C4A4A9D666E7EAB22A3E749847E5F
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./jenkins-debian-glue_0.18.4+0~20181103133514.1~1.gbp525467.dsc
dpkg-source: info: extracting jenkins-debian-glue in jenkins-debian-glue-0.18.4+0~20181103133514.1~1.gbp525467
dpkg-source: info: unpacking jenkins-debian-glue_0.18.4+0~20181103133514.1~1.gbp525467.tar.xz
I: Installing the build-deps
@mika
Owner

mika commented Nov 5, 2018

This looks like it is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852019

@vchrizz
Author

vchrizz commented Nov 5, 2018

I could so far debug this as I am now able to properly validate manually on the shell.
The issue seems to be the used keyring file, which somewhere seems to be set to:
~/.gnupg/trustedkeys.kbx but then at validating gpgv uses keyfile:
~/.gnupg/pubkeys.kbx per default.
So generating a key with setting --keyring /var/lib/jenkins/.gnupg/trustedkeys.kbx, then exporting and importing it (without option --keyring) to pubkeys.kbx, lets us properly use gpgv *.dsc in the job's -source workspace.
I just could not figure out how to copy and import the key into the cowbuilder image to be used there for proper validation.

Reading through the Debian bug, which I also found while googling (I just wasn't sure if it was applicable), I came up with the question whether to use gpg2 for j-d-g also?

@mika
Owner

mika commented Nov 6, 2018

Thanks for sharing your finding regarding the keyring, I'm wondering whether we should document this somewhere, like in j-d-g's FAQ?

Regarding usage in cowbuilder image: you need to do this inside /var/cache/pbuilder/base*.cow to make sure it's persistent, once the gpg *.dsc works there when checked manually it should™ also work in automated/build mode.

Unless I'm mistaken usage of gpg2 should just-work and be a transparent replacement from j-d-g's PoV.

@vchrizz
Author

vchrizz commented Nov 6, 2018

How would I make that in /var/cache/pbuilder/base*.cow? As far as I understood, it is being generated when jobs run? So I thought about putting the following commands somewhere to be used when generating.
Putting this as a shell command to be run before building does not work, so I'm looking for a place where to put this so it is being executed at the right moment.

sudo -u jenkins cat >foo <<EOF
    %echo Generating a basic OpenPGP key
    # Debian wants stronger RSA keys that are at least 4096 bits and preferring SHA2.
    Key-Type: RSA
    Key-Length: 4096
    Subkey-Type: RSA
    Subkey-Length: 4096
    Name-Real: Jenkins Debian Glue
    #Name-Comment: automated key for signing # Debian recommends to let comment field empty
    Name-Email: jenkins@$HOSTNAME
    Expire-Date: 0
    #Passphrase: ${jenkinspass}
    %no-protection
    # Do a commit here, so that we can later print "done" :-)
    %commit
    %echo done
EOF
# generate gpg key for user jenkins
sudo -u jenkins gpg --no-default-keyring --keyring /var/lib/jenkins/.gnupg/trustedkeys.kbx --batch --generate-key foo
# export key as user jenkins for user root, import key as user root
sudo -u jenkins gpg --no-default-keyring --keyring /var/lib/jenkins/.gnupg/trustedkeys.kbx --export-secret-keys > /var/lib/jenkins/.gnupg/.private.key
gpg --no-default-keyring --keyring /root/.gnupg/trustedkeys.kbx --import /var/lib/jenkins/.gnupg/.private.key
# import gpg key also into default pubring.kbx for user jenkins and root
sudo -u jenkins gpg --import /var/lib/jenkins/.gnupg/.private.key
gpg --import /var/lib/jenkins/.gnupg/.private.key

@nuxwin
Contributor

nuxwin commented Nov 9, 2018

@mika @vchrizz

I'm also fighting with that problem ATM...

The trustedkeys.kbx file is the default file searched by gpgv, but when it is run through dpkg-source (which is done during the build process for source package extraction), the keyring is explicitly set to something like:

$VAR1 = [
          'gpgv',
          '--keyring',
          '/var/lib/jenkins/.gnupg/trustedkeys.gpg',
          '--keyring',
          '/usr/share/keyrings/debian-keyring.gpg',
          '--keyring',
          '/usr/share/keyrings/debian-maintainers.gpg',
          '../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc'
        ];

See /usr/share/perl5/Dpkg/Source/Package.pm:

...
sub check_signature {
    my $self = shift;
    my $dsc = $self->get_filename();
    my @exec;

    if (find_command('gpgv2')) {
        push @exec, 'gpgv2';
    } elsif (find_command('gpgv')) {
        push @exec, 'gpgv';
    } elsif (find_command('gpg2')) {
        push @exec, 'gpg2', '--no-default-keyring', '-q', '--verify';
    } elsif (find_command('gpg')) {
        push @exec, 'gpg', '--no-default-keyring', '-q', '--verify';
    }
    if (scalar(@exec)) {
        if (length $ENV{HOME} and -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
            push @exec, '--keyring', "$ENV{HOME}/.gnupg/trustedkeys.gpg";
        }
        foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
            if (-r $vendor_keyring) {
                push @exec, '--keyring', $vendor_keyring;
            }
        }
        push @exec, $dsc;

# Added by me for debugging
use Data::Dumper;
print Dumper(\@exec);
...

The first keyring is the one of the $HOME/.gnupg. So, because cowbuilder is run through SUDO, I've changed my /etc/sudoers.d/jenkins conffile to include the HOME environment variable as follows:

## Deployed via jenkins_debian_glue.pp

# Make sure DEB_* options reach cowbuilder, like e.g.:
#  export DEB_BUILD_OPTIONS="parallel=8" /usr/bin/build-and-provide-package
Defaults env_keep+="HOME DEB_* DIST ARCH ADT"

# for *-binaries job
jenkins ALL=NOPASSWD: /usr/sbin/cowbuilder, /usr/sbin/chroot
# for *-piuparts job
jenkins ALL=NOPASSWD: /usr/sbin/piuparts, /usr/sbin/debootstrap, /usr/bin/piuparts_wrapper

This is to be sure that the keyring will be searched in the $HOME of my jenkins user and not the root user...

gpgv is really confusing us because even if the keyring is set to something other than the default, and if that keyring doesn't exist, the confusing error message will be logged:

jenkins@jenkins:~$ sudo DEB_DIST_ID=debian DIST=stretch ARCH=amd64 ADT=skip cowbuilder --login --basepath /var/cache/pbuilder/base-stretch-amd64.cow --configfile=/etc/jenkins/pbuilderrc
I: Copying COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.20163
I: forking: cp -al /var/cache/pbuilder/base-stretch-amd64.cow /var/cache/pbuilder/build/cow.20163
I: removed stale ilistfile /var/cache/pbuilder/build/cow.20163/.ilist
I: Invoking pbuilder
I: forking: pbuilder login --configfile /etc/jenkins/pbuilderrc --buildplace /var/cache/pbuilder/build/cow.20163 --mirror http://deb.debian.org/debian --distribution stretch --no-targz --internal-chrootexec 'chroot /var/cache/pbuilder/build/cow.20163 cow-shell'
W: /var/lib/jenkins/.pbuilderrc does not exist
Distribution set to stretch
Mirror set to http://deb.debian.org/debian
Components set to main contrib non-free
Build dependencies resolver set to /usr/lib/pbuilder/pbuilder-satisfydepends-apt
I: Running in no-targz mode
I: copying local configuration
W: --override-config is not set; not updating apt.conf Read the manpage for details.
I: mounting /proc filesystem
I: mounting /sys filesystem
I: creating /{dev,run}/shm
I: mounting /dev/pts filesystem
I: redirecting /dev/ptmx to /dev/pts/ptmx
I: mounting /dev/pts/0 over /dev/console
I: Mounting /var/lib/jenkins
I: policy-rc.d already exists
I: using eatmydata during job
I: Obtaining the cached apt archive contents
I: entering the shell
root@jenkins:/# cd /var/lib/jenkins/.gnupg/
root@jenkins:~/.gnupg# rm -rf ./tmp && dpkg-source --require-valid-signature -x ../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc /var/lib/jenkins/.gnupg/tmp
dpkg-source: info: extracting openssl1.0 in /var/lib/jenkins/.gnupg/tmp
dpkg-source: info: unpacking openssl1.0_1.0.2p.orig.tar.gz
dpkg-source: info: unpacking openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz
dpkg-source: info: applying config-hurd.patch
dpkg-source: info: applying debian-targets.patch
dpkg-source: info: applying engines-path.patch
dpkg-source: info: applying man-dir.patch
dpkg-source: info: applying man-section.patch
dpkg-source: info: applying no-rpath.patch
dpkg-source: info: applying no-symbolic.patch
dpkg-source: info: applying pic.patch
dpkg-source: info: applying valgrind.patch
dpkg-source: info: applying shared-lib-ext.patch
dpkg-source: info: applying stddef.patch
dpkg-source: info: applying version-script.patch
dpkg-source: info: applying c_rehash-compat.patch
dpkg-source: info: applying block_diginotar.patch
dpkg-source: info: applying block_digicert_malaysia.patch
dpkg-source: info: applying disable_freelist.patch
dpkg-source: info: applying soname.patch
dpkg-source: info: applying disable_sslv3_test.patch
dpkg-source: info: applying Mark-3DES-and-RC4-ciphers-as-weak.patch
root@jenkins:~/.gnupg# mv trustedkeys.gpg trustedkeys.gpg-
root@jenkins:~/.gnupg# rm -rf ./tmp && dpkg-source --require-valid-signature -x ../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc /var/lib/jenkins/.gnupg/tmp
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/var/lib/jenkins/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Fri Nov  9 09:51:34 2018 UTC
gpgv:                using RSA key 8D1AB58E0F4B31E7B27B3C361548CEA469A0BDC9
gpgv: Can't check signature: No public key
dpkg-source: error: failed to verify signature on ../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
root@jenkins:~/.gnupg# logout
I: Copying back the cached apt archive contents
I: unmounting /var/lib/jenkins filesystem
I: unmounting dev/console filesystem
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.20163
jenkins@jenkins:~$

As you can see above, I can verify the source package when logging in to the pbuilder environment manually (through cowbuilder) if the trustedkeys.gpg file exists (that's the file in which I've added my key, as expected by dpkg-source)... However, once I delete that file, I receive the confusing error about the trustedkeys.kbx file.

To summarize: right now, I'm able to log in manually to the pbuilder environment through cowbuilder, then mount my jenkins user $HOME into the chroot, then verify the source package as expected through dpkg-source when extracting it. However, when I do the same thing via j-d-g, I receive the confusing error message, even if my jenkins user $HOME gets mounted as expected... I'm still investigating.

Regarding my pbuilderrc conffile, it looks as follows:

root@jenkins:/etc/jenkins# cat pbuilderrc 

# pbuilder configuration file automatically passed-in by j-d-g
# See https://manpages.debian.org/stretch/pbuilder/pbuilderrc.5.en.html

# Only for cowbuilder (update process)
# cowbuilder doesn't care about the DIST variable and fallback to 'sid' if no
# --distribution is passed-in...
DISTRIBUTION=$DIST

echo "Distribution set to ${DISTRIBUTION}"

# We care only about error messages from pbuilder
#LOGLEVEL=E

# Set mirror and components to use, according distributor ID
if [ "$DEB_DIST_ID" = "debian" ]; then
  MIRRORSITE="http://deb.debian.org/debian"
  COMPONENTS="main contrib non-free"
else
  MIRRORSITE="http://fr.archive.ubuntu.com/ubuntu"
  COMPONENTS="main restricted universe multiverse"
fi

echo "Mirror set to ${MIRRORSITE}"
echo "Components set to ${COMPONENTS}"

# Setup dependencies resolver according distribution codename and architecture
# - aptitude resolver doesn't work with qemu-user-static
# - apt resolver is not provided by jessie, trusty and xenial
case "$DISTRIBUTION" in
 jessie|trusty|xenial) case "$ARCH" in
     i386|amd64) PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends-aptitude" ;;
     *) PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends-classic" ;;
 esac ;;
 *) PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends-apt" ;;
esac

echo "Build dependencies resolver set to ${PBUILDERSATISFYDEPENDSCMD}"

BINDMOUNTS="/var/lib/jenkins"

@mika

Unless I'm mistaken usage of gpg2 should just-work and be a transparent replacement from j-d-g's PoV.

From my point of view, this has nothing to do with j-d-g... the dpkg-source call is part of the cowbuilder / pbuilder build process... and gpgv gets called as second choice by the underlying /usr/share/perl5/Dpkg/Source/Package.pm Perl package... (see above for the workflow).

@vchrizz

Making the changes persistent is not a good solution because you have to do that for all variants (all your cows).. What we want here is to make our GPG key available for the verification of the source package during the build process, when it gets extracted. The right solution from my point of view is to make sure that the key is added to the trustedkeys.gpg file of the jenkins user, then make sure that $HOME points to the jenkins user (as explained above), and then to mount the jenkins user $HOME inside the chroot at runtime through the --bindmount option or the BINDMOUNTS environment variable.

Now, if you want to persist with @mika's solution, you can make your changes persistent by copying your files into the unmounted cow(s), which you can find in the /var/cache/builder directory. For instance: /var/cache/pbuilder/base-stretch-amd64.cow/

@nuxwin
Contributor

nuxwin commented Nov 9, 2018

@mika @vchrizz

I think I did figure it out...

So, by default, dpkg-source is run as the self-created pbuilder user and of course that user cannot access the /var/lib/jenkins/.gnupg directory:

jenkins@jenkins:~$ LANG=C sudo DEB_DIST_ID=debian DIST=stretch ARCH=amd64 ADT=skip GNUPGHOME=/var/lib/jenkins/.gnupg cowbuilder --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --build /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc --basepath /var/cache/pbuilder/base-stretch-amd64.cow --bindmounts "/var/lib/jenkins" --configfile=/etc/jenkins/pbuilderrc
I: Copying COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.10920
I: forking: cp -al /var/cache/pbuilder/base-stretch-amd64.cow /var/cache/pbuilder/build/cow.10920
I: removed stale ilistfile /var/cache/pbuilder/build/cow.10920/.ilist
I: forking: chroot /var/cache/pbuilder/build/cow.10920 cowdancer-ilistcreate /.ilist 'find . -xdev -path ./home -prune -o \( \( -type l -o -type f \) -a -links +1 -print0 \) | xargs -0 stat --format '%d %i ''
I: Invoking pbuilder
I: forking: pbuilder build --bindmounts /var/lib/jenkins --configfile /etc/jenkins/pbuilderrc --buildplace /var/cache/pbuilder/build/cow.10920 --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --mirror http://deb.debian.org/debian --architecture amd64 --distribution stretch --extrapackages 'eatmydata ' --no-targz --internal-chrootexec 'chroot /var/cache/pbuilder/build/cow.10920 cow-shell' /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
W: /var/lib/jenkins/.pbuilderrc does not exist
Distribution set to stretch
Mirror set to http://deb.debian.org/debian
Components set to main contrib non-free
Build dependencies resolver set to /usr/lib/pbuilder/pbuilder-satisfydepends-apt
I: Running in no-targz mode
I: pbuilder: network access will be disabled during build
I: Current time: Fri Nov  9 21:16:21 CET 2018
I: pbuilder-time-stamp: 1541794581
I: copying local configuration
W: --override-config is not set; not updating apt.conf Read the manpage for details.
I: mounting /proc filesystem
I: mounting /sys filesystem
I: creating /{dev,run}/shm
I: mounting /dev/pts filesystem
I: redirecting /dev/ptmx to /dev/pts/ptmx
I: Mounting /var/lib/jenkins
I: policy-rc.d already exists
I: using eatmydata during job
I: Obtaining the cached apt archive contents
I: Copying source file
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p.orig.tar.gz]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz]
I: Extracting source
/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
openssl1.0-1.0.2p
Unshare   : unshare -n -- /usr/lib/pbuilder/pbuilder-unshare-wrapper
Chrootexec: chroot /var/cache/pbuilder/build/cow.10920 cow-shell eatmydata
Sutouser  :  LD_PRELOAD= LOGNAME=pbuilder USER=pbuilder /sbin/start-stop-daemon --start --pidfile /dev/null --chuid pbuilder --startas /bin/sh
$VAR1 = {
          'PBUILDER_PKGLIBDIR' => '/usr/lib/pbuilder',
          'SUDO_COMMAND' => '/usr/sbin/cowbuilder --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --build /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc --basepath /var/cache/pbuilder/base-stretch-amd64.cow --bindmounts /var/lib/jenkins --configfile=/etc/jenkins/pbuilderrc',
          'SUDO_GID' => '112',
          'USERNAME' => 'root',
          '_' => '/usr/bin/unshare',
          'GNUPGHOME' => '/var/lib/jenkins/.gnupg',
          'USER' => 'pbuilder',
          'SUDO_USER' => 'jenkins',
          'PATH' => '/usr/sbin:/usr/bin:/sbin:/bin',
          'LD_LIBRARY_PATH' => '/usr/lib/libeatmydata',
          'MAIL' => '/var/mail/root',
          'SUDO_UID' => '108',
          'ARCH' => 'amd64',
          'LD_PRELOAD' => '',
          'DEBIAN_FRONTEND' => 'noninteractive',
          'DEB_DIST_ID' => 'debian',
          'PBUILDER_OPERATION' => 'build',
          'SHELL' => '/bin/bash',
          'COWDANCER_ILISTFILE' => '/.ilist',
          'HOME' => '/var/lib/jenkins',
          'LC_ALL' => 'C',
          'LS_COLORS' => 'rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:',
          'OLDPWD' => '/',
          'ADT' => 'skip',
          'PBUILDER_SYSCONFDIR' => '/etc',
          'LOGNAME' => 'pbuilder',
          'PBCURRENTCOMMANDLINEOPERATION' => 'build',
          'COWDANCER_REUSE' => 'yes',
          'PWD' => '/build',
          'TERM' => 'xterm-256color',
          'SHLVL' => '2',
          'LANG' => 'C',
          'PBUILDER_PKGDATADIR' => '/usr/share/pbuilder',
          'DIST' => 'stretch'
        };
ls: cannot open directory '/var/lib/jenkins/.gnupg': Permission denied
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/var/lib/jenkins/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Fri Nov  9 09:51:34 2018 UTC
gpgv:                using RSA key 8D1AB58E0F4B31E7B27B3C361548CEA469A0BDC9
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
dpkg-source: info: extracting openssl1.0 in openssl1.0-1.0.2p
dpkg-source: info: unpacking openssl1.0_1.0.2p.orig.tar.gz
dpkg-source: info: unpacking openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz
dpkg-source: info: applying config-hurd.patch
dpkg-source: info: applying debian-targets.patch
dpkg-source: info: applying engines-path.patch
dpkg-source: info: applying man-dir.patch
dpkg-source: info: applying man-section.patch
dpkg-source: info: applying no-rpath.patch
dpkg-source: info: applying no-symbolic.patch
dpkg-source: info: applying pic.patch
dpkg-source: info: applying valgrind.patch
dpkg-source: info: applying shared-lib-ext.patch
dpkg-source: info: applying stddef.patch
dpkg-source: info: applying version-script.patch
dpkg-source: info: applying c_rehash-compat.patch
dpkg-source: info: applying block_diginotar.patch
dpkg-source: info: applying block_digicert_malaysia.patch
dpkg-source: info: applying disable_freelist.patch
dpkg-source: info: applying soname.patch
dpkg-source: info: applying disable_sslv3_test.patch
dpkg-source: info: applying Mark-3DES-and-RC4-ciphers-as-weak.patch
I: unmounting /var/lib/jenkins filesystem
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.10920

I'll post the solution in few minutes.

@nuxwin
Contributor

nuxwin commented Nov 11, 2018

@vchrizz @mika

Solution

Assuming that your GPG key is owned by the jenkins user.

1. Create the pbuilder user:

jenkins@jenkins:~$ su -c "useradd -c 'Pbuilder build user' -m -U -s /bin/bash pbuilder"

Note that this user is only created to avoid building packages as the root user. The purpose of that user is to make the keyring available for the source package signature verification during the build process.

2. Export the GPG key into the trustedkeys.gpg keyring and copy that keyring into the pbuilder user ~/.gnupg directory:

jenkins@jenkins:~$ gpg --export <KEY_ID> | gpg --no-default-keyring --keyring ~/trustedkeys.gpg --import -
jenkins@jenkins:~$ su
root@jenkins:/var/lib/jenkins# su -c 'gpg -k && cp -a /var/lib/jenkins/trustedkeys.gpg ~/.gnupg/trustedkeys.gpg' pbuilder
root@jenkins:/var/lib/jenkins# exit
jenkins@jenkins:~$ rm trustedkeys.gpg*

Note regarding the trustedkeys.gpg keyring

If you export your GPG key with a GPG version >= 2.1, the trustedkeys.gpg keyring will be in the new format (keybox). Therefore, older GPG versions will not be able to read it, leading to signature verification failure when building for older distributions. The best approach is to export the key in the older format to make it readable by all GPG versions. That is a really important point, as GPG versions >= 2.1 aren't available in older distributions (Debian <= 9.0, Ubuntu < 17.10). Basically, you need to:

  • Export the key in ASCII-armored format and import it into the trustedkeys.gpg keyring using older GPG (< 2.1) version
  • Copy the trustedkeys.gpg keyring which will be readable by all GPG versions.

3. In your /etc/jenkins/pbuilderrc file, add:

BUILDUSERNAME=pbuilder
BUILDUSERID=$(getent passwd pbuilder | awk -F ':' '{print $3}')
HOME=$(getent passwd pbuilder | awk -F ':' '{print $6}')
BINDMOUNTS=$HOME

Then, you're done.

Result

jenkins@jenkins:~$ LANG=C sudo DEB_DIST_ID=ubuntu DIST=trusty ARCH=amd64 ADT=skip cowbuilder build --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --build /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc --basepath /var/cache/pbuilder/base-trusty-amd64.cow --configfile=/etc/jenkins/pbuilderrc
I: Copying COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.27728
I: forking: cp -al /var/cache/pbuilder/base-trusty-amd64.cow /var/cache/pbuilder/build/cow.27728
I: removed stale ilistfile /var/cache/pbuilder/build/cow.27728/.ilist
I: forking: chroot /var/cache/pbuilder/build/cow.27728 cowdancer-ilistcreate /.ilist 'find . -xdev -path ./home -prune -o \( \( -type l -o -type f \) -a -links +1 -print0 \) | xargs -0 stat --format '%d %i ''
I: Invoking pbuilder
I: forking: pbuilder build --configfile /etc/jenkins/pbuilderrc --buildplace /var/cache/pbuilder/build/cow.27728 --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --mirror http://fr.archive.ubuntu.com/ubuntu --architecture amd64 --distribution trusty --no-targz --internal-chrootexec 'chroot /var/cache/pbuilder/build/cow.27728 cow-shell' /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
W: /root/.pbuilderrc does not exist
Distribution set to trusty
Mirror set to http://fr.archive.ubuntu.com/ubuntu
Components set to main restricted universe multiverse
Build dependencies resolver set to /usr/lib/pbuilder/pbuilder-satisfydepends-aptitude
I: Running in no-targz mode
I: pbuilder: network access will be disabled during build
I: Current time: Sun Nov 11 20:01:19 CET 2018
I: pbuilder-time-stamp: 1541962879
I: copying local configuration
W: --override-config is not set; not updating apt.conf Read the manpage for details.
I: mounting /proc filesystem
I: mounting /sys filesystem
I: creating /{dev,run}/shm
I: mounting /dev/pts filesystem
I: redirecting /dev/ptmx to /dev/pts/ptmx
I: Mounting /home/pbuilder
I: policy-rc.d already exists
I: Obtaining the cached apt archive contents
I: Copying source file
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p.orig.tar.gz]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz]
I: Extracting source
dpkg-source: info: extracting openssl1.0 in openssl1.0-1.0.2p
dpkg-source: info: unpacking openssl1.0_1.0.2p.orig.tar.gz
dpkg-source: info: unpacking openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz
dpkg-source: info: applying config-hurd.patch
dpkg-source: info: applying debian-targets.patch
dpkg-source: info: applying engines-path.patch
dpkg-source: info: applying man-dir.patch
dpkg-source: info: applying man-section.patch
dpkg-source: info: applying no-rpath.patch
dpkg-source: info: applying no-symbolic.patch
dpkg-source: info: applying pic.patch
dpkg-source: info: applying valgrind.patch
dpkg-source: info: applying shared-lib-ext.patch
dpkg-source: info: applying stddef.patch
dpkg-source: info: applying version-script.patch
dpkg-source: info: applying c_rehash-compat.patch
dpkg-source: info: applying block_diginotar.patch
dpkg-source: info: applying block_digicert_malaysia.patch
dpkg-source: info: applying disable_freelist.patch
dpkg-source: info: applying soname.patch
dpkg-source: info: applying disable_sslv3_test.patch
dpkg-source: info: applying Mark-3DES-and-RC4-ciphers-as-weak.patch
...
I: unmounting /home/pbuilder filesystem
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.27728
jenkins@jenkins:~$
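As an added example (not from this thread and not part of jenkins-debian-glue), here is a POSIX shell pre-build check that classifies a keyring file as keybox or legacy OpenPGP and, mirroring the check_signature() logic quoted from Dpkg/Source/Package.pm earlier in the thread, reports whether a build user's $HOME/.gnupg/trustedkeys.gpg is something gpgv on an older distribution can actually read. The function names are my own, and the sample files it creates are constructed header stubs, not real keys.

```shell
#!/bin/sh
# Added example, not from the issue thread. Functions print a status word and
# always exit 0 so they are safe to call inside $(...) under set -e; callers
# compare the printed word.

# Classify a keyring file by its on-disk format.
#   keybox  : GnuPG >= 2.1 "KBXf" keybox, the format the thread warns older
#             gpgv releases cannot read
#   openpgp : legacy keyring, a concatenation of OpenPGP packets starting
#             with a public-key packet (tag 6)
keyring_format() {
    f=$1
    if [ ! -r "$f" ]; then echo unreadable; return 0; fi
    # Keybox header blob: u32 length, u8 type=1, u8 version, u16 flags, "KBXf".
    # Read the 4 magic bytes at offset 8 as hex: "KBXf" is 4b 42 58 66.
    magic=$(od -An -j8 -N4 -tx1 "$f" | tr -d ' \n')
    if [ "$magic" = "4b425866" ]; then echo keybox; return 0; fi
    first=$(od -An -N1 -tx1 "$f" | tr -d ' \n')
    case "$first" in
        # old-format CTB 0x98..0x9b or new-format CTB 0xc6: public-key packet
        98|99|9a|9b|c6) echo openpgp ;;
        *) echo unknown ;;
    esac
}

# Mirror check_signature() from Dpkg/Source/Package.pm: dpkg-source only adds
# $HOME/.gnupg/trustedkeys.gpg (never a .kbx) and only when it is readable,
# so report what a build user with this $HOME would end up with.
#   ok       : legacy keyring present and readable
#   missing  : no readable trustedkeys.gpg, gpgv sees vendor keyrings only
#   keybox   : file exists but is a keybox, unreadable by gpgv < 2.1
#   unknown  : file exists but is neither format
trustedkeys_status() {
    home=$1
    kr="$home/.gnupg/trustedkeys.gpg"
    if [ ! -r "$kr" ]; then echo missing; return 0; fi
    case "$(keyring_format "$kr")" in
        openpgp) echo ok ;;
        keybox)  echo keybox ;;
        *)       echo unknown ;;
    esac
}

# Constructed sample files (not real keys): just enough header bytes for the
# classifier. A real legacy keyring would come from something like
#   gpg --export KEY_ID | gpg --no-default-keyring --keyring trustedkeys.gpg --import
make_sample_keybox() {
    # 32-byte header blob: length 0x20, type 1, version 1, flags 0, magic, padding
    printf '\000\000\000\040\001\001\000\000KBXf\000\000\000\000' > "$1"
    printf '\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000' >> "$1"
}
make_sample_legacy() {
    # old-format CTB 0x99 = public-key packet with 2-byte length, then a stub body
    printf '\231\000\004\004\000\000\000' > "$1"
}

# Demo run: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/.gnupg" "$tmp/bad/.gnupg" "$tmp/none"
    make_sample_legacy "$tmp/good/.gnupg/trustedkeys.gpg"
    make_sample_keybox "$tmp/bad/.gnupg/trustedkeys.gpg"
    for h in good bad none; do
        printf '%s: %s\n' "$h" "$(trustedkeys_status "$tmp/$h")"
    done
    rm -rf "$tmp"
fi
```

Running it against the real home directory of the build user (for example `trustedkeys_status /home/pbuilder`) before a `*-binaries` job gives a clear answer in place of the misleading "unknown type of key resource 'trustedkeys.kbx'" message.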

@adrelanos

gpgv supports ~/.gnupg/trustedkeys.kbx but dpkg-source apparently only supports ~/.gnupg/trustedkeys.gpg.
