From 3634fb323634035c58d11d289a59d9ca22f63ee2 Mon Sep 17 00:00:00 2001
From: Rich Lander
Date: Thu, 18 Jun 2026 06:12:09 -0700
Subject: [PATCH] Use gpgv instead of gpg for Release signature verification

install-debs.py verified the APT Release signature with "gpg --keyring --verify". On hosts running GnuPG 2.4+ with keyboxd (e.g. Azure Linux 4.0), routing verification through gpg's agent/keyboxd machinery is fragile and can fail, forcing downstream consumers to patch the cloned arcade script.

gpgv is the purpose-built detached-signature verifier: it checks a signature against a fixed keyring with no agent, no keyboxd, and no mutation of any keyring. It is available wherever gpg is used for this path (same gnupg2 package on Azure Linux; an Essential package on Debian/Ubuntu), and the debootstrap rootfs path already relies on it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 eng/common/cross/install-debs.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/eng/common/cross/install-debs.py b/eng/common/cross/install-debs.py
index 20ca770a1e2..1d1dfabf7dc 100755
--- a/eng/common/cross/install-debs.py
+++ b/eng/common/cross/install-debs.py
@@ -121,10 +121,14 @@ async def fetch_release_file(session, mirror, suite, keyring):
         await download_file(session, release_gpg_url, release_gpg_file.name)
         print("Verifying signature of Release with Release.gpg.")
-        verify_command = ["gpg"]
+        # Use gpgv rather than gpg for verification. gpgv verifies a detached
+        # signature against a fixed keyring without involving gpg-agent or
+        # keyboxd, which makes it robust on hosts running GnuPG 2.4+ (e.g. Azure
+        # Linux) where "gpg --keyring" routes through keyboxd and can fail.
+        verify_command = ["gpgv"]
         if keyring:
             verify_command += ["--keyring", keyring]
-        verify_command += ["--verify", release_gpg_file.name, release_file.name]
+        verify_command += [release_gpg_file.name, release_file.name]
         result = subprocess.run(verify_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         if result.returncode != 0:
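Review bot: The `if keyring:` guard keeps `--keyring` optional, but the fallback when it is omitted is not the same as before: gpgv without `--keyring` consults only trustedkeys.kbx/trustedkeys.gpg in the GnuPG home, never the default pubring that `gpg --verify` searched, so a caller that leaves keyring empty and relies on a key imported into the default keyring will now fail verification. That stricter default is arguably right for an archive-signature check, but it is undocumented; I would extend the new comment with `# Without --keyring, gpgv consults only trustedkeys.kbx/.gpg in the GnuPG home (not the default pubring), and it treats every key in the keyring as fully trusted, so pass a keyring that holds only the archive signing keys.` If an empty keyring is never expected here, failing fast with a clear message before the subprocess call would be clearer than surfacing gpgv's stderr. fetch_release_file continues outside the hunk on both sides.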