[Bug 2125687] Re: Fail to upgrade from plucky to questing in a basic Ubuntu

Thu Sep 25 15:26:16 UTC 2025

some quick notes:

* being run in a very minimal environment (in this case a base~ish container)
* `gnupg` is generally available on server and desktop, but not in _all_ situations (such as a cloud-minimal install)
* since we're only doing verification here, `gpgv` seems a more appropriate answer.

I'm not sure if we consider a container upgrade "supported", but cloud-
minimal is a supported path. We should add a dependency on `gpgv` and
use that for verification of download signatures. Worth checking all the
code to see if we're calling `gpg` anywhere else.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/2125687

Title:
  Fail to upgrade from plucky to questing in a basic Ubuntu

Status in ubuntu-release-upgrader package in Ubuntu:
  New
Status in ubuntu-release-upgrader source package in Plucky:
  New

Bug description:
  Reproducer is very straightforward:
  ```
  podman run -it ubuntu:plucky sh -c "apt update && apt upgrade -y && apt install -y ubuntu-release-upgrader-core && do-release-upgrade -d"
  ```
  This is an interactive session, so make sure to provide answers.

  Just when confirming the upgrade, the tool instantly crashes, complaining about a missing `gpg`:
  ```
  Continue [yN] y
  Get:1 Upgrade tool signature [833 B]
  Get:2 Upgrade tool [966 kB]
  Fetched 967 kB in 0s (0 B/s)
  /usr/lib/python3/dist-packages/DistUpgrade/DistUpgradeFetcherCore.py:180: Warning: W:Download is performed unsandboxed as root as file 'questing.tar.gz.gpg' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
    result = fetcher.run()
  authenticate 'questing.tar.gz' against 'questing.tar.gz.gpg'
  Traceback (most recent call last):
    File "/usr/bin/do-release-upgrade", line 229, in <module>
      fetcher.run()
      ~~~~~~~~~~~^^
    File "/usr/lib/python3/dist-packages/DistUpgrade/DistUpgradeFetcherCore.py", line 215, in run
      if not self.authenticate():
             ~~~~~~~~~~~~~~~~~^^
    File "/usr/lib/python3/dist-packages/DistUpgrade/DistUpgradeFetcherCore.py", line 104, in authenticate
      if self.gpgauthenticate(f, sig):
         ~~~~~~~~~~~~~~~~~~~~^^^^^^^^
    File "/usr/lib/python3/dist-packages/DistUpgrade/DistUpgradeFetcherCore.py", line 119, in gpgauthenticate
      ret = subprocess.call(gpg, stderr=subprocess.PIPE)
    File "/usr/lib/python3.13/subprocess.py", line 395, in call
      with Popen(*popenargs, **kwargs) as p:
           ~~~~~^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.13/subprocess.py", line 1039, in __init__
      self._execute_child(args, executable, preexec_fn, close_fds,
      ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                          pass_fds, cwd, env,
                          ^^^^^^^^^^^^^^^^^^^
      ...<5 lines>...
                          gid, gids, uid, umask,
                          ^^^^^^^^^^^^^^^^^^^^^^
                          start_new_session, process_group)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.13/subprocess.py", line 1969, in _execute_child
      raise child_exception_type(errno_num, err_msg, err_filename)
  FileNotFoundError: [Errno 2] No such file or directory: 'gpg'
  ```

  Working around that is as simple as installing `gnupg` alongside `ubuntu-release-upgrader-core`, and for that reason, the bug usually doesn't happen on less basic installation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/2125687/+subscriptions