Package: mandos-client
Version: 1.8.16-1.2
Severity: important
Tags: patch
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
After upgrading to trixie, mandos-client is no longer able to unlock
root device, though it does receive encrypted key blob from Mandos
server.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Attempted another reboot, verfied that Mandos server was sending
encrypted key blobs as expected, tried again after running
update-initramfs -u -k all.
* What was the outcome of this action?
System did not boot unattended as expected. Instead, manual entry of
LUKS passphrase was required.
* What outcome did you expect instead?
Expected mandos-client to receive key blob, decrypt it, and unlock root
device.
*** End of the template - remove these template lines ***
During investigation, discovered that mandos-client's initramfs-tools
hook script is checking the version of libgpgme11, not libgpgme11t64 on
line 183. Adding the string "t64" to end of the dpkg-query invocation
resolves the issue, and newly built initramfs images do inclue gpg-agent
as expected.
Patch attached.
-- System Information:
Debian Release: trixie/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.9.12-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mandos-client depends on:
ii adduser 3.137
ii cryptsetup 2:2.7.2-2
ii cryptsetup-initramfs 2:2.7.2-2
ii debconf [debconf-2.0] 1.5.87
ii dpkg-dev 1.22.11
ii gnutls-bin 3.8.6-2
ii initramfs-tools 0.142
ii libavahi-common3 0.8-13+b2
ii libavahi-core7 0.8-13+b2
ii libc6 2.39-6
ii libglib2.0-0t64 2.80.4-1
ii libgnutls30t64 3.8.6-2
ii libgpgme11t64 1.18.0-4.1+b2
ii libnl-3-200 3.7.0-0.3
ii libnl-route-3-200 3.7.0-0.3
Versions of packages mandos-client recommends:
ii ssh 1:9.7p1-7
mandos-client suggests no packages.
-- debconf information:
mandos-client/key_id:
--- /usr/share/initramfs-tools/hooks/mandos~ 2024-08-04 16:06:46.576235712
+0000
+++ /usr/share/initramfs-tools/hooks/mandos 2024-08-04 16:07:17.080929585
+0000
@@ -180,7 +180,7 @@
# GPGME needs GnuPG
gpg=/usr/bin/gpg
-libgpgme11_version="`dpkg-query --showformat='${Version}' --show libgpgme11`"
+libgpgme11_version="`dpkg-query --showformat='${Version}' --show
libgpgme11t64`"
if dpkg --compare-versions "$libgpgme11_version" ge 1.5.0-0.1; then
if [ -e /usr/bin/gpgconf ]; then
if [ ! -e "${DESTDIR}/usr/bin/gpgconf" ]; then
