GPG verification fails on some Mac machines

[Haroon-Khel]

While running the playbook via awx

TASK [adoptopenjdk_install : GPG Signature verification (macOS)] ***************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: NoneType: None
fatal: [test-macstadium-macos1015-x64-1]: FAILED! => {"changed": true, "msg": "non-zero return code", "rc": 2, "stderr": "Shared connection to 207.254.28.171 closed.\r\n", "stderr_lines": ["Shared connection to 207.254.28.171 closed."], "stdout": "gpg: directory '/var/root/.gnupg' created\r\ngpg: keybox '/var/root/.gnupg/pubring.kbx' created\r\n
gpg: error running '/usr/local/Cellar/gnupg/2.3.1_1/bin/dirmngr': terminated\r\n
gpg: failed to start dirmngr '/usr/local/Cellar/gnupg/2.3.1_1/bin/dirmngr': General error\r\n
gpg: can't connect to the dirmngr: General error\r\ngpg: keyserver receive failed: No dirmngr\r\n", "stdout_lines": ["gpg: directory '/var/root/.gnupg' created", "gpg: keybox '/var/root/.gnupg/pubring.kbx' created", "gpg: error running '/usr/local/Cellar/gnupg/2.3.1_1/bin/dirmngr': terminated", "gpg: failed to start dirmngr '/usr/local/Cellar/gnupg/2.3.1_1/bin/dirmngr':…

I have not looked too deep into this ie whether this affects all of our mac boxes

to do:

• Run on other mac boxes
• Run in a command line environment
• Run outside of playbook, ie with package_signature_verification.sh directly

[sxa]

Blocks #2908

[Haroon-Khel]

This error does not show up on build-macstadium-macos11-arm64-1 and 2

[Haroon-Khel]

The error occurs at the key import step

administrator@test-macstadium-macos1015-x64-1 ~ % gpg --keyserver keyserver.ubuntu.com --recv-keys "3B04D753C9050D9A5D343F39843C48A565F8F04B"
gpg: error running '/usr/local/Cellar/gnupg/2.3.1_1/bin/dirmngr': terminated
gpg: failed to start dirmngr '/usr/local/Cellar/gnupg/2.3.1_1/bin/dirmngr': General error
gpg: can't connect to the dirmngr: General error
gpg: keyserver receive failed: No dirmngr

[Haroon-Khel]

Running dirmngr directly

administrator@test-macstadium-macos1015-x64-1 ~ % dirmngr 
dyld: Library not loaded: /usr/local/opt/libffi/lib/libffi.7.dylib
  Referenced from: /usr/local/opt/p11-kit/lib/libp11-kit.0.dylib
  Reason: image not found
zsh: abort      dirmngr

[Haroon-Khel]

Reinstalling libffi seemed to fix it

administrator@test-macstadium-macos1015-x64-1 ~ % dirmngr
dirmngr[10747.0]: permanently loaded certificates: 133
dirmngr[10747.0]:     runtime cached certificates: 0
dirmngr[10747.0]:            trusted certificates: 133 (132,0,0,1)
dirmngr[10747.0]: failed to open cache dir file '/Users/administrator/.gnupg/crls.d/DIR.txt': No such file or directory
dirmngr[10747.0]: creating directory '/Users/administrator/.gnupg/crls.d'
dirmngr[10747.0]: new cache dir file '/Users/administrator/.gnupg/crls.d/DIR.txt' created
# Home: /Users/administrator/.gnupg
# Config: /Users/administrator/.gnupg/dirmngr.conf
OK Dirmngr 2.3.1 at your service
^C

And now the key imports. Not sure what caused the broken/missing library

[Haroon-Khel]

On the 10.14 machines, its libunistring thats missing a library, #3049 (comment) is 10.15

test-macstadium-macos1014-x64-1:~ administrator$ dirmngr
dyld: Library not loaded: /usr/local/opt/libunistring/lib/libunistring.2.dylib
  Referenced from: /usr/local/opt/gnutls/lib/libgnutls.30.dylib
  Reason: image not found
Abort trap: 6

[Haroon-Khel]

Reinstalling libunistring did not fix the issue on the 10.14 machines

[Haroon-Khel]

On both 10.14 and 10.15 the solution is to brew upgrade p11-kit to its latest, 0.24.1_1 , and then on 10.14 only to make the link /usr/local/opt/libunistring/lib/libunistring.2.dylib -> libunistring.5.dylib

[Haroon-Khel]

Issue is resolved