Hi all,
I have built GVM 22.4 with all components and synched all feeds successfully… (including notus)
Yet, when the ospd-openvas process is spawned, I get this error:
```
exec /usr/local/bin/ospd-openvas -f --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o777 --log-level INFO
Traceback (most recent call last):
  File "/usr/local/bin/ospd-openvas", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/daemon.py", line 1249, in main
    daemon_main('OSPD - openvas', OSPDopenvas, NotusParser())
  File "/usr/local/lib/python3.9/dist-packages/ospd/main.py", line 164, in main
    daemon.init(server)
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/daemon.py", line 552, in init
    self.update_vts()
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/daemon.py", line 677, in update_vts
    self.nvti.notus.reload_cache()
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/notus.py", line 84, in reload_cache
    if self._verifier(f):
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/gpg_sha_verifier.py", line 121, in verify
    assumed_name = sha256sums().get(hash_sum)
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/gpg_sha_verifier.py", line 63, in internal_reload
    return config.on_verification_failure(None)
  File "/usr/local/lib/python3.9/dist-packages/ospd_openvas/daemon.py", line 452, in on_hash_sum_verification_failure
    raise Exception("GPG verification of notus sha256sums failed")
Exception: GPG verification of notus sha256sums failed
```
Is anyone else facing this issue?
Thank you
Thomas
bricks
August 26, 2022, 6:42pm
2
The gpg keychain is not set up correctly. Please take a look at Building 22.4 from Source - Greenbone Community Documentation
1 Like
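The two checks that fail in the traceback above, reproduced as a stand-alone diagnostic (an added example, not ospd-openvas code and not written by any poster in this thread): first the detached signature `sha256sums.asc` is verified against a GnuPG home, then each `.notus` file's SHA-256 is looked up in `sha256sums`. The GnuPG home is an assumption passed on the command line, and the `digest  filename` line format is assumed to be standard `sha256sum` output.

```python
import hashlib
import subprocess
import sys
from pathlib import Path


def gpg_verify(sums: Path, gnupg_home: Path) -> bool:
    """Stage 1: verify the detached signature <sums>.asc over <sums>."""
    asc = sums.with_name(sums.name + ".asc")
    proc = subprocess.run(
        ["gpg", "--homedir", str(gnupg_home), "--verify", str(asc), str(sums)],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        # gpg explains the failure on stderr (for example a missing public key)
        print(proc.stderr, file=sys.stderr)
    return proc.returncode == 0


def load_sums(sums: Path) -> dict:
    """Map hex digest -> file name (assumed format: 'digest  name' per line)."""
    table = {}
    for line in sums.read_text().splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            name = parts[1].strip().lstrip("*")  # '*' marks binary mode
            table[parts[0].lower()] = Path(name).name
    return table


def check_feed(feed_dir: Path) -> dict:
    """Stage 2: True for each .notus file whose digest is listed under its name."""
    table = load_sums(feed_dir / "sha256sums")
    return {
        f.name: table.get(hashlib.sha256(f.read_bytes()).hexdigest()) == f.name
        for f in sorted(feed_dir.glob("*.notus"))
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_notus.py <gnupg-home-used-by-ospd-openvas>")
    feed = Path("/var/lib/notus/advisories")  # feed path from the issue listing
    if not gpg_verify(feed / "sha256sums", Path(sys.argv[1])):
        sys.exit("signature check failed: fix the keyring before anything else")
    for name, ok in check_feed(feed).items():
        print(name, "ok" if ok else "NOT listed in signed sha256sums")
```

Run it as the user ospd-openvas runs as, so that permission problems on the GnuPG home show up the same way they do for the daemon.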
cfi
September 8, 2022, 10:39am
3
Related GitHub issue and PR to throw a better warning / not crash ospd-openvas:
opened 05:13PM - 06 Sep 22 UTC
bug
Running into an error with the latest version 22.4.2 (downgrading back to 22.4.0… resolves the problem).
### Expected behavior
Starting up and running without any issues (like 22.4.0 did and still does for me).
### Actual behavior
Running into the following error since upgrading from 22.4.0 to 22.4.2.
```
Sep 06 18:34:57 hostname ospd-openvas[4407]: Traceback (most recent call last):
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/host/bin/ospd-openvas", line 33, in <module>
Sep 06 18:34:57 hostname ospd-openvas[4407]: sys.exit(load_entry_point('ospd-openvas==22.4.2', 'console_scripts', 'ospd-openvas')())
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/daemon.py", line 1243, in main
Sep 06 18:34:57 hostname ospd-openvas[4407]: daemon_main('OSPD - openvas', OSPDopenvas, NotusParser())
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd/main.py", line 164, in main
Sep 06 18:34:57 hostname ospd-openvas[4407]: daemon.init(server)
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/daemon.py", line 524, in init
Sep 06 18:34:57 hostname ospd-openvas[4407]: self.update_vts()
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/daemon.py", line 649, in update_vts
Sep 06 18:34:57 hostname ospd-openvas[4407]: self.nvti.notus.reload_cache()
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/notus.py", line 119, in reload_cache
Sep 06 18:34:57 hostname ospd-openvas[4407]: if self._verifier(f):
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/gpg_sha_verifier.py", line 121, in verify
Sep 06 18:34:57 hostname ospd-openvas[4407]: assumed_name = sha256sums().get(hash_sum)
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/gpg_sha_verifier.py", line 63, in internal_reload
Sep 06 18:34:57 hostname ospd-openvas[4407]: return config.on_verification_failure(None)
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd_openvas/notus.py", line 50, in on_hash_sum_verification_failure
Sep 06 18:34:57 hostname ospd-openvas[4407]: raise Exception("GPG verification of notus sha256sums failed")
Sep 06 18:34:57 hostname ospd-openvas[4407]: Exception: GPG verification of notus sha256sums failed
Sep 06 18:34:57 hostname ospd-openvas[4407]: Exception ignored in atexit callback: <function exit_cleanup at 0x7f5245740310>
Sep 06 18:34:57 hostname ospd-openvas[4407]: Traceback (most recent call last):
Sep 06 18:34:57 hostname ospd-openvas[4407]: File "/usr/lib/python3.10/site-packages/ospd/main.py", line 86, in exit_cleanup
Sep 06 18:34:57 hostname ospd-openvas[4407]: sys.exit()
Sep 06 18:34:57 hostname ospd-openvas[4407]: SystemExit:
Sep 06 18:34:57 hostname systemd[1]: ospd-openvas.service: Main process exited, code=exited, status=1/FAILURE
Sep 06 18:34:57 hostname systemd[1]: ospd-openvas.service: Failed with result 'exit-code'.
```
### Steps to reproduce
1. upgrade ospd-openvas from the previously working 22.4.0 to 22.4.2
2. start service
3. run into error
### GVM versions
**gsa:** Greenbone Security Assistant 22.04.0
**gvm:** Greenbone Vulnerability Manager 22.4.0~dev1 (<- note: ~dev1 was somehow introduced between tag 22.4 and the actual release tag 22.4.0 with the change to PROJECT_DEV_VERSION 1 in CMakeLists.txt: https://github.com/greenbone/gvmd/compare/v22.4...v22.4.0)
Manager DB revision 250
**openvas-scanner:** OpenVAS 22.4.0
**gvm-libs:** gvm-libs 22.4.0
### Environment
**Operating system:** Exherbo Linux
**Installation method / source:** source-based packages
### Logfiles
/var/log/gvm/ospd-openvas.log
```
OSPD[14136] 2022-09-06 16:52:33,999: INFO: (ospd.main) Starting OSPd OpenVAS version 22.4.2.
OSPD[14136] 2022-09-06 16:52:34,007: WARNING: (ospd_openvas.messaging.mqtt) Could not connect to MQTT broker, error was: [Errno 111] Connection refused. Trying again in 10s.
OSPD[14136] 2022-09-06 16:52:44,020: WARNING: (ospd_openvas.messaging.mqtt) Could not connect to MQTT broker, error was: [Errno 111] Connection refused. Trying again in 10s.
OSPD[14136] 2022-09-06 16:52:44,054: INFO: (ospd_openvas.daemon) Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...
OSPD[14136] 2022-09-06 16:52:44,242: WARNING: (gnupg) potential problem: ERROR: add_keyblock_resource 33587201
OSPD[14136] 2022-09-06 16:52:44,243: WARNING: (gnupg) potential problem: ERROR: keydb_search 33554445
OSPD[14136] 2022-09-06 16:52:44,243: WARNING: (gnupg) potential problem: ERROR: keydb_search 33554445
OSPD[14136] 2022-09-06 16:52:44,243: WARNING: (gnupg) gpg returned a non-zero error code: 2
OSPD[14136] 2022-09-06 16:52:44,252: INFO: (ospd.main) Shutting-down server ...
```
Note for the MQTT broker WARNING: I've not yet setup MQTT & packaged notus-scanner, so I already had that warning with 22.4.0 previously as well of course.
Additional information:
```
# ls -la /var/lib/notus/advisories
insgesamt 46828
drwxrwxr-x 2 gvm gvm 4096 6. Sep 12:42 .
drwxrwxr-x 4 gvm gvm 4096 6. Sep 12:42 ..
-rw-rw-r-- 1 gvm gvm 14294650 6. Sep 06:38 euleros.notus
-rw-rw-r-- 1 gvm gvm 9050712 6. Sep 06:38 mageia.notus
-rw-rw-r-- 1 gvm gvm 318 6. Sep 06:38 sha256sums
-rw-rw-r-- 1 gvm gvm 833 6. Sep 06:38 sha256sums.asc
-rw-rw-r-- 1 gvm gvm 2522789 6. Sep 06:38 slackware.notus
-rw-rw-r-- 1 gvm gvm 22062329 6. Sep 06:38 suse.notus
```
```
# ls -la /var/lib/gvm/gvmd/gnupg
insgesamt 32
drwx------ 4 gvm gvm 4096 6. Sep 18:56 .
drwxr-xr-x 4 gvm gvm 4096 6. Sep 17:35 ..
drwx------ 2 gvm gvm 4096 21. Okt 2019 openpgp-revocs.d
drwx------ 2 gvm gvm 4096 21. Okt 2019 private-keys-v1.d
-rw------- 1 gvm gvm 818 21. Okt 2019 pubring.kbx
-rw------- 1 gvm gvm 32 21. Okt 2019 pubring.kbx~
-rw------- 1 gvm gvm 600 6. Sep 18:56 random_seed
-rw------- 1 gvm gvm 1280 21. Okt 2019 trustdb.gpg
```
```
# cat /etc/gvm/ospd-openvas.conf
[OSPD - openvas]
log_level = INFO
socket_mode = 0o770
unix_socket = /run/ospd/ospd-openvas.sock
pid_file = /run/ospd/ospd-openvas.pid
log_file = /var/log/gvm/ospd-openvas.log
lock_file_dir = /run/ospd
```
I also tried adding `notus-feed-dir = /var/lib/notus/advisories` to the `ospd-openvas.conf` as I've seen it's also passed in your systemd file suggestion at https://greenbone.github.io/docs/latest/22.4/source-build/index.html#setting-up-services-for-systemd but it didn't make any difference.
greenbone:main
← greenbone:ignore-gpg-failure
opened 08:52AM - 08 Sep 22 UTC
When gpg verification on sha256sums for notus advisories fails it is
printing a … warning instead of crashing ospd-openvas.
This changes the behaviour mentioned in https://github.com/greenbone/ospd-openvas/issues/765
I had this problem on a new install a month ago. OSPD would constantly fail due to: “WARNING: (gnupg) gpg returned a non-zero error code: 2”
I found a hacky way to disable hash verification in ospd. Everything got working.
Started a new install yesterday and came to the same problem. Except this time I picked up the changes by ospd linked above. Effectively more broken this time, and my hack change wasn't applicable anymore.
My fix was to roll back ospd version to before this change and then do the hacky change.
```
/usr/local/lib/python3.9/dist-packages/ospd_openvas# nano daemon.py
```
```
def hashsum_verificator(
    ……..
    sums = reload_sha256sums(sha_sum_reload_config)
    return lambda _: True
    # return create_verify(sums)
```
It’s bad, but it works!
bricks
September 22, 2022, 3:16pm
5
You are aware that there is a runtime argument to disable the hashsum verification?
I am, there is in fact a hard-coded option in ospd as well. Neither works.