ID | Category | Severity | Reproducibility | Date Submitted | Last Update
0011028 | [DCSS] Bug Report | minor | always | 2017-04-21 17:27 | 2017-05-17 05:54
Reporter | BugRobin | View Status | public
Assigned To | PleasingFungus
Priority | normal | Resolution | duplicate
Status | resolved | Product Branch | 0.19 ancient branch
Summary | 0011028: Need to re-sign Debian repository with a new key: SHA-1 is no longer accepted
Description

$ cat /etc/issue
Debian GNU/Linux 9 \n \l

$ uname -r
4.9.0-2-amd64

$ cat /etc/apt/sources.list.d/crawl.list
deb https://crawl.develz.org/debian crawl 0.19

$ apt-key list
[...]
pub   rsa2048 2011-04-26 [SC]
      115A 1FFD 4970 F673 27E4  CAB0 ABD5 C2C3 C965 A6F4
uid           [ unknown] CDO Crawl Repository <crawl@crawl.develz.org>
sub   rsa2048 2011-04-26 [E]
[...]

$ sudo apt update
[...]
Get:3 https://crawl.develz.org/debian crawl InRelease [39.4 kB]
Err:3 https://crawl.develz.org/debian crawl InRelease
  The following signatures were invalid: 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4
Reading package lists... Done
W: GPG error: https://crawl.develz.org/debian crawl InRelease: The following signatures were invalid : 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4
E: The repository 'https://crawl.develz.org/debian crawl InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Notes

(0031606) BugRobin (reporter) 2017-04-21 18:12

Not sure if this can be useful but here's my attempt to manually verify the signature of the Release file:

$ ls
crawl-key.gpg  InRelease  pubkey  Release  Release.gpg

$ gpg --import pubkey
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key ABD5C2C3C965A6F4: public key "CDO Crawl Repository <crawl@crawl.develz.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify InRelease
gpg: Signature made Wed 01 Mar 2017 06:58:04 PM UTC
gpg:                using RSA key ABD5C2C3C965A6F4
gpg: Good signature from "CDO Crawl Repository <crawl@crawl.develz.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 115A 1FFD 4970 F673 27E4  CAB0 ABD5 C2C3 C965 A6F4

$ gpg --verify Release.gpg Release
gpg: Signature made Wed 01 Mar 2017 06:58:04 PM UTC
gpg:                using RSA key ABD5C2C3C965A6F4
gpg: Good signature from "CDO Crawl Repository <crawl@crawl.develz.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 115A 1FFD 4970 F673 27E4  CAB0 ABD5 C2C3 C965 A6F4

(0031607) BugRobin (reporter) 2017-04-21 18:37 edited on: 2017-04-21 18:45

Verbose apt-get update:

$ apt-get -o "Debug::Acquire::gpgv=true" update
[...]
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] KEY_CONSIDERED 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4 0
Read: [GNUPG:] SIG_ID htEAFJ6LHinQ+G5byY3j5EZXjVE 2017-03-01 1488394684
Read: [GNUPG:] KEY_CONSIDERED 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4 0
Read: [GNUPG:] GOODSIG ABD5C2C3C965A6F4 CDO Crawl Repository <crawl@crawl.develz.org>
Got GOODSIG ABD5C2C3C965A6F4 !
Read: [GNUPG:] VALIDSIG 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4 2017-03-01 1488394684 0 4 0 1 2 01 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4
Got untrusted VALIDSIG, key ID: 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4
gpgv exited with status 0
Summary:
  Good:
  Bad:
  Worthless: 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4,
  SoonWorthless:
  NoPubKey:
  NODATA: no

See: https://github.com/Debian/apt/blob/47e53fe58e28dc1a2fa0098c6705f380f37f5902/methods/gpgv.cc#L225-L233

(0031608) BugRobin (reporter) 2017-04-21 18:53

OK it seems that the digest used to sign the Release file (SHA1) is not trusted anymore, hence the error: https://github.com/Debian/apt/blob/47e53fe58e28dc1a2fa0098c6705f380f37f5902/methods/gpgv.cc#L68-L71
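
The digest check discussed in notes 0031607 and 0031608, as an added example that is not part of the original report and is not apt's code: it reads the hash-algorithm field of each `VALIDSIG` status line and sorts signatures into good and worthless. The accept-only-SHA-2 policy, the function names and the second (SHA-256) sample line are assumptions made for this sketch.

```python
# Added example: classify gpgv signatures by digest algorithm.
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Assumed policy for this sketch: fail closed, accept only SHA-2 digests.
ACCEPTED = {"SHA224", "SHA256", "SHA384", "SHA512"}

CONSTRUCTED_FPR = "A" * 40  # placeholder fingerprint, not a real key

# First three lines are copied from note 0031607; the last is constructed.
SAMPLE = """\
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] GOODSIG ABD5C2C3C965A6F4 CDO Crawl Repository <crawl@crawl.develz.org>
Read: [GNUPG:] VALIDSIG 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4 2017-03-01 1488394684 0 4 0 1 2 01 115A1FFD4970F67327E4CAB0ABD5C2C3C965A6F4
Read: [GNUPG:] VALIDSIG %s 2017-05-17 1494993240 0 4 0 1 8 01 %s
""" % (CONSTRUCTED_FPR, CONSTRUCTED_FPR)


def parse_validsig(line):
    """Return (fingerprint, digest name) for a VALIDSIG line, else None."""
    marker = "[GNUPG:] VALIDSIG "
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = line[pos + len(marker):].split()
    # Fields: fingerprint, date, timestamp, expires, sig-version, reserved,
    # pubkey-algo, hash-algo, sig-class[, primary-key-fingerprint]
    if len(fields) < 9:
        raise ValueError("truncated VALIDSIG line: %r" % line)
    algo_id = int(fields[7])
    return fields[0], HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id)


def classify(status_text):
    """Sort every VALIDSIG in the status output into good or worthless."""
    result = {"good": [], "worthless": []}
    for line in status_text.splitlines():
        parsed = parse_validsig(line)
        if parsed is None:
            continue  # NEWSIG, GOODSIG etc. carry no digest information
        bucket = "good" if parsed[1] in ACCEPTED else "worthless"
        result[bucket].append(parsed)
    return result


if __name__ == "__main__":
    for bucket, sigs in classify(SAMPLE).items():
        print(bucket, sigs)
```

A `GOODSIG` line alone says nothing about digest strength, which is why `gpg --verify` in note 0031606 reports a good signature while apt still rejects the repository.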

(0031646) Argen77ino (reporter) 2017-05-14 19:13

I report the same thing https://crawl.develz.org/mantis/view.php?id=10447

Issue History
Date Modified | Username | Field | Change |
2017-04-21 17:27 | BugRobin | New Issue | |
2017-04-21 18:12 | BugRobin | Note Added: 0031606 | |
2017-04-21 18:37 | BugRobin | Note Added: 0031607 | |
2017-04-21 18:45 | BugRobin | Note Edited: 0031607 | |
2017-04-21 18:53 | BugRobin | Note Added: 0031608 | |
2017-04-21 19:11 | neil | Summary | The repository 'https://crawl.develz.org/debian crawl InRelease' is not signed. => Need to re-sign Debian repository with a new key: SHA-1 is no longer accepted |
2017-05-14 19:13 | Argen77ino | Note Added: 0031646 | |
2017-05-17 05:54 | PleasingFungus | Relationship added | duplicate of 0010447 |
2017-05-17 05:54 | PleasingFungus | Duplicate ID | 0 => 10447 |
2017-05-17 05:54 | PleasingFungus | Status | new => resolved |
2017-05-17 05:54 | PleasingFungus | Fixed in Branch | => 0.20 development branch |
2017-05-17 05:54 | PleasingFungus | Resolution | open => duplicate |
2017-05-17 05:54 | PleasingFungus | Assigned To | => PleasingFungus |