Comments (18)
No problem. I installed your new key and tried again to apt update and install libapp-templer-perl. There was no trouble over the signature and it installed fine.
Thanks!
from templer.
The GPG issue reminds me of this previous bug:
Would you mind playing along and trying a manual-verification?
As for building for stretch, yes that's a great idea. I should have some time to do that tomorrow.
from templer.
If I did this right, the manual verification worked...
$ wget http://packages.steve.org.uk/templer/jessie/Release.gpg
URL transformed to HTTPS due to an HSTS policy
--2018-02-05 17:35:20-- https://packages.steve.org.uk/templer/jessie/Release.gpg
Resolving packages.steve.org.uk (packages.steve.org.uk)... 176.9.183.100, 2a01:4f8:151:6083::100
Connecting to packages.steve.org.uk (packages.steve.org.uk)|176.9.183.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 181 [text/plain]
Saving to: ‘Release.gpg’
Release.gpg 100%[======================>] 181 --.-KB/s in 0s
2018-02-05 17:35:21 (84.3 MB/s) - ‘Release.gpg’ saved [181/181]
$ wget http://packages.steve.org.uk/templer/jessie/Release
URL transformed to HTTPS due to an HSTS policy
--2018-02-05 17:35:27-- https://packages.steve.org.uk/templer/jessie/Release
Resolving packages.steve.org.uk (packages.steve.org.uk)... 176.9.183.100, 2a01:4f8:151:6083::100
Connecting to packages.steve.org.uk (packages.steve.org.uk)|176.9.183.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 347 [application/octet-stream]
Saving to: ‘Release’
Release 100%[======================>] 347 --.-KB/s in 0s
2018-02-05 17:35:27 (5.90 MB/s) - ‘Release’ saved [347/347]
$ ls
Release Release.gpg
$
$
$ gpg --keyring=/etc/apt/trusted.gpg --verify Release.gpg Release
gpg: Signature made Sun 10 Jul 2016 11:31:51 BST
gpg: using DSA key 0xF3E8C641DC2698A1
gpg: Good signature from "steve.org.uk APT key (This key is only used to sign the APT repository at http://www.steve.org.uk/apt/) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3661 9DAA B8E8 3147 1BB1 A3EF F3E8 C641 DC26 98A1
$
Is it apt just being annoying?
from templer.
Just noticed that apt-get produces a longer message, so in case that helps -
# apt-get update
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Ign:2 http://mirror.bytemark.co.uk/debian stretch InRelease
Hit:3 http://mirror.bytemark.co.uk/debian stretch-updates InRelease
Hit:4 http://mirror.bytemark.co.uk/debian stretch Release
Ign:6 http://packages.steve.org.uk/templer/jessie ./ InRelease
Get:7 http://packages.steve.org.uk/templer/jessie ./ Release [347 B]
Get:8 http://packages.steve.org.uk/templer/jessie ./ Release.gpg [181 B]
Ign:8 http://packages.steve.org.uk/templer/jessie ./ Release.gpg
Hit:9 http://packages.steve.org.uk/templer/jessie ./ Packages
Fetched 528 B in 1s (502 B/s)
Reading package lists... Done
W: GPG error: http://packages.steve.org.uk/templer/jessie ./ Release: The following signatures were invalid: 36619DAAB8E831471BB1A3EFF3E8C641DC2698A1
W: The repository 'http://packages.steve.org.uk/templer/jessie ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: No Hash entry in Release file /var/lib/apt/lists/partial/packages.steve.org.uk_templer_jessie_._Release which is considered strong enough for security purposes
W: Invalid 'Date' entry in Release file /var/lib/apt/lists/partial/packages.steve.org.uk_templer_jessie_._Release
from templer.
These seem to be the important errors:
W: No Hash entry in Release file .. which is considered strong enough for security purposes
W: Invalid 'Date' entry in Release file .. Release
I'm not sure what to make of them right now, but in the interim I have released a stretch package:
No doubt that will also show the same problem :(
from templer.
I found an issue which describes the missing fields for the `Release` file, so I've made a mass-update. I hope that now resolves the apt-problem.
from templer.
The message about the date has gone away but sadly it still doesn't like the signature,
# apt-get update
Ign:1 http://packages.steve.org.uk/templer/stretch ./ InRelease
Get:2 http://packages.steve.org.uk/templer/stretch ./ Release [425 B]
Get:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg [220 B]
Ign:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg
Fetched 645 B in 0s (948 B/s)
Reading package lists... Done
W: GPG error: http://packages.steve.org.uk/templer/stretch ./ Release: The following signatures were invalid: 36619DAAB8E831471BB1A3EFF3E8C641DC2698A1
W: The repository 'http://packages.steve.org.uk/templer/stretch ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: No Hash entry in Release file /var/lib/apt/lists/packages.steve.org.uk_templer_stretch_._Release which is considered strong enough for security purposes
(I removed my other apt sources to shorten this a bit.)
from templer.
The error "No Hash entry in Release file .." is one that I think I've fixed too now, hopefully this should be sufficient:
apt-get clean
apt-get update
(I appreciate your patience.)
from templer.
It grieves me to say it still doesn't like it, though it's now missing the bit about a hash,
# apt-get clean
# apt-get update
Ign:1 http://packages.steve.org.uk/templer/stretch ./ InRelease
Get:2 http://packages.steve.org.uk/templer/stretch ./ Release [987 B]
Get:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg [220 B]
Ign:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg
Fetched 1,207 B in 0s (1,925 B/s)
Reading package lists... Done
W: GPG error: http://packages.steve.org.uk/templer/stretch ./ Release: The following signatures were invalid: 36619DAAB8E831471BB1A3EFF3E8C641DC2698A1
W: The repository 'http://packages.steve.org.uk/templer/stretch ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
> (I appreciate your patience.)
Not at all, thank you for looking into this.
from templer.
So to recap:
- We've fixed the bit about the Date-header.
- We've fixed the bit about the hash.
- The outstanding problem is that the release-file signature isn't validating.
I think that the next thing to double-check is that you have the key imported. I'd expect `apt-key list` to include it:
# apt-key list
pub dsa1024 2006-02-23 [SC]
3661 9DAA B8E8 3147 1BB1 A3EF F3E8 C641 DC26 98A1
uid [ unknown] steve.org.uk APT key (This key is only used to sign the APT repository at http://www.steve.org.uk/apt/) <[email protected]>
sub elg2048 2006-02-23 [E]
If that is missing then that explains it - add it :) - If it is present then I'm a bit confused why apt-get isn't using it.
from templer.
I do seem to have that key, with the same output as yours except for a file name and dashes -
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub dsa1024 2006-02-23 [SC]
3661 9DAA B8E8 3147 1BB1 A3EF F3E8 C641 DC26 98A1
uid [ unknown] steve.org.uk APT key (This key is only used to sign the APT repository at http://www.steve.org.uk/apt/) <[email protected]>
sub elg2048 2006-02-23 [E]
[... other keys snipped ...]
Perhaps my installation is flawed somehow, if it works anywhere else. I think I can try on another computer and if so will report what I find.
from templer.
I think I've found out the problem! The hash-stuff was basically complaining about sha1, so I've changed the signature to use sha512 which I think should resolve this.
from templer.
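The three problems worked through in this thread (the `Date` field, the missing strong hash section, and the SHA1 signature digest) can be checked offline before publishing a repository. This is an added example, not part of the thread or the templer repository; the function names, the date shape it accepts and all sample data are constructed, and the packet text stands in for saved `gpg --list-packets Release.gpg` output.

```shell
#!/bin/sh
# Added example: lint a Release file and a signature's packet dump for the
# problems apt reported in this thread. All names and sample data are constructed.

# Print one finding per line for the Release file $1; print nothing if clean.
lint_release() {
    # "Invalid 'Date' entry": accept only an RFC 1123 style UTC date
    # (assumed shape for this example; apt's own parser is authoritative).
    grep -Eq '^Date: [A-Z][a-z]{2}, [0-9]{1,2} [A-Z][a-z]{2} [0-9]{4} [0-9:]{8} (UTC|GMT|\+0000)$' "$1" \
        || echo "bad-date"
    # "No Hash entry ... strong enough": MD5Sum/SHA1 sections alone do not count.
    grep -Eq '^SHA(256|512):' "$1" || echo "no-strong-hash"
}

# Classify the signature digest from saved `gpg --list-packets` output in $1.
# OpenPGP digest ids: 1=MD5, 2=SHA1, 3=RIPEMD160, 8=SHA256, 9=SHA384, 10=SHA512, 11=SHA224.
sig_digest_status() {
    algo=$(sed -n 's/.*digest algo \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    case "$algo" in
        1|2|3) echo "weak-digest" ;;      # this example's policy: reject legacy digests
        8|9|10|11) echo "ok" ;;
        *) echo "unknown" ;;
    esac
}

# Write constructed sample inputs into directory $1 (hashes are of an empty file).
write_samples() {
    printf '%s\n' 'Origin: example' 'MD5Sum:' \
        ' d41d8cd98f00b204e9800998ecf8427e 0 Packages' 'SHA1:' \
        ' da39a3ee5e6b4b0d3255bfef95601890afd80709 0 Packages' > "$1/Release.old"
    printf '%s\n' 'Origin: example' 'Date: Mon, 05 Feb 2018 17:00:00 UTC' 'SHA256:' \
        ' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 Packages' \
        > "$1/Release.new"
    printf '%s\n' ':signature packet: algo 17, keyid 0000000000000000' \
        '    digest algo 2, begin of digest 00 00' > "$1/packets.sha1"
    printf '%s\n' ':signature packet: algo 1, keyid 0000000000000000' \
        '    digest algo 10, begin of digest 00 00' > "$1/packets.sha512"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in Release.old Release.new; do
    echo "$f: $(lint_release "$tmp/$f" | tr '\n' ' ')"
done
echo "old signature: $(sig_digest_status "$tmp/packets.sha1")"
echo "new signature: $(sig_digest_status "$tmp/packets.sha512")"
rm -rf "$tmp"
```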
Well, I get a different error :-)
# apt-get clean
# apt-get update
Ign:1 http://packages.steve.org.uk/templer/stretch ./ InRelease
Get:2 http://packages.steve.org.uk/templer/stretch ./ Release [987 B]
Get:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg [220 B]
Fetched 1,207 B in 0s (1,747 B/s)
Reading package lists... Done
W: The repository 'http://packages.steve.org.uk/templer/stretch ./ Release' provides only weak security information.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I've tried on another 'stretch' computer and it shows the same message. HTH.
from templer.
Yeah I think I've hit an impasse here, I suspect the issue now is that the signing key is too old/weak - as it is a 1024 bit DSA key from 2006.
I'll test creating a new key, and transitioning to it, but it'll take me a day or two and it'll be a real pain for everybody involved :(
from templer.
Since the output is prefixed by `W:` I think it is just a warning though, so package installation should succeed.
from templer.
I put all my sources back and tried it, it looks like it will work if I say 'y' to this,
WARNING: The following packages cannot be authenticated!
libapp-templer-perl
Install these packages without verification? [y/N]
I'd prefer to try it with your new key if you're still intending to do that, there's no rush for me. Thanks.
from templer.
> I'd prefer to try it with your new key if you're still intending to do that, there's no rush for me. Thanks.
Give me a couple of days and I'll have a new key.
from templer.
Sorry this took a bit longer than expected! I've now updated all my Debian-package repositories, with a new key:
Hopefully you should now be safe to install from:
from templer.