
Release signature invalid about templer HOT 18 CLOSED

skx commented on June 17, 2024
Release signature invalid

from templer.

Comments (18)

gh-4 commented on June 17, 2024

No problem. I installed your new key and tried again to apt update and install libapp-templer-perl. There was no trouble over the signature and it installed fine.

Thanks!

skx commented on June 17, 2024

The GPG issue reminds me of this previous bug:

Would you mind playing along and trying a manual-verification?

As for building for stretch, yes that's a great idea. I should have some time to do that tomorrow.

gh-4 commented on June 17, 2024

If I did this right, the manual verification worked...

$ wget http://packages.steve.org.uk/templer/jessie/Release.gpg
URL transformed to HTTPS due to an HSTS policy
--2018-02-05 17:35:20--  https://packages.steve.org.uk/templer/jessie/Release.gpg
Resolving packages.steve.org.uk (packages.steve.org.uk)... 176.9.183.100, 2a01:4f8:151:6083::100
Connecting to packages.steve.org.uk (packages.steve.org.uk)|176.9.183.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 181 [text/plain]
Saving to: ‘Release.gpg’

Release.gpg           100%[======================>]     181  --.-KB/s    in 0s      

2018-02-05 17:35:21 (84.3 MB/s) - ‘Release.gpg’ saved [181/181]

$ wget http://packages.steve.org.uk/templer/jessie/Release
URL transformed to HTTPS due to an HSTS policy
--2018-02-05 17:35:27--  https://packages.steve.org.uk/templer/jessie/Release
Resolving packages.steve.org.uk (packages.steve.org.uk)... 176.9.183.100, 2a01:4f8:151:6083::100
Connecting to packages.steve.org.uk (packages.steve.org.uk)|176.9.183.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 347 [application/octet-stream]
Saving to: ‘Release’

Release               100%[======================>]     347  --.-KB/s    in 0s      

2018-02-05 17:35:27 (5.90 MB/s) - ‘Release’ saved [347/347]

$ ls
Release  Release.gpg
$ 
$ 
$ gpg --keyring=/etc/apt/trusted.gpg --verify Release.gpg Release
gpg: Signature made Sun 10 Jul 2016 11:31:51 BST
gpg:                using DSA key 0xF3E8C641DC2698A1
gpg: Good signature from "steve.org.uk APT key (This key is only used to sign the APT repository at http://www.steve.org.uk/apt/) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3661 9DAA B8E8 3147 1BB1  A3EF F3E8 C641 DC26 98A1
$

Is it apt just being annoying?

gh-4 commented on June 17, 2024

Just noticed that apt-get produces a longer message, so in case that helps -

# apt-get update
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Ign:2 http://mirror.bytemark.co.uk/debian stretch InRelease
Hit:3 http://mirror.bytemark.co.uk/debian stretch-updates InRelease
Hit:4 http://mirror.bytemark.co.uk/debian stretch Release
Ign:6 http://packages.steve.org.uk/templer/jessie ./ InRelease
Get:7 http://packages.steve.org.uk/templer/jessie ./ Release [347 B]
Get:8 http://packages.steve.org.uk/templer/jessie ./ Release.gpg [181 B]
Ign:8 http://packages.steve.org.uk/templer/jessie ./ Release.gpg
Hit:9 http://packages.steve.org.uk/templer/jessie ./ Packages
Fetched 528 B in 1s (502 B/s)
Reading package lists... Done
W: GPG error: http://packages.steve.org.uk/templer/jessie ./ Release: The following signatures were invalid: 36619DAAB8E831471BB1A3EFF3E8C641DC2698A1
W: The repository 'http://packages.steve.org.uk/templer/jessie ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: No Hash entry in Release file /var/lib/apt/lists/partial/packages.steve.org.uk_templer_jessie_._Release which is considered strong enough for security purposes
W: Invalid 'Date' entry in Release file /var/lib/apt/lists/partial/packages.steve.org.uk_templer_jessie_._Release

skx commented on June 17, 2024

These seem to be the important errors:

  • W: No Hash entry in Release file .. which is considered strong enough for security purposes
  • W: Invalid 'Date' entry in Release file .. Release

I'm not sure what to make of them right now, but in the interim I have released a stretch package:

No doubt that will also show the same problem :(

skx commented on June 17, 2024

I found an issue which describes the missing fields for the Release file, so I've made a mass-update. I hope that now resolves the apt-problem.

gh-4 commented on June 17, 2024

The message about the date has gone away but sadly it still doesn't like the signature,

# apt-get update
Ign:1 http://packages.steve.org.uk/templer/stretch ./ InRelease
Get:2 http://packages.steve.org.uk/templer/stretch ./ Release [425 B]
Get:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg [220 B]
Ign:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg
Fetched 645 B in 0s (948 B/s)
Reading package lists... Done
W: GPG error: http://packages.steve.org.uk/templer/stretch ./ Release: The following signatures were invalid: 36619DAAB8E831471BB1A3EFF3E8C641DC2698A1
W: The repository 'http://packages.steve.org.uk/templer/stretch ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: No Hash entry in Release file /var/lib/apt/lists/packages.steve.org.uk_templer_stretch_._Release which is considered strong enough for security purposes

(I removed my other apt sources to shorten this a bit.)

skx commented on June 17, 2024

The error "No Hash entry in Release file .." is one that I think I've fixed too now, hopefully this should be sufficient:

  apt-get clean
  apt-get update

(I appreciate your patience.)

gh-4 commented on June 17, 2024

It grieves me to say it still doesn't like it, though it's now missing the bit about a hash,

# apt-get clean
# apt-get update
Ign:1 http://packages.steve.org.uk/templer/stretch ./ InRelease
Get:2 http://packages.steve.org.uk/templer/stretch ./ Release [987 B]
Get:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg [220 B]
Ign:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg
Fetched 1,207 B in 0s (1,925 B/s)
Reading package lists... Done
W: GPG error: http://packages.steve.org.uk/templer/stretch ./ Release: The following signatures were invalid: 36619DAAB8E831471BB1A3EFF3E8C641DC2698A1
W: The repository 'http://packages.steve.org.uk/templer/stretch ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

> (I appreciate your patience.)

Not at all, thank you for looking into this.

skx commented on June 17, 2024

So to recap:

  • We've fixed the bit about the Date-header.
  • We've fixed the bit about the hash.
  • The outstanding problem is that the release-file signature isn't validating.

I think that the next thing to double-check is that you have the key imported. I'd expect apt-key list to include it:

  # apt-key list
  pub   dsa1024 2006-02-23 [SC]
  3661 9DAA B8E8 3147 1BB1  A3EF F3E8 C641 DC26 98A1
  uid           [ unknown] steve.org.uk APT key (This key is only used to sign the APT repository at http://www.steve.org.uk/apt/) <[email protected]>
  sub   elg2048 2006-02-23 [E]

If that is missing then that explains it - add it :) - If it is present then I'm a bit confused why apt-get isn't using it.

gh-4 commented on June 17, 2024

I do seem to have that key, with the same output as yours except for a file name and dashes -

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   dsa1024 2006-02-23 [SC]
      3661 9DAA B8E8 3147 1BB1  A3EF F3E8 C641 DC26 98A1
uid           [ unknown] steve.org.uk APT key (This key is only used to sign the APT repository at http://www.steve.org.uk/apt/) <[email protected]>
sub   elg2048 2006-02-23 [E]
[... other keys snipped ...]

Perhaps my installation is flawed somehow, if it works anywhere else. I think I can try on another computer and if so will report what I find.

skx commented on June 17, 2024

I think I've found out the problem! The hash-stuff was basically complaining about sha1, so I've changed the signature to use sha512 which I think should resolve this.

gh-4 commented on June 17, 2024

Well, I get a different error :-)

# apt-get clean
# apt-get update
Ign:1 http://packages.steve.org.uk/templer/stretch ./ InRelease
Get:2 http://packages.steve.org.uk/templer/stretch ./ Release [987 B]
Get:3 http://packages.steve.org.uk/templer/stretch ./ Release.gpg [220 B]
Fetched 1,207 B in 0s (1,747 B/s)
Reading package lists... Done
W: The repository 'http://packages.steve.org.uk/templer/stretch ./ Release' provides only weak security information.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I've tried on another 'stretch' computer and it shows the same message. HTH.

skx commented on June 17, 2024

Yeah I think I've hit an impasse here, I suspect the issue now is that the signing key is too old/weak - as it is a 1024 bit DSA key from 2006.

I'll test creating a new key, and transitioning to it, but it'll take me a day or two and it'll be a real pain for everybody involved :(

from templer.
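
An added example, not code from this thread or from the templer project: the four things the thread has diagnosed so far (Date field, strong hash section, signature digest, signing-key algorithm) checked against a Release file and a detached Release.gpg. The sample inputs are constructed, and the weak-digest and DSA policy is an assumption taken from the thread's diagnosis, not from apt's source.

```python
import base64, re
from email.utils import parsedate_to_datetime

PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}   # OpenPGP algorithm ids
DIGEST = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK_DIGESTS = {"MD5", "SHA1"}   # assumption: policy taken from the thread

def lint_release(text):
    """Problems in a Release file: the Date field and the checksum sections."""
    fields = dict(re.findall(r"^([A-Za-z0-9-]+):[ \t]*(.*)$", text, re.M))
    problems = []
    try:
        parsedate_to_datetime(fields["Date"])
    except (KeyError, TypeError, ValueError):
        problems.append("missing or invalid Date")
    if not fields.keys() & {"SHA256", "SHA512"}:
        problems.append("no strong hash section")
    return problems

def signature_algorithms(armored):
    """(pubkey algorithm, digest algorithm) of an armored v4 detached signature."""
    body = armored.split("\n\n", 1)[1]          # skip armor header lines
    pkt = base64.b64decode("".join(l for l in body.splitlines() if l and l[0] not in "=-"))
    if pkt[0] & 0x40:                           # new-format packet header
        tag, first = pkt[0] & 0x3F, pkt[1]
        off = 3 if 192 <= first < 224 else 6 if first == 255 else 2
    else:                                       # old-format packet header
        tag, off = (pkt[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[pkt[0] & 3]
    if tag != 2 or pkt[off] != 4:
        raise ValueError("expected a version 4 signature packet")
    return PUBKEY.get(pkt[off + 2], "unknown"), DIGEST.get(pkt[off + 3], "unknown")

def lint_signature(armored):
    pubkey, digest = signature_algorithms(armored)
    weak = [f"weak signature digest {digest}"] if digest in WEAK_DIGESTS else []
    return weak + (["DSA signing key, check its size"] if pubkey == "DSA" else [])

def sample_signature(pubkey_id, digest_id):
    """CONSTRUCTED packet: header fields plus zero padding, not a real signature."""
    pkt = bytes([0x88, 10, 4, 0x00, pubkey_id, digest_id]) + bytes(6)
    return "-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(pkt).decode() + "\n-----END PGP SIGNATURE-----\n"

# CONSTRUCTED Release files: the 'before' one has only MD5Sum and no Date.
OLD_RELEASE = "Origin: example\nMD5Sum:\n d41d8cd98f00b204e9800998ecf8427e 0 Packages\n"
NEW_RELEASE = "Date: Mon, 05 Feb 2018 17:35:20 UTC\nSHA256:\n " + "0" * 64 + " 0 Packages\n"
if __name__ == "__main__":
    print("before:", lint_release(OLD_RELEASE), lint_signature(sample_signature(17, 2)))
    print("after: ", lint_release(NEW_RELEASE), lint_signature(sample_signature(1, 10)))
```

On a real repository, `gpg --list-packets Release.gpg` prints the same two algorithm ids that `signature_algorithms` reads from the packet header.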

skx commented on June 17, 2024

Since the output is prefixed by W: I think it is just a warning though, so package installation should succeed.

gh-4 commented on June 17, 2024

I put all my sources back and tried it, it looks like it will work if I say 'y' to this,

WARNING: The following packages cannot be authenticated!
  libapp-templer-perl
Install these packages without verification? [y/N]

I'd prefer to try it with your new key if you're still intending to do that, there's no rush for me. Thanks.

skx commented on June 17, 2024

> I'd prefer to try it with your new key if you're still intending to do that, there's no rush for me. Thanks.

Give me a couple of days and I'll have a new key.

skx commented on June 17, 2024

Sorry this took a bit longer than expected! I've now updated all my Debian-package repositories, with a new key:

Hopefully you should now be safe to install from:
