
Bug#703404: more infos



I'm not a debian-installer expert, but these observations might very
well help to resolve the issue:

- PXE boot with current installer (no additional boot args whatsoever)
  mine is wheezy amd64
    linux md5sum: dbd20c0b342e9a25747fb6a02d58f47b
    initrd.gz md5sum: ef5ccd9303d785db46b33e8cc3b150ce
- "Normal" interactive install (I chose ftp.de.debian.org as mirror)
- Continue until busybox fails to install (the problem apparent in
  syslog is failure to authenticate the mirror)
- Now my observations on VT2:

The Release and Release.gpg downloaded from the selected mirror are in
/target/var/lib/apt/lists, and /target/var/lib/apt/lists/partial,
respectively. Oddly, the Release file is the text file from
ftp.de.debian.org/debian/dists/wheezy/Release, *but with integrated PGP
signature added*. I don't know at what stage this got added, but it is
clear that the verification has to fail (because the Release.gpg signs
the ungarbled Release file, not one with its own signature added).

$ chroot /target apt-get -o 'Debug::Acquire::gpgv' update
inside VerifyGetSigners
gpgv path: /usr/bin/gpgv
Keyring file: /etc/apt/trusted.gpg
Keyring path: /etc/apt/trusted.gpg.d/
Preparing to exec: /usr/bin/gpgv /usr/bin/gpgv --ignore-time-conflict --status-fd 3 --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg --ignore-time-conflict /var/lib/apt/lists/partial/ftp.de.debian.org_debian_dists_wheezy_Release.gpg /var/lib/apt/lists/ftp.de.debian.org_debian_dists_wheezy_Release
Read: [GNUPG:] BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
Got BADSIG! 
gpgv exited
W: GPG error: http://ftp.de.debian.org wheezy Release: The following signatures were invalid: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

From the above output, we see that the aforementioned Release and
Release.gpg are used to verify the mirror. But the local Release file
(which at some point was changed to be different than the one on the
mirror), as mentioned, is not the one which the Release.gpg signs.

By doing the following at the right point(s?), I have already managed to
get a working installation:
$ rm /target/var/lib/apt/lists/ftp.de.debian.org_debian_dists_wheezy_Release
$ chroot /target apt-get update  # Shouldn't fail anymore with BADSIG.

Clearly this is nothing to add to the installer scripts, but I guess it
might help towards detecting the problem.


Have a nice day
Jens Stimpfle
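
The condition described in the message above (a Release file in the apt lists directory that carries an inline PGP signature, so the detached Release.gpg no longer matches it) can be checked for directly. The script below is an added example, not part of the original message or of apt or debian-installer; the function names and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot apt "Release" list files that are really clearsigned
# documents. Function names and sample content are constructed.

# release_kind FILE -> prints "clearsigned", "plain" or "missing"
release_kind() {
    [ -f "$1" ] || { echo missing; return 0; }
    # A clearsigned document opens with this armor line (RFC 4880, sec. 7)
    # and carries its signature block inline further down.
    if [ "$(head -n 1 "$1")" = "-----BEGIN PGP SIGNED MESSAGE-----" ] &&
       grep -q '^-----BEGIN PGP SIGNATURE-----$' "$1"; then
        echo clearsigned
    else
        echo plain
    fi
}

# signed_payload FILE -> prints the text that a clearsigned FILE wraps
signed_payload() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ && !started { started = 1; hdr = 1; next }
        hdr { if ($0 == "") hdr = 0; next }       # skip "Hash:" armor headers
        /^-----BEGIN PGP SIGNATURE-----$/ { exit } # payload ends here
        started { sub(/^- /, ""); print }         # undo dash-escaping
    ' "$1"
}

# scan_lists DIR -> prints each *_Release file in DIR that is clearsigned,
# i.e. one that a detached Release.gpg would report as BADSIG
scan_lists() {
    for f in "$1"/*_Release; do
        if [ "$(release_kind "$f")" = clearsigned ]; then echo "$f"; fi
    done
}

# make_sample DIR -> writes one plain and one clearsigned sample (constructed)
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'Origin: Debian' 'Suite: stable' '- dashed line' > "$1/mirror_plain_Release"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
        'Origin: Debian' 'Suite: stable' '- - dashed line' \
        '-----BEGIN PGP SIGNATURE-----' '(constructed, not a real signature)' \
        '-----END PGP SIGNATURE-----' > "$1/mirror_inline_Release"
}

# Usage: sh check_release.sh /target/var/lib/apt/lists
if [ "$#" -gt 0 ]; then scan_lists "$1"; fi
```

Comparing the output of `signed_payload` with the Release file fetched from the mirror shows whether the only difference is the added signature wrapper.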

