Bug#456499: apt-transport-https: Errors with private repository and GPG keys
"None shall defy the authority of truth, and the evil of falsehood is to be fought with enlightened speculation." --Ibn Khaldun, Muqaddimah
Well, Peter, without a valid certificate signature, I do not trust you myself. It seems to me like you are attempting to create a Trojan Horse, and asking Cerberus to teach you to do it.
I have forwarded a blind carbon copy of your message to internal security experts within the Debian Project.
On 12/16/07, MLA (Peter Clark) <mla@forrussia.org> wrote:
Package: apt-transport-https
Version: 0.7.6ubuntu14
Severity: important
I've set up a private apt repository and signed my own packages with my own
key. Furthermore, on the client computers I installed apt-transport-https.
When I 'apt-get update', however, 50% of the time I get the following
warnings:
W: Bizarre Error - File size is not what the server reported 0 728
W: GPG error: https://packages.mydomain.org unstable Release: The following signatures were invalid: BADSIG 6A3E7382C8A7B074 Peter Clark <peter@mydomain.org>
W: You may want to run apt-get update to correct these problems
When I run 'apt-get update' again, these problems do disappear...only to
reappear the next time. So the error appears very consistently, 50% of the
time. When I change the relevant line in /etc/apt/sources.list from:
deb https://packages.mydomain.org unstable main
to:
deb http://packages.mydomain.org unstable main
everything works fine; no weird file sizes, no GPG errors. I therefore interpret
this to mean that the repository and my GPG key are not the problem, which leaves
apt-transport-https as the only remaining possibility.
Additional note: the SSL certificate served by mydomain.org is self-signed; I
don't know if that makes a difference or not.
-- System Information:
Debian Release: lenny/sid
APT prefers gutsy-updates
APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500, 'gutsy')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-14-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt-transport-https depends on:
ii apt [libapt-pkg-libc6.6 0.7.6ubuntu14 Advanced front-end for dpkg
ii libc6 2.6.1-1ubuntu10 GNU C Library: Shared libraries
ii libcurl3-gnutls 7.16.4-2ubuntu1 Multi-protocol file transfer libra
ii libgcc1 1:4.2.1-5ubuntu4 GCC support library
ii libstdc++6 4.2.1-5ubuntu4 The GNU Standard C++ Library v3
apt-transport-https recommends no packages.
-- no debconf information