
Bug#456499: apt-transport-https: Errors with private repository and GPG keys



"None shall defy the authority of truth, and the evil of falsehood is to be fought with enlightened speculation." --Ibn Khaldun, Muqaddimah
 
Well, Peter, without a valid certificate signature, I do not trust you myself. It seems to me like you are attempting to create a Trojan Horse, and asking Cerberus to teach you to do it.
 
I have forwarded a blind carbon copy of your message to internal security experts within the Debian Project.
 
On 12/16/07, MLA (Peter Clark) <mla@forrussia.org> wrote:
Package: apt-transport-https
Version: 0.7.6ubuntu14
Severity: important

I've set up a private apt repository and signed my own packages with my own
key. Furthermore, on the client computers I installed apt-transport-https.
When I 'apt-get update', however, 50% of the time I get the following
warnings:

W: Bizarre Error - File size is not what the server reported 0 728
W: GPG error: https://packages.mydomain.org unstable Release: The following signatures were invalid: BADSIG 6A3E7382C8A7B074 Peter Clark <peter@mydomain.org>
W: You may want to run apt-get update to correct these problems

When I run 'apt-get update' again, these problems do disappear...only to
reappear the next time. So the error appears very consistently, 50% of the
time. When I change the relevant line in /etc/apt/sources.list from:

deb https://packages.mydomain.org unstable main

to:

deb http://packages.mydomain.org unstable main

everything works fine; no weird file sizes, no GPG errors. I therefore interpret
this to mean that the repository and my GPG key are not the problem, which leaves
apt-transport-https as the only remaining possibility.

Additional note: the SSL certificate served by mydomain.org is self-signed; I
don't know if that makes a difference or not.

-- System Information:
Debian Release: lenny/sid
APT prefers gutsy-updates
APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500, 'gutsy')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-14-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-transport-https depends on:
ii  apt [libapt-pkg-libc6.6 0.7.6ubuntu14    Advanced front-end for dpkg
ii  libc6                   2.6.1-1ubuntu10  GNU C Library: Shared libraries
ii  libcurl3-gnutls         7.16.4-2ubuntu1  Multi-protocol file transfer libra
ii  libgcc1                 1:4.2.1-5ubuntu4 GCC support library
ii  libstdc++6              4.2.1-5ubuntu4   The GNU Standard C++ Library v3

apt-transport-https recommends no packages.

-- no debconf information


