Bug#456499: apt-transport-https: Errors with private repository and GPG keys

To: "MLA (Peter Clark)" <mla@forrussia.org>
Cc: 456499@bugs.debian.org
Subject: Bug#456499: apt-transport-https: Errors with private repository and GPG keys
From: Otavio Salvador <otavio@debian.org>
Date: Mon, 17 Dec 2007 19:55:34 -0200
Message-id: <[🔎] 87sl21x9yh.fsf@lab.ossystems.com.br>
Reply-to: Otavio Salvador <otavio@debian.org>, 456499@bugs.debian.org
In-reply-to: <[🔎] 200712172357.00099.mla@forrussia.org> (mla@forrussia.org's message of "Mon\, 17 Dec 2007 23\:56\:59 +0300")
References: <[🔎] 200712172357.00099.mla@forrussia.org>

"MLA (Peter Clark)" <mla@forrussia.org> writes:

> The thought struck me that maybe the problem was server-side, rather than 
> client-side, so I swapped out lighttpd for apache, and what do you know, the 
> error disappeared. Which is a pity, since apache is a bloated resource hog. I 
> still wasn't sure whether lighttpd or apt were to blame, so I dug farther.

You confirmed that it doesn't happen with http method but only with
https. This one uses libcurl as backend and looks to be a problem on
the library itself but I hadn't look the code to confirm it myself.

> Further discovery: When things work, 
> /var/lib/apt/lists/packages.mydomain.org_dists_unstable_Release 
> and
> /var/lib/apt/lists/packages.mydomain.org_dists_unstable_Release.gpg
> are 728 bytes and 191 bytes, respectively. However, the next time I run 
> apt-get, their file sizes are 0 and 381 bytes, respectively, and then 
> Release.gpg is deleted. Which is why the *next* times works again, because 
> Release.gpg is fetched anew. So now I understand why it works exactly 50% of 
> the time, but I still don't understand what's happening.

This is the statement that makes me unsure about if it's an apt bug or
curl ones.

> Here is what's odd; in the debug log for apt (running `apt-get -o 
> Debug::Acquire::https=true -o Debug::Acquire::gpgv=true update 2>apt.log`), I 
> noticed the following:
>
>> GET /dists/unstable/Release.gpg HTTP/1.1
> User-Agent: Debian APT-CURL/1.0 (0.7.6ubuntu14)
> Host: packages.mydomain.org
> Accept: */*
> Cache-Control: max-age=0
> Range: bytes=190-
> If-Range: Fri, 14 Dec 2007 09:51:25 GMT
>
> The "Range: bytes=190-" is what attracted my attention, since none of the 
> other GPG keys get that. 190 + 191 (the size of my Release.gpg file) = 381, 
> which is the same size as Release.gpg when apt doesn't work! So apparently, 
> rather than 
> overwrite /v/l/a/l/packages.mydomain.org_dists_unstable_Release.gpg, the same 
> file is being downloaded and appended to itself!
>
> So then I turned to the source: I'm pretty bad at reading C, but here's what I 
> believe to be the relevant portion of https.cc:
>
>    // if we have the file send an if-range query with a range header
>    if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
>    {
>       char Buf[1000];
>       sprintf(Buf,"Range: bytes=%li-\r\nIf-Range: %s\r\n",
>               (long)SBuf.st_size - 1,
>               TimeRFC1123(SBuf.st_mtime).c_str());
>       headers = curl_slist_append(headers, Buf);
>    }
>
> That's Greek to me, sorry. If someone can translate that into something 
> sensible, I would appreciate it. But in any case, I at least have a rough 
> understanding (correct me if I'm wrong) of what is happening:
> 1. The first time apt-get is run for a server using https, there is no copy of 
> Release.gpg cached, so when it is downloaded, it matches the size that server 
> gives (191 bytes) and it validates without a problem.
> 2. The second time apt-get is run, it downloads 190 bytes of Release.gpg and 
> *appends* this to the cached Release.gpg, which then of course fails to 
> validate. Release.gpg is then dutifully erased, since it is invalid.
> 3. There is no local copy of Release.gpg, so when apt-get is run for a third 
> time, the cycle repeats.
>
> I haven't looked at what's going on with Release (why it is 0 bytes), but I 
> suspect that if we solve the problem with Release.gpg, Release will likewise 
> be fixed.
>
> So who is to blame? Lighttpd or apt? Why, when apache is serving, are there no 
> such errors? 
>
> NB: What is probably not to blame: the self-signed certificate. I put a copy 
> of the server certificate in /etc/ssl/certs/ca-certificates.crt, and apt 
> happily accepts it without complaint.

Is your server public available running lighttpd? If it's, I can hack
it and check where the problem is and fix it for next upload.

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
 you the whole house."

Reply to:

Follow-Ups:
- Bug#456499: apt-transport-https: Errors with private repository and GPG keys
  - From: Otavio Salvador <otavio@debian.org>

References:
- Bug#456499: apt-transport-https: Errors with private repository and GPG keys
  - From: "MLA (Peter Clark)" <mla@forrussia.org>

Prev by Date: Re: apt transition - please bump urgency of libept
Next by Date: Bug#456499: apt-transport-https: Errors with private repository and GPG keys
Previous by thread: Bug#456499: apt-transport-https: Errors with private repository and GPG keys
Next by thread: Bug#456499: apt-transport-https: Errors with private repository and GPG keys
Index(es):
- Date
- Thread