Bug#667699: apt: Apt GPG errors with HTTPS requests including Range headers
Package: apt
Version: 0.8.10.3+squeeze1
Severity: normal
Hello, my new repository served over HTTPS with Lighttpd occasionally
causes the following errors on apt-get update, when the Release file
changes.
W: Bizarre Error - File size is not what the server reported 9106 6071
W: GPG error: https://deb.domain.com squeeze Release: The
following signatures were invalid: BADSIG ABC11270D6652B36
Domain Inc. (packages) <deb@deb.domain.com>
At first I believed it to be a problem when a 304 is returned for
Release, so I have ensured Last-Modified is unset and Cache-Control
forces no caching, as well as using the following on the APT side
Acquire::https::No-Cache "true"; Acquire::https::Max-Age "0";
Other bug reports I found indicated this may be the cause.
However, after 2 days the problem was back, so I kept debugging and found
hope in the report #646381 which indicated APT sends a malformed header
including an erroneous \r\n.
Since a fix entered experimental only, I patched https.cc and rebuilt
apt-transport-https:
   // // if we have the file send an if-range query with a range header
   // if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
   // {
   //    char Buf[1000];
   //    sprintf(Buf,"Range: bytes=%li-\r\nIf-Range: %s\r\n",
   //            (long)SBuf.st_size - 1,
   //            TimeRFC1123(SBuf.st_mtime).c_str());
   //    headers = curl_slist_append(headers, Buf);
   // }
   //
   // if we have the file send an if-range query with a range header
   if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
   {
      char Buf[1000];
      sprintf(Buf, "Range: bytes=%li-", (long) SBuf.st_size - 1);
      headers = curl_slist_append(headers, Buf);
      sprintf(Buf, "If-Range: %s", TimeRFC1123(SBuf.st_mtime).c_str());
      headers = curl_slist_append(headers, Buf);
   }
But my issue repeats, I'm out of ideas, and my associates don't know
whether to trust my repository or not. Attached to the e-mail you will
find output of:
apt-get -o Debug::Acquire::https=true -o Debug::Acquire::gpgv=true -o Debug::pkgAcquire::Auth=true update
...including all headers sent and received on Release GET.
Here are the relevant contents of /var/lib/apt/lists while the issue is
repeating:
ls -al /var/lib/apt/lists/
-rw-r--r-- 1 root root 18868 Apr 5 15:51 deb.domain.com_dists_squeeze_main_binary-amd64_Packages
-rw-r--r-- 1 root root 14667 Apr 5 15:51 deb.domain.com_dists_squeeze_main_source_Sources
-rw-r--r-- 1 root root 3036 Apr 5 15:51 deb.domain.com_dists_squeeze_Release
-rw-r--r-- 1 root root 835 Apr 5 15:51 deb.domain.com_dists_squeeze_Release.gpg
ls -al /var/lib/apt/lists/partial/
-rw-r--r-- 1 root root 0 Apr 5 15:38 deb.domain.com_dists_squeeze_main_i18n_Translation-en
-rw-r--r-- 1 root root 0 Apr 5 15:38 deb.domain.com_dists_squeeze_main_i18n_Translation-en%5fUS
-rw-r--r-- 1 root root 36425 Apr 5 17:28 deb.domain.com_dists_squeeze_Release
-rw-r--r-- 1 root root 835 Apr 5 17:28 deb.domain.com_dists_squeeze_Release.gpg
These servers are up to date Debian Squeeze 6.0.4.
Thank you.
* About to connect() to deb.domain.com port 443 (#0)
* Trying 111.111.111.111... * connected
* Connected to deb.domain.com (111.111.111.111) port 443 (#0)
* found 141 certificates in /etc/ssl/certs/ca-certificates.crt
* SSL re-using session ID
* server certificate verification OK
* common name: *.domain.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: serialNumber=ad6c57sfKqXkXIhW0z7vi8OkT/Z62ORi,C=US,ST=NewYork,L=NewYork,O=Domain Inc\, Inc.,OU=SSL Services,CN=*.domain.com
* start date: Wed, 15 Feb 2012 15:54:10 GMT
* expire date: Tue, 19 Mar 2013 00:17:25 GMT
* issuer: C=US,O=GeoTrust\, Inc.,CN=GeoTrust SSL CA
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET /dists/squeeze/Release HTTP/1.1
Host: deb.domain.com
Accept: */*
Cache-Control: no-cache
Pragma: no-cache
Range: bytes=6074-
If-Range: Thu, 05 Apr 2012 21:04:57 GMT
< HTTP/1.1 200 OK
< Last-Modified:
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Content-Length: 3036
< Date: Thu, 05 Apr 2012 21:05:16 GMT
< Server: Domain Inc.
<
Get:2 https://deb.domain.com squeeze Release [3,036 B]
* Connection #0 to host deb.domain.com left intact
Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release.gpg,/var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release)
inside VerifyGetSigners
gpgv path: /usr/bin/gpgv
Keyring file: /etc/apt/trusted.gpg
Keyring path: /etc/apt/trusted.gpg.d/
Preparing to exec: /usr/bin/gpgv /usr/bin/gpgv --ignore-time-conflict --status-fd 3 --keyring /etc/apt/trusted.gpg /var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release.gpg /var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release
Read: [GNUPG:] BADSIG ABC11270D6652B36 Domain Inc. (packages) <domain@deb.domain.com>
Got BADSIG!
gpgv exited
Err https://deb.domain.com squeeze Release
Fetched 9,945 B in 2s (4,595 B/s)
Reading package lists...
W: Bizarre Error - File size is not what the server reported 9110 6075
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.domain.com squeeze Release: The following signatures were invalid: BADSIG ABC11270D6652B36 Domain Inc. (packages) <domain@deb.domain.com>
W: Failed to fetch https://deb.domain.com/dists/squeeze/Release
W: Some index files failed to download, they have been ignored, or old ones used instead.
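The following is an added worked example, not code from the bug report or from apt. It models the exchange visible in the debug output above: the client still holds a partial Release file, asks for "Range: bytes=6074-" with an If-Range validator, and the server answers 200 OK with the complete new file (Content-Length: 3036) because the file changed. Writing that 200 body at the requested offset, as a naive resume would, yields a 9110-byte file (6074 + 3036, the first number in the "Bizarre Error" line) whose signature can no longer verify; honouring the semantics of If-Range (a 200 means "here is the whole new entity, discard what you had") yields the 3036-byte file that the signature covers. The sizes are taken from the report; the file contents, the mtime string and the HMAC used as a stand-in for the detached GPG signature are constructed for the demo and are not real apt data or real OpenPGP verification.

```python
import hashlib
import hmac

# Constructed sample data (sizes taken from the bug report's debug output):
# a stale partial download of the previous Release file (6075 bytes, so the
# client asks for "bytes=6074-") and the freshly published Release file (3036 bytes).
OLD_RELEASE = b"Suite: squeeze\nDate: Wed, 04 Apr 2012 12:00:00 UTC\n".ljust(6075, b"A")
NEW_RELEASE = b"Suite: squeeze\nDate: Thu, 05 Apr 2012 21:04:57 UTC\n".ljust(3036, b"B")

# Stand-in for Release.gpg: an HMAC over the exact file bytes. This is an
# assumption for the demo only; apt/gpgv verify an OpenPGP detached signature.
DEMO_KEY = b"constructed-demo-signing-key"


def sign(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def resume_headers(partial: bytes, mtime_rfc1123: str) -> dict:
    """Headers sent when a partial file exists: re-request from the last byte
    already on disk, conditional on the server-side file being unchanged."""
    if not partial:
        return {}
    return {"Range": f"bytes={len(partial) - 1}-", "If-Range": mtime_rfc1123}


def apply_response_naive(partial: bytes, status: int, headers: dict, body: bytes) -> bytes:
    """The failure mode: write the body at the requested offset regardless of
    status, so a 200 carrying the whole new file is glued onto stale data."""
    offset = max(len(partial) - 1, 0)
    return partial[:offset] + body


def apply_response(partial: bytes, status: int, headers: dict, body: bytes) -> bytes:
    """Handle a reply to a Range/If-Range request the way RFC 2616 intends."""
    if "Content-Length" in headers and len(body) != int(headers["Content-Length"]):
        raise ValueError("body length does not match Content-Length")
    if status == 200:
        # If-Range did not match (file changed, or server ignores ranges):
        # the body is the complete new entity and the partial file is garbage.
        return body
    if status == 206:
        # "Content-Range: bytes START-END/TOTAL" must line up with what was asked for.
        unit, span = headers["Content-Range"].split(" ", 1)
        rng, total = span.split("/")
        start, end = (int(x) for x in rng.split("-"))
        if unit != "bytes" or start != len(partial) - 1 or end - start + 1 != len(body):
            raise ValueError("Content-Range does not match the requested range")
        result = partial[:start] + body
        if len(result) != int(total):
            raise ValueError("assembled file size does not match Content-Range total")
        return result
    if status == 416:
        return b""  # range not satisfiable: drop the partial file and refetch from scratch
    raise ValueError(f"unexpected status {status}")


def demo_changed_file() -> dict:
    """The exchange from the report: Release changed, server answers the Range request with 200."""
    sig = sign(NEW_RELEASE)  # Release.gpg on the server now covers the new file
    headers = {"Content-Length": str(len(NEW_RELEASE)), "Accept-Ranges": "bytes"}
    naive = apply_response_naive(OLD_RELEASE, 200, headers, NEW_RELEASE)
    fixed = apply_response(OLD_RELEASE, 200, headers, NEW_RELEASE)
    return {
        "naive_size": len(naive), "naive_sig_ok": verify(naive, sig),
        "fixed_size": len(fixed), "fixed_sig_ok": verify(fixed, sig),
    }


def demo_unchanged_file() -> dict:
    """Release unchanged: server honours the range with 206 and one byte from offset 6074."""
    sig = sign(OLD_RELEASE)
    body = OLD_RELEASE[6074:]
    headers = {"Content-Length": str(len(body)), "Content-Range": "bytes 6074-6074/6075"}
    result = apply_response(OLD_RELEASE, 206, headers, body)
    return {"size": len(result), "sig_ok": verify(result, sig)}


if __name__ == "__main__":
    print(resume_headers(OLD_RELEASE, "Thu, 05 Apr 2012 21:04:57 GMT"))
    print(demo_changed_file())
    print(demo_unchanged_file())
```

The size check in apply_response is the cheap guard: a client that compares the assembled file against Content-Length or the Content-Range total before handing it to gpgv turns a confusing BADSIG into a plain "size mismatch, refetch" and never leaves an ever-growing file behind in lists/partial.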