
Bug#850839: apt: insufficient information about untrusted hash algorithm
Package: apt
Version: 1.4~beta2
Severity: wishlist

Hi, I have struggled a pretty long time trying to find out why Debian
stretch would complain about our private package repository, while it
works perfectly well on Debian jessie and below. The symptom was this:

# apt-get update
Hit:1 http://ftp.debian.xs4all.net/debian stretch InRelease
Hit:2 http://ftp.debian.xs4all.net/debian stretch-updates InRelease
Hit:3 http://security.debian.org stretch/updates InRelease                     
Get:4 https://dpkg.xs4all.net stretch InRelease [4061 B]                       
Err:4 https://dpkg.xs4all.net stretch InRelease         
  The following signatures were invalid: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
Fetched 4061 B in 0s (7711 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dpkg.xs4all.net stretch InRelease: The following signatures were invalid: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
W: Failed to fetch https://dpkg.xs4all.net/dists/stretch/InRelease  The following signatures were invalid: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
W: Some index files failed to download. They have been ignored, or old ones used instead.

I first had to "apt-get update -o Debug::Acquire::gpgv=true" to find this:

Read: [GNUPG:] VALIDSIG D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741 2017-01-09 1483967529 0 4 0 1 2 01 D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
Got untrusted VALIDSIG, key ID: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
gpgv exited with status 0

And then I read gnupg/g10/mainproc.c and apt/methods/gpgv.cc
to find out that it is probably the SHA-1 digest algorithm apt
doesn't like, which led me to the relatively simple fix found on
https://debian-administration.org/users/dkg/weblog/48

Please make it easier to debug this kind of problem, or better: make
apt just say what the problem is. When I later configured our private
repo on Ubuntu xenial, it just told me exactly what the problem was:

Reading package lists... Done
W: https://dpkg.xs4all.net/dists/xenial/InRelease: Signature by key D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741 uses weak digest algorithm (SHA1)


Regards,
Robert Scheer.


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/preferences.d/puppet.pref present, but not submitted) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (/etc/apt/sources.list.d/debian.list present, but not submitted) --


-- (/etc/apt/sources.list.d/debian_security.list present, but not submitted) --


-- (/etc/apt/sources.list.d/debian_updates.list present, but not submitted) --


-- (/etc/apt/sources.list.d/xs4all.list present, but not submitted) --


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv                    2.1.17-2
ii  init-system-helpers     1.46
ii  libapt-pkg5.0           1.4~beta2
ii  libc6                   2.24-8
ii  libgcc1                 1:6.2.1-5
ii  libstdc++6              6.2.1-5

Versions of packages apt recommends:
ii  gnupg  2.1.17-2

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.18.18
pn  powermgmt-base               <none>
pn  python-apt                   <none>

-- no debconf information
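The diagnosis in the report rests on the field layout of the gpgv VALIDSIG status line: the ninth field after the keyword is the hash algorithm id from RFC 4880 section 9.4, and a value of 2 means SHA1. The following Python script is an added example, not code from apt (methods/gpgv.cc) or from GnuPG; it parses the status lines the way a repository client would, refuses to trust a signature made with a weak digest, and reports the reason in the form of the Ubuntu xenial warning quoted above. The first VALIDSIG line is the one from the report; the second VALIDSIG line, with an all-zero fingerprint and SHA256 (id 8), and the GOODSIG user id are constructed sample input.

```python
"""Parse gpgv --status-fd output and flag signatures that use a weak digest.

Added example (not apt's or GnuPG's own code). It reads the VALIDSIG status
line that apt consumes and checks the hash algorithm field so that the reason
for distrusting a signature is stated explicitly instead of only appearing
under -o Debug::Acquire::gpgv=true.
"""

# Hash algorithm ids from RFC 4880 section 9.4 (also used in GnuPG status output).
HASH_ALGOS = {
    1: "MD5",
    2: "SHA1",
    3: "RIPEMD160",
    8: "SHA256",
    9: "SHA384",
    10: "SHA512",
    11: "SHA224",
}

# Digests a repository client should no longer accept for signatures.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

# Constructed sample status output. The first VALIDSIG line is the one quoted in
# the bug report; the second VALIDSIG line (all-zero fingerprint, hash id 8 =
# SHA256) and the GOODSIG user id are made up for this example.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D16BDC99BCA6F741 Constructed Example Key <repo@example.invalid>
[GNUPG:] VALIDSIG D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741 2017-01-09 1483967529 0 4 0 1 2 01 D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2017-01-09 1483967529 0 4 0 1 8 01 0000000000000000000000000000000000000000
"""


def parse_validsig(line):
    """Return a dict for a VALIDSIG status line, or None for any other line.

    Field layout after the VALIDSIG keyword (RFC 4880 / GnuPG DETAILS):
      fingerprint, creation date, creation timestamp, expiry timestamp,
      signature version, reserved, public key algorithm, hash algorithm,
      signature class, optional primary key fingerprint.
    """
    fields = line.split()
    if len(fields) < 11 or fields[0] != "[GNUPG:]" or fields[1] != "VALIDSIG":
        return None
    return {
        "fingerprint": fields[2],
        "sig_version": int(fields[6]),
        "pubkey_algo": int(fields[8]),
        "hash_algo": int(fields[9]),
        "sig_class": fields[10],
        "primary_fpr": fields[11] if len(fields) > 11 else fields[2],
    }


def digest_name(hash_algo):
    """Map a hash algorithm id to its name; unknown ids are named as such."""
    return HASH_ALGOS.get(hash_algo, "unknown(%d)" % hash_algo)


def classify_signatures(status_output, release_file="InRelease"):
    """Split VALIDSIG entries into trusted fingerprints and human-readable warnings.

    A signature is trusted only if its digest is known and not in WEAK_DIGESTS;
    everything else produces a warning that names the key and the digest.
    """
    trusted, warnings = [], []
    for line in status_output.splitlines():
        sig = parse_validsig(line)
        if sig is None:
            continue
        name = digest_name(sig["hash_algo"])
        if name in WEAK_DIGESTS or name.startswith("unknown"):
            warnings.append(
                "W: %s: Signature by key %s uses weak digest algorithm (%s)"
                % (release_file, sig["fingerprint"], name)
            )
        else:
            trusted.append(sig["fingerprint"])
    return trusted, warnings


if __name__ == "__main__":
    ok, warns = classify_signatures(SAMPLE_STATUS)
    for w in warns:
        print(w)
    print("trusted signatures:", ok)
```

Run stand-alone, the script prints one warning for the SHA1-signed entry and lists the SHA256-signed fingerprint as trusted; the same function could be fed real output from `gpgv --status-fd 1`, since only the VALIDSIG lines are interpreted.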