aptly-dev / aptly

aptly - Debian repository management tool
https://www.aptly.info/
MIT License

gpgv: keydb_search failed: invalid packet #822

Open fd98279 opened 5 years ago

fd98279 commented 5 years ago

gpgv: keydb_search failed: invalid packet

Detailed Description

Trying to run this command as per tutorial on Debian 10 (Worked on Ubuntu 18.04). Fails with error:

aptly mirror create -architectures=amd64 -keyring=trustedkeys.gpg -filter='Priority (required) | Priority (important) | Priority (standard)' stretch-main http://ftp.us.debian.org/debian/ stretch main
Downloading http://ftp.us.debian.org/debian/dists/stretch/InRelease...
Downloading http://ftp.us.debian.org/debian/dists/stretch/Release...
Downloading http://ftp.us.debian.org/debian/dists/stretch/Release.gpg...
gpgv: Signature made Sat 16 Feb 2019 10:57:48 AM UTC using RSA key ID 46925553
gpgv: [don't know]: invalid packet (ctb=00)
gpgv: keydb_search failed: invalid packet
gpgv: Can't check signature: public key not found
gpgv: Signature made Sat 16 Feb 2019 10:57:48 AM UTC using RSA key ID 2B90D010
gpgv: [don't know]: invalid packet (ctb=00)
gpgv: keydb_search failed: invalid packet
gpgv: Can't check signature: public key not found
gpgv: Signature made Sat 16 Feb 2019 11:04:31 AM UTC using RSA key ID 1A7B6500
gpgv: [don't know]: invalid packet (ctb=00)
gpgv: keydb_search failed: invalid packet
gpgv: Can't check signature: public key not found
ERROR: unable to fetch mirror: verification of detached signature failed: exit status 2

I executed this command to add the public keys to the keyring (as suggested by the aptly mirror create command):

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 8B48AD6246925553 7638D0442B90D010 EF0F382A1A7B6500

Keys in my trustedkeys.gpg keyring:

$ gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
~/.gnupg/trustedkeys.gpg

pub rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
uid [ unknown] Debian Stable Release Key (9/stretch) debian-release@lists.debian.org

pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
126C0D24BD8A2942CC7DF8AC7638D0442B90D010
uid [ unknown] Debian Archive Automatic Signing Key (8/jessie) ftpmaster@debian.org

pub rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
uid [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) ftpmaster@debian.org

Context

Possible Implementation

Your Environment

Debian 10

$ dpkg -l | grep gpg
ii gpg 2.2.12-1 amd64 GNU Privacy Guard -- minimalist public key operations
ii gpg-agent 2.2.12-1 amd64 GNU privacy guard - cryptographic agent
ii gpg-wks-client 2.2.12-1 amd64 GNU privacy guard - Web Key Service client
ii gpg-wks-server 2.2.12-1 amd64 GNU privacy guard - Web Key Service server
ii gpgconf 2.2.12-1 amd64 GNU privacy guard - core configuration utilities
ii gpgsm 2.2.12-1 amd64 GNU privacy guard - S/MIME version
ii gpgv 2.2.12-1 amd64 GNU privacy guard - signature verification tool
ii gpgv1 1.4.23-1 amd64 GNU privacy guard - signature verification tool (deprecated "classic" version)
ii libgpg-error0:amd64 1.35-1 amd64 GnuPG development runtime library

vexingcodes commented 5 years ago

Saw the same error today. I got it to work by specifying gpg1 rather than gpg when running the key import command:

gpg1 --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 8B48AD6246925553 7638D0442B90D010 EF0F382A1A7B6500

I'm not sure this is the "right" thing to do, but it does cause the commands to succeed.

baby-gnu commented 5 years ago

Looks like it does not work with gpg2

mpas97 commented 5 years ago

I have the same issue. I've debugged a lot and here are my results:
If I run the command using internal as gpg provider:
aptly -keyring=trustedkeys.gpg -gpg-provider=internal mirror create
I get the following error:
openpgp: invalid data: tag byte does not have MSB set
So I looked for similar issues and I found this one.
As written there, a way to fix the issue is to export the keyring file again to have everything in the right format. My command:
gpg --no-default-keyring --keyring /root/.gnupg/trustedkeys.gpg --export --output /root/.gnupg/newkeyring.gpg
Running
aptly -keyring=newkeyring.gpg mirror create
works fine now.

As for the wrong-format problem, this must have happened when we imported the keys like this:
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /root/.gnupg/trustedkeys.gpg --import
I retried the whole thing, but using the > command (instead of gpg --import) to write the export directly into a file, and surprise, the aptly mirror create works out of the box.
So use
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export > /root/.gnupg/trustedkeys.gpg
at the beginning and you should be fine.
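
A check that fits the diagnosis in this thread, as an added example that is not part of any comment above or of aptly: both error messages ("invalid packet (ctb=00)" and "tag byte does not have MSB set") complain about the keyring's first byte, and an OpenPGP packet stream starts with the high bit set while GnuPG 2's keybox format starts with 0x00 and carries the magic KBXf at offset 8. That the failing keyrings were keybox files is an assumption; hex, keyring_format and make_samples are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify a keyring file by its leading bytes.
# hex, keyring_format and make_samples are hypothetical helper names.

# Dump the selected bytes of a file as one lowercase hex string.
hex() { od -An -tx1 "$@" 2>/dev/null | tr -d ' \n'; }

keyring_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    first=$(hex -N1 "$f")
    [ -n "$first" ] || { echo "empty"; return 0; }
    # Keybox files start with a 4-byte blob length (byte 0 is 0x00 for the
    # small header blob) and carry the magic "KBXf" at offset 8.
    if [ "$(hex -j8 -N4 "$f")" = "4b425866" ]; then echo "keybox"; return 0; fi
    # ASCII-armored exports start with "-----BEGIN PGP ...".
    if [ "$(hex -N5 "$f")" = "2d2d2d2d2d" ]; then echo "armored"; return 0; fi
    b=$((0x$first))
    # Every OpenPGP packet header has the most significant bit set.
    if [ $((b & 0x80)) -eq 0 ]; then echo "unknown"; return 0; fi
    # Bit 6 selects new format (tag in bits 5-0) or old format (tag in bits 5-2).
    if [ $((b & 0x40)) -ne 0 ]; then tag=$((b & 0x3f)); else tag=$(( (b & 0x3c) >> 2 )); fi
    # Tag 6 is a public-key packet, which is what a binary key export begins with.
    if [ "$tag" -eq 6 ]; then echo "openpgp-packets"; else echo "openpgp-tag-$tag"; fi
}

# Constructed sample headers (not real keys), just enough bytes for the check.
make_samples() {
    d=$1
    printf '\000\000\000\040\001\001\000\002KBXf' > "$d/keybox.gpg"
    printf '\231\002\015\004' > "$d/legacy.gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$d/armored.asc"
}

# Usage: sh keyring_format.sh ~/.gnupg/trustedkeys.gpg
for k in "$@"; do printf '%s: %s\n' "$k" "$(keyring_format "$k")"; done
```

A keyring reported as keybox is in the layout that a plain gpg --export written to a file replaces with an OpenPGP packet stream.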