freight-team / freight

A modern take on the Debian archive.

Maybe issue with Ubuntu 22.04 signed Release "provides only weak security information" #125

Closed ppoilbarbe closed 2 years ago

ppoilbarbe commented 2 years ago

I am building a set of Ansible roles for migrating all our HPC and desktop computers from Ubuntu Xenial (16.04) to Ubuntu Jammy (22.04). I built the roles with version 21.10 as a basis for tests until 22.04 was released. It was working well on my test PCs. Now that 22.04 is released, I tried to redo the same in order to check that there is no regression. We have a repository built with Freight which was working well until now (and with 21.10 too). With the version of apt-get (2.4.5) included with Ubuntu 22.04, I now get an error with the following message:

W: No Hash entry in Release file /var/lib/apt/lists/partial/packages.server.fr_apt_dists_jammy_InRelease
E: The repository 'http://packages.server.fr/apt jammy InRelease' provides only weak security information.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Is there something wrong in the way I build the repository? (I do freight add then freight cache, as it is supposed to be done.)

I tried to define GPG_DIGEST_ALGO=SHA256 in the conf file (and recache everything), but after digging in the code, it seems to be the default one.

Here is my freight.conf file:

#
# Freight configuration file.
# File managed by CHEF!!! DO NOT MODIFY BY HAND

# Directories for the Freight library and Freight cache.  Your web
# server's document root should be `$VARCACHE`.
VARLIB="/data/APP_REPOSITORY/repository-ubuntu/repo_dir/lib"
VARCACHE="/data/APP_REPOSITORY/repository-ubuntu/repo_dir/apt"

# Default `Origin` and `Label` fields for `Release` files.
ORIGIN="XXXX"
LABEL="XXXX"
#SUITE="XXXX"

# Which architectures are supported
ARCHS="amd64 source"

# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="on"

# GPG key to use to sign repositories.  This is required by the `apt`
# repository provider.  Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
GPG="our-key@in-gpg-ring"
# GPG_DIGEST_ALGO=SHA256

# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"

NOTE: The repository is built and served on a node running Ubuntu 16.04 (GPG 1.4.20, apt-get 1.2.35)

ppoilbarbe commented 2 years ago

Oops... My fault... The repository for 22.04 is new and I forgot to put a dummy package in it to avoid an empty repository, because it (freight or apt, I don't know) does not like that.
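A check for the condition behind this error, added here as an example and not part of freight or apt: it reads a Release/InRelease file and reports whether it carries SHA256 entries (what apt needs), only MD5/SHA1 entries (weak), or none at all, which is what an empty component yields per the resolution above. The sample Release files and their hash values are constructed.

```shell
#!/bin/sh
# Added example, not part of freight: inspect an apt Release/InRelease file
# the way apt-secure does before trusting it. apt 2.4 refuses a Release file
# that carries no strong (SHA256) hash entries, and an empty component
# produces exactly such a file. All paths and sample contents are constructed.

# Count the file entries under one hash section (MD5Sum, SHA1 or SHA256).
# A section runs until the next line that does not start with a space.
count_hash_entries() {
    # $1 = Release file, $2 = section name
    awk -v sec="$2:" '
        $1 == sec          { in_sec = 1; next }
        /^[^ ]/            { in_sec = 0 }
        in_sec && NF == 3  { n++ }
        END                { print n + 0 }
    ' "$1"
}

# Return 0 when the file has at least one SHA256 entry (apt accepts it),
# 1 when it provides only weak or no security information.
check_release_hashes() {
    sha256=$(count_hash_entries "$1" SHA256)
    weak=$(( $(count_hash_entries "$1" MD5Sum) + $(count_hash_entries "$1" SHA1) ))
    if [ "$sha256" -gt 0 ]; then
        echo "$1: $sha256 SHA256 entries, ok"
        return 0
    elif [ "$weak" -gt 0 ]; then
        echo "$1: only MD5/SHA1 entries ($weak), apt rejects these as weak"
    else
        echo "$1: no hash entries at all, is the component empty?"
    fi
    return 1
}

# Constructed samples: a populated component and an empty one.
SAMPLES=$(mktemp -d)
GOOD="$SAMPLES/Release.good"
EMPTY="$SAMPLES/Release.empty"
printf 'Origin: XXXX\nSuite: jammy\nArchitectures: amd64\nComponents: main\n' > "$EMPTY"
{ cat "$EMPTY"; printf 'MD5Sum:\n 0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages\nSHA256:\n %s 1234 main/binary-amd64/Packages\n' "$(printf '%064d' 0)"; } > "$GOOD"

check_release_hashes "$GOOD"
check_release_hashes "$EMPTY" || echo "apt update would refuse this repository"
```

Run it against the InRelease file apt saved under /var/lib/apt/lists/partial/ to see which of the two cases produced the warning.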