microsoft / linux-package-repositories

Microsoft Packaged Linux Software (DEBs, RPMs, etc) are hosted on packages.microsoft.com (PMC) made available as native Linux repositories for use with package managers like APT, YUM, etc.
https://packages.microsoft.com
MIT License

Ubuntu repositories unable to verify Release.gpg #166

Closed trv-gunnar closed 2 months ago

trv-gunnar commented 2 months ago

**Describe the issue** When trying to mirror the prod repositories with debmirror I get errors from GPG that Release.gpg can't be verified.

```
gpgv: Signature made Tue Aug 27 19:39:44 2024 UTC
gpgv:                using RSA key EB3E94ADBE1229CF
gpgv: BAD signature from "Microsoft (Release signing) <gpgsecurity@microsoft.com>"
```

**When did the issue occur?** 2024-09-06 (6th of September).

**If applicable, what package did you attempt to install, and from which repo?** I'm mirroring these three repositories, and they all give the same errors:

  - https://packages.microsoft.com/ubuntu/20.04/prod/
  - https://packages.microsoft.com/ubuntu/22.04/prod/
  - https://packages.microsoft.com/ubuntu/24.04/prod/

Steps to Reproduce

  1. Download debmirror with `apt install debmirror`
  2. Run this debmirror script for the Ubuntu 24.04 repository:

```bash
#!/bin/bash
TMP_PATH="/tmp/debmirror"
KEYRING_NAME="trustedkeys.kbx"
KEYRING_FILE="$TMP_PATH/$KEYRING_NAME"
SLEEP_TIME=5

# Create a private keyring for gpgv so only the Microsoft key is trusted
mkdir -p "$TMP_PATH"
if ! gpg --no-default-keyring --keyring "$KEYRING_FILE" --fingerprint; then
    echo "Error: Failed to create keyring"
    exit 1
fi
export GNUPGHOME="$TMP_PATH"

# Import the Microsoft release signing key into that keyring
if ! gpg --no-default-keyring --keyring "$KEYRING_FILE" --import /srv/gpg-keys/microsoft.asc; then
    echo "Error: Failed to import GPG key"
    exit 1
fi

arch="amd64"
section="main"
release="noble"
server="packages.microsoft.com"
inPath="/ubuntu/24.04/prod"
proto="https"
outPath="/srv/repositories/daily/apt/microsoft-packages-noble"
timeout="120"

# Mirror the binary packages only (no sources); debmirror verifies Release.gpg
# against the trustedkeys keyring before accepting the index files
debmirror -a "$arch" \
    -s "$section" \
    -h "$server" \
    -d "$release" \
    -r "$inPath" \
    -t "$timeout" \
    --method="$proto" \
    --progress \
    --rsync-extra=none \
    --getcontents \
    --nosource \
    "$outPath"

debmirror_status=$?
if [[ $debmirror_status -ne 0 ]]; then
    echo "Error: Failed to mirror repository with debmirror"
    exit 1
fi

echo "Success: Mirrored repository with debmirror"
exit 0
```


**Actual Result**
debmirror can't verify the signature on the Release.gpg file.

```
Mirroring to /srv/repositories/daily/apt/microsoft-packages-focal from https://anonymous@packages.microsoft.com/ubuntu/20.04/prod/
Arches: amd64
Dists: focal
Sections: main
Pdiff mode: use
Will clean up after mirroring.
Attempting to get lock ...
Getting meta files ...
GET https://packages.microsoft.com/ubuntu/20.04/prod/dists/focal/Release ==> 200 OK (2s)
[ 0%] Getting: dists/focal/Release... #ok
GET https://packages.microsoft.com/ubuntu/20.04/prod/dists/focal/InRelease ==> 200 OK
[ 0%] Getting: dists/focal/InRelease... #ok
** GET https://packages.microsoft.com/ubuntu/20.04/prod/dists/focal/Release.gpg ==> 200 OK
[ 0%] Getting: dists/focal/Release.gpg... #ok
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED BC528686B50D79E339D3721CEB3E94ADBE1229CF 0
[GNUPG:] KEY_CONSIDERED BC528686B50D79E339D3721CEB3E94ADBE1229CF 0
[GNUPG:] BADSIG EB3E94ADBE1229CF Microsoft (Release signing) <gpgsecurity@microsoft.com>
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: can't allocate lock for '/tmp/debmirror/trustedkeys.kbx'
gpgv: Signature made Tue Aug 27 19:39:44 2024 UTC
gpgv:                using RSA key EB3E94ADBE1229CF
gpgv: BAD signature from "Microsoft (Release signing) <gpgsecurity@microsoft.com>"
.temp/.tmp/dists/focal/Release.gpg signature does not verify.
Errors:
 .temp/.tmp/dists/focal/Release.gpg signature does not verify
Failed to download some Release, Release.gpg or InRelease files!
WARNING: releasing 1 pending lock...
Error: Failed to mirror repository with debmirror
```


**Expected Result**
The Release.gpg signature should be able to verify against the microsoft.asc GPG key, and the repository should be mirrored.
This worked up until 2024-09-06, so I expect something is wrong with the GPG signature.

**Additional context**
I can't verify Release.gpg with GPG itself, either.

```bash
$ wget https://packages.microsoft.com/ubuntu/24.04/prod/dists/noble/Release
$ wget https://packages.microsoft.com/ubuntu/24.04/prod/dists/noble/Release.gpg
$ wget https://packages.microsoft.com/keys/microsoft.asc
$ gpg --import microsoft.asc
$ gpg --verify Release.gpg Release
gpg: Signature made Mon 26 Aug 2024 12:48:15 PM CEST
gpg:                using RSA key EB3E94ADBE1229CF
gpg: BAD signature from "Microsoft (Release signing) <gpgsecurity@microsoft.com>" [unknown]
```

A4M5 commented 2 months ago

I get the same error.

sdherr commented 2 months ago

Thanks for reporting this, we apparently have an incorrect cache lifetime set on Release.gpg (so not a security issue, just an infrastructure issue). We'll work to get this fixed, ETA ~24 hours.
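One way for a mirror operator to tell the cache skew described in this reply apart from a signature failure that needs a real look, as an added example that is not part of this thread or of the project's code: with a BADSIG, if the detached signature was made before the `Date:` stamped in Release and InRelease carries exactly the same Release body, then Release.gpg is out of date relative to Release rather than wrong. The Release and InRelease texts below are constructed (the `Date:` format is the RFC 2822 style Debian repositories use); the gpgv lines are the ones from the report above.

```python
# Added example for this thread, not code from the linux-package-repositories
# project. Classifies a failed Release.gpg check from the three index objects a
# mirror fetches (Release, InRelease, Release.gpg) plus gpgv's output.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def clearsigned_body(inrelease: str) -> str:
    """Text covered by an InRelease clearsign (RFC 4880 s7): strip the armor,
    the 'Hash:' header block and the '- ' dash-escaping of body lines."""
    lines = inrelease.splitlines()
    i = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while lines[i].strip():      # headers run until the first blank line
        i += 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[i + 1:end]) + "\n"

def release_date(release: str) -> datetime:
    """Date: header of a Release file, e.g. 'Fri, 06 Sep 2024 09:12:00 UTC'."""
    return parsedate_to_datetime(re.search(r"^Date: (.+)$", release, re.M).group(1))

def signature_time(gpgv_output: str) -> datetime:
    """Creation time from gpgv's 'Signature made <asctime> UTC' line."""
    m = re.search(r"Signature made (\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) UTC", gpgv_output)
    stamp = re.sub(r" +", " ", m.group(1))           # asctime pads single-digit days
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def diagnose(release: str, inrelease: str, gpgv_output: str) -> str:
    """Return 'ok', 'stale-release.gpg' (cache skew: retry later) or 'investigate'."""
    if "GOODSIG" in gpgv_output or "Good signature" in gpgv_output:
        return "ok"
    if "BADSIG" not in gpgv_output and "BAD signature" not in gpgv_output:
        return "investigate"     # missing key, ERRSIG etc. are not cache symptoms
    older_than_release = signature_time(gpgv_output) < release_date(release)
    if older_than_release and clearsigned_body(inrelease) == release:
        return "stale-release.gpg"
    return "investigate"         # Release disagrees with InRelease, or the signature is newer

# Constructed sample metadata (not real packages.microsoft.com content).
RELEASE = "Origin: example\nSuite: noble\nDate: Fri, 06 Sep 2024 09:12:00 UTC\n"
INRELEASE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + RELEASE +
             "-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n-----END PGP SIGNATURE-----\n")
GPGV_BAD = ("gpgv: Signature made Tue Aug 27 19:39:44 2024 UTC\n"
            "gpgv:                using RSA key EB3E94ADBE1229CF\n"
            'gpgv: BAD signature from "Microsoft (Release signing) <gpgsecurity@microsoft.com>"\n')

if __name__ == "__main__":
    print(diagnose(RELEASE, INRELEASE, GPGV_BAD))    # stale-release.gpg
```

In the real case the fix is on the server side, so a mirror job that sees `stale-release.gpg` should simply retry after the cache expires, while `investigate` should stop the job and be looked at.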

trv-gunnar commented 2 months ago

Good to see that it's not a security issue and that it will be fixed soon. Thank you.👍

daviddavis commented 2 months ago

The problem should be fixed now. @trv-gunnar @A4M5 can you confirm?

A4M5 commented 2 months ago

> The problem should be fixed now. @trv-gunnar @A4M5 can you confirm?

@daviddavis The problem is solved on my side, I get the packages back fine.

Thanks a lot!