oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

GPG signature verification of `Release` file fails for unknown key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6 #2133

Closed eguaj closed 1 month ago

eguaj commented 1 month ago

Hi,

I have an aptly mirroring PPA ondrej/php packages, and this morning it fails to verify the Release file signature:

$ aptly mirror update ondrej-php-jammy
Downloading http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/InRelease...
Success downloading http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/InRelease
gpgv: can't allocate lock for '/home/aptly/.gnupg/trustedkeys.gpg'
gpgv: Signature made Tue May 14 02:46:36 2024 CEST
gpgv:                using RSA key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6
gpgv: Can't check signature: No public key
gpgv: Signature made Tue May 14 02:46:36 2024 CEST
gpgv:                using RSA key 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C
gpgv: Good signature from "Launchpad PPA for Ondřej Surý"

Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keyserver.ubuntu.com --recv-keys 71DAEAAB4AD4CAB6

Sometimes keys are stored in repository root in file named Release.key, to import such key:

wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import

Downloading http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/Release...
Success downloading http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/Release
Downloading http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/Release.gpg...
Success downloading http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/Release.gpg
gpgv: can't allocate lock for '/home/aptly/.gnupg/trustedkeys.gpg'
gpgv: Signature made Tue May 14 02:46:35 2024 CEST
gpgv:                using RSA key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6
gpgv: Can't check signature: No public key
gpgv: Signature made Tue May 14 02:46:35 2024 CEST
gpgv:                using RSA key 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C
gpgv: Good signature from "Launchpad PPA for Ondřej Surý"

Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keyserver.ubuntu.com --recv-keys 71DAEAAB4AD4CAB6

Sometimes keys are stored in repository root in file named Release.key, to import such key:

wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import

ERROR: unable to update: verification of detached signature failed: exit status 2

The signature verification seems to fail because it does not know the key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6.

It seems that the Release file is signed with 2 keys, and one of them (B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6) is unknown?

Is there a key rollover planned? Should I trust this B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6 key (as I trust 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C)?

Steps to reproduce without aptly:

$ curl -o Release     http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/Release
$ curl -o Release.sig http://ppa.launchpad.net/ondrej/php/ubuntu/dists/jammy/Release.gpg
$ gpg --verify Release.sig
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'Release'
gpg: Signature made Tue May 14 02:46:35 2024 CEST
gpg:                using RSA key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6
gpg: Can't check signature: No public key
gpg: Signature made Tue May 14 02:46:35 2024 CEST
gpg:                using RSA key 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C
gpg: using pgp trust model
gpg: Good signature from "Launchpad PPA for Ond\xc5\x99ej Sur�" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
gpg: binary signature, digest algorithm SHA512, key algorithm rsa1024

oerdnj commented 1 month ago

That’s in Canonical's hands, and their rollover and the communication around it is frankly a disaster. I don’t have any more information than you do.

oerdnj commented 1 month ago

But I guess I should be happy that it’s finally happening… Because 1024-bit RSA keys should have been replaced years ago.

eguaj commented 1 month ago

Ok, thanks for the details/explanations.

It does not seem to impact apt/apt-get commands, so the problem might be only with aptly not handling multiple signatures the same way as the apt commands do (e.g. requiring all signatures to be valid instead of requiring at least one signature to be correct).

In the meantime, I'll add the B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6 key to my aptly trust store (which effectively solves my verification problem when running aptly mirror update).
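The two verification policies contrasted in the comment above, as an added example that is not aptly's or apt's own code: it groups the gpgv output quoted in this issue into one record per signature and evaluates it under a strict "every signature must verify" policy and under a "one good signature from a trusted key, and no bad signature" policy. The trusted-fingerprint set and the rejection of any BAD signature are assumptions made by this example.

```python
import re
from dataclasses import dataclass

# Constructed input: the gpgv lines from the `aptly mirror update` run quoted in this issue.
SAMPLE_GPGV_OUTPUT = """\
gpgv: Signature made Tue May 14 02:46:35 2024 CEST
gpgv:                using RSA key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6
gpgv: Can't check signature: No public key
gpgv: Signature made Tue May 14 02:46:35 2024 CEST
gpgv:                using RSA key 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C
gpgv: Good signature from "Launchpad PPA for Ondřej Surý"
"""

# Assumption: the mirror operator trusts only the long-standing Launchpad PPA key.
TRUSTED_FINGERPRINTS = {"14AA40EC0831756756D7F66C4F4EA0AAE5267A6C"}


@dataclass
class Signature:
    fingerprint: str
    status: str  # "good", "bad", "no_pubkey" or "unknown"


def parse_gpgv_output(text: str) -> list[Signature]:
    """Turn gpgv's human-readable stderr into one record per signature.

    Each 'using ... key <fpr>' line starts a new record; the following status
    line ('Good signature', 'BAD signature', 'No public key') fills it in.
    """
    sigs: list[Signature] = []
    for line in text.splitlines():
        body = line.split(":", 1)[1].strip() if ":" in line else line.strip()
        m = re.match(r"using (?:RSA|DSA|EDDSA|ECDSA) key ([0-9A-F]{16,40})", body)
        if m:
            sigs.append(Signature(m.group(1), "unknown"))
        elif sigs and body.startswith("Good signature"):
            sigs[-1].status = "good"
        elif sigs and body.startswith("BAD signature"):
            sigs[-1].status = "bad"
        elif sigs and body.startswith("Can't check signature: No public key"):
            sigs[-1].status = "no_pubkey"
    return sigs


def all_signatures_valid(sigs: list[Signature]) -> bool:
    """Strict policy (what the reporter observes in aptly): every signature must verify."""
    return bool(sigs) and all(s.status == "good" and s.fingerprint in TRUSTED_FINGERPRINTS for s in sigs)


def any_trusted_signature_valid(sigs: list[Signature]) -> bool:
    """Lenient policy (what the reporter describes for apt): one good signature from a trusted key
    suffices; an unknown key is tolerated, but a cryptographically BAD signature is never."""
    has_good = any(s.status == "good" and s.fingerprint in TRUSTED_FINGERPRINTS for s in sigs)
    return has_good and not any(s.status == "bad" for s in sigs)
```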