Debian apt failing to install #6383

Closed
monetdb-team opened this issue Nov 30, 2020 · 0 comments

Date: 2017-08-01 14:50:33 +0200
From: Ramiro Batista da Luz <>
To: buildtools devs <>
Version: 11.27.1 (Jul2017)

Last updated: 2017-08-03 13:19:50 +0200

Comment 25531

Date: 2017-08-01 14:50:33 +0200
From: Ramiro Batista da Luz <>

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build Identifier:

Following the documented instructions[1] to install monetdb on debian Stretch I got the following error:

W: The repository 'http://dev.monetdb.org/downloads/deb stretch Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.

Followed by:

https://dev.monetdb.org/downloads/deb/dists/stretch/monetdb/source/Sources gnutls_handshake() failed: Public key signature verification has failed.

It might be related to: https://wiki.debian.org/Teams/Apt/Sha1Removal

[1] - https://www.monetdb.org/downloads/deb/

Reproducible: Always

Steps to Reproduce:

  1. On a debian stretch
  2. Follow the steps in https://www.monetdb.org/downloads/deb/
    2.1: Create a file /etc/apt/sources.list.d/monetdb.list with:
    deb http://dev.monetdb.org/downloads/deb/ stretch monetdb
    deb-src http://dev.monetdb.org/downloads/deb/ stretch monetdb
    2.2: Install the MonetDB GPG public key:
    wget --output-document=- https://www.monetdb.org/downloads/MonetDB-GPG-KEY | sudo apt-key add -
    2.3: Run apt update.
    sudo apt update
  3. The error appears at the end of the update messages.

Actual Results:

It is not possible to install monetdb.

Expected Results:

Install monetdb

The monetdb repository is listed as half broken on:

https://wiki.debian.org/Teams/Apt/Sha1Removal

There are instructions to fix half broken repositories.

Fixing half-broken repositories

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.

Migrating from DSA to RSA is best done by signing the repository with two keys (old and new one) and shipping the new one to the users.

 To sign with more than one key, if using reprepro, use a space-separated list of key IDs in the conf/distributions file on the SignWith line.
 A relatively safe way to ship the key would be to embed it in the package. To embed the key in the package, export it into its own keyring, like so

     gpg --export -a YOURNEWKEYID | gpg --no-default-keyring --keyring newkeyring.gpg --import - 

 The keyring file will be created in your ~/.gnupg directory. Place it into /etc/apt/trusted.gpg.d/ directory in your package, and it will automatically be picked up by apt-key once installed by your users. 

Some months after those changes, it is OK to drop the old key from the repository and the users' machines (if shipped with a package).
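
A way to check what the "Fixing half-broken repositories" instructions quoted above ask for, as an added example that is not part of the original report or of any MonetDB or Debian tooling: it reads the OpenPGP signature packets of a detached signature such as Release.gpg and reports each signature's key and digest algorithm. The function names and the sample bytes are constructed for illustration; the algorithm IDs are those of RFC 4880.

```python
import base64

# OpenPGP algorithm IDs from RFC 4880, sections 9.1 and 9.4.
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
        9: "SHA384", 10: "SHA512", 11: "SHA224"}
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}
# Constructed sample, not a real signature: two truncated v4 signature packets
# (no MPIs) modelling a file signed by an old DSA/SHA1 and a new RSA/SHA512 key.
SAMPLE = (bytes([0x88, 10, 4, 0, 17, 2, 0, 0, 0, 0, 0xAA, 0xBB]) +
          bytes([0xC2, 10, 4, 0, 1, 10, 0, 0, 0, 0, 0xCC, 0xDD]))

def dearmor(data: bytes) -> bytes:
    """Return binary packets from binary input or one armored block (CRC not checked)."""
    if not data.lstrip().startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return data
    lines = [ln.strip() for ln in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:]   # blank line ends the armor headers
    return base64.b64decode(b"".join(l for l in body if l[:1] not in (b"=", b"-")))

def packet_header(buf: bytes, i: int):
    """Parse the packet header at offset i; return (tag, body_start, body_len)."""
    hdr, first = buf[i], buf[i + 1]       # first = first length octet
    if hdr & 0x40:                        # new-format header
        if first < 192:
            return hdr & 0x3F, i + 2, first
        if first < 224:
            return hdr & 0x3F, i + 3, ((first - 192) << 8) + buf[i + 2] + 192
        if first == 255:
            return hdr & 0x3F, i + 6, int.from_bytes(buf[i + 2:i + 6], "big")
        raise ValueError("partial body lengths are not handled")
    n = 1 << (hdr & 3)                    # old format: 1, 2 or 4 length octets
    if n == 8:
        raise ValueError("indeterminate length is not handled")
    return (hdr >> 2) & 0x0F, i + 1 + n, int.from_bytes(buf[i + 1:i + 1 + n], "big")

def signature_algorithms(data: bytes):
    """List (pubkey, digest) per signature packet; v3 stores them at 15/16, v4 at 2/3."""
    buf, i, found = dearmor(data), 0, []
    while i < len(buf):
        tag, start, length = packet_header(buf, i)
        body, i = buf[start:start + length], start + length
        if tag == 2:                      # tag 2 = signature packet
            pk, dg = (body[15], body[16]) if body[0] == 3 else (body[2], body[3])
            found.append((PUBKEY.get(pk, str(pk)), HASH.get(dg, str(dg))))
    return found

def needs_fixing(pubkey: str, digest: str) -> bool:
    """Flag what the quoted instructions call out: a non-SHA2 digest or a DSA key."""
    return digest not in SHA2 or pubkey == "DSA"
```

Feed it the bytes of a detached signature such as the repository's Release.gpg; a clearsigned InRelease file needs its signature block extracted first.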

Comment 25532

Date: 2017-08-02 10:11:25 +0200
From: @sjoerdmullender

I can reproduce the problem with installing MonetDB. We had tried on various Ubuntu systems, but not on Debian stretch.

I'll take a good look at the pointers you gave.

Comment 25542

Date: 2017-08-02 16:31:36 +0200
From: @sjoerdmullender

I have updated the MONETDB-GPG-KEY and re-signed the Release files. They currently have two signatures (old and new).

Can you please try again and report back?

You need to reimport the GPG key (there is a new one together with the old one), run apt update again, and then you should (hopefully) be able to install the packages.

Comment 25544

Date: 2017-08-02 17:20:44 +0200
From: Ramiro Batista da Luz <>

It didn't work.

Then I found a message in a debian list.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=83472415

The problem was with the libgnutls. I am sorry.

Removed the lib: libgnutls-deb0-28

Then it worked.

Thank you for your attention.

I think that the monetdb repository can now be on the Compliant List on the Debian wiki.

Comment 25546

Date: 2017-08-03 13:19:50 +0200
From: @sjoerdmullender

Thanks for the feedback. Closing the issue.
