New templates fail to install on R3.2 - UnknownSignatureType #4100

Closed
marmarek opened this Issue Jul 17, 2018 · 9 comments

marmarek commented Jul 17, 2018

Qubes OS version:

R3.2

Affected component(s):

template builder


Steps to reproduce the behavior:

sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-whonix-gw-14

Expected behavior:

Install Whonix Gateway 14 template.

Actual behavior:

[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-whonix-gw-14
Using sys-net as UpdateVM to download updates for Dom0; this may take some time...
Running command on VM: 'sys-net'...
Running command on VM: 'sys-net'...
Qubes Templates repository                       33 kB/s | 6.1 kB     00:00    
Qubes Community Templates repository            7.4 kB/s | 1.3 kB     00:00    
Last metadata expiration check: 0:00:00 ago on Tue Jul 17 18:40:18 2018.
Dependencies resolved.
================================================================================
 Package      Arch   Version            Repository                         Size
================================================================================
Installing:
 qubes-template-whonix-gw-14
              noarch 4.0.1-201807121854 qubes-templates-community-testing 533 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 533 M
Installed size: 533 M
DNF will only download packages for the transaction.
Downloading Packages:
qubes-template-whonix-gw-14-4.0.1-201807121854. 9.7 MB/s | 533 MB     00:54    
--------------------------------------------------------------------------------
Total                                           9.7 MB/s | 533 MB     00:54     
Complete!
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
*** ERROR while receiving updates:
Error while verifing qubes-template-whonix-gw-14-4.0.1-201807121854.noarch.rpm signature: /var/lib/qubes/updates/rpm/qubes-template-whonix-gw-14-4.0.1-201807121854.noarch.rpm: rsa sha1 ?UnknownSigatureType? (md5) pgp md5 NOT OK

Domain sys-net sent not signed rpm: qubes-template-whonix-gw-14-4.0.1-201807121854.noarch.rpm
--> if you want to use packages that were downloaded correctly, use yum directly now

/cc @adrelanos

@marmarek marmarek added this to the Release 3.2 updates milestone Jul 17, 2018

@marmarek marmarek self-assigned this Jul 17, 2018

marmarek commented Jul 17, 2018

[user@dom0 ~]$ rpm --verbose -K qubes-template-whonix-gw-14-4.0.1-201807121854.noarch.rpm
qubes-template-whonix-gw-14-4.0.1-201807121854.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0c8231bf: OK
    Header SHA1 digest: OK (330b84cd1d416c0963a2d8ec5dcb5c862edd24cc)
    Verify signature: BAD PARAMETERS (273 0x5a6997d45907 1 (nil) (nil))
    V4 RSA/SHA256 Signature, key ID 0c8231bf: OK
    MD5 digest: OK (ea23ba88a53c0e006aca46d31e5ee103)

273 is RPMTAG_SHA256HEADER

marmarek commented Jul 17, 2018

Looks like I need to revert to sha1 for R3.2 packages...

marmarek commented Jul 17, 2018

But, xen-4.6.6-43.fc23.x86_64.rpm works just fine, and does use SHA256:

[user@dom0 ~]$ rpm -vK /var/lib/qubes/updates/rpm/xen-4.6.6-43.fc23.x86_64.rpm 
/var/lib/qubes/updates/rpm/xen-4.6.6-43.fc23.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 03fa5082: OK
    Header SHA1 digest: OK (7e7867f8300d476d95e76580a402a926dea8a23f)
    V4 RSA/SHA256 Signature, key ID 03fa5082: OK
    MD5 digest: OK (5a5cf2a7fd4c45c401bc9c85fc11aadc)

marmarek commented Jul 18, 2018

Ok, it isn't about signature digest, but header/payload digest. Full details using rpm 4.14 (as compared to 4.13 in 3.2's dom0):

qubes-template-whonix-gw-14-4.0.1-201807121854.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0c8231bf: OK
    Header SHA1 digest: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0c8231bf: OK
    MD5 digest: OK
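
A pre-publication check for the condition diagnosed above, as an added example that is not part of the issue thread or of Qubes code: it reads the signature header index of an RPM and reports tag 273, the one rpm 4.13 answered with BAD PARAMETERS. Tag numbers follow rpm's `rpmtag.h`; the set of tags treated as unknown to the older verifier and the constructed sample input are assumptions of this example.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first 4 bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # magic + version of a header structure
LEAD_SIZE = 96

# Signature-header tag numbers as defined in rpm's rpmtag.h.
SIG_TAGS = {62: "HEADERSIGNATURES", 267: "DSA", 268: "RSA", 269: "SHA1",
            273: "SHA256", 1000: "SIZE", 1002: "PGP", 1004: "MD5",
            1005: "GPG", 1007: "PAYLOADSIZE", 1008: "RESERVEDSPACE"}
# Assumption for this example: tags the older (4.13) verifier cannot handle.
UNKNOWN_TO_OLD_RPM = {273}


def signature_tags(data):
    """Return the tag numbers listed in an RPM's signature header index."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = LEAD_SIZE
    if len(data) < off + 16 or data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # 4 reserved bytes, then entry count and data-store size (big-endian).
    count, _store_size = struct.unpack(">II", data[off + 8:off + 16])
    index_end = off + 16 + 16 * count
    if index_end > len(data):
        raise ValueError("truncated signature header index")
    # Each index entry is (tag, type, offset, count), 16 bytes.
    return [struct.unpack(">IIII", data[p:p + 16])[0]
            for p in range(off + 16, index_end, 16)]


def unsupported_tags(data, unknown=UNKNOWN_TO_OLD_RPM):
    """List (number, name) of signature tags the older verifier would reject."""
    return [(t, SIG_TAGS.get(t, "unknown"))
            for t in signature_tags(data) if t in unknown]


def build_sample(tags):
    """Constructed input: a lead plus a signature index, with no real data."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    index = b"".join(struct.pack(">IIII", t, 7, 0, 0) for t in tags)
    return (lead + HEADER_MAGIC + b"\x00" * 4
            + struct.pack(">II", len(tags), 0) + index)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, unsupported_tags(f.read(65536)))
```

Run with package paths as arguments; an empty list means the signature header carries none of the tags listed in `UNKNOWN_TO_OLD_RPM`.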

adrelanos commented Jul 18, 2018

I also was hit by this but I assumed transmission errors. Changed UpdateVM. Glad the root cause has been found!

Workaround available?

Template rebuild required after fixing this one?

marmarek commented Jul 18, 2018

> Workaround available?

It looks like I'll need to downgrade rpm-build in that VM - there is no option to force old format (without SHA256 header).

> Template rebuild required after fixing this one?

Yes.

marmarek commented Jul 18, 2018

Ok, should be good now. Rebuild R3.2 templates when you consider appropriate.

adrelanos commented Jul 19, 2018

Templates rebuilt. Testing in progress.

adrelanos commented Jul 20, 2018

Works for me.

Closeable.

@marmarek marmarek closed this Jul 20, 2018
