Provide debian/ubuntu packages with at least SHA256 digests for its signature. #1110
Comments
@andyneff Is this something we can do on our end, or does something have to be done on packagecloud? Also, would it be worth updating existing packages, or just releasing LFS v1.2 before the next Ubuntu stable release?
@bruo do you have any further details on the specific shortcoming? I don't know that the git-lfs team directly signs any packages (don't think so, but they can confirm), but packagecloud do sign the repo metadata.
... then:
Note the digest algorithm is SHA1. That's likely the problem. When packagecloud sign the repo metadata they probably need to start passing I've sent them an email to check. See also:
Hi - I work on packagecloud. Thanks for reporting this to us via our support email. We're looking into this now. Just a few notes I wanted to make about this from the packagecloud side:
We use ruby-gpgme for generating GPG signatures, so a fix might require a PR to that project -- we're still investigating. I'll update this PR when I know more.
@javabrett The Debian wiki got updated these days; to know what is happening, you can read here https://wiki.debian.org/Teams/Apt/Sha1Removal. I don't use Ubuntu, so I don't know what the status is on their side. @ice799 the issue is the digest one, your repository is "half broken". AFAIK there are no issues with any stable distribution with SHA512 digests, I've been using that in my GnuPG setup for several years already.
@bruo Unfortunately, there are a lot of bugs with APT and how it uses GPG so we'll need to be extra careful here, but thanks for letting us know that it has been working for you!
The only way I know of to make
@javabrett yes, GPGME does not support setting the digest algorithm. There's a few technical reasons why we cannot simply set a gpg config on our side. We're still working through the best way for us to solve this and we appreciate your input. I think it's likely that I'm going to write a small patch for libgpgme and ruby-gpgme to allow setting the digest.
An update: I wrote a fix that is being code reviewed and tested. I'll follow up when a fix is deployed.
Our docker files used to sign them when they generated a full repo. I didn't want to deal with hosting it, so I decided to go with PackageCloud. @ice799 Thanks for taking care of this. Is there anything we have to do on our end?
@technoweenie That confirms that git-lfs no longer performs any artifact or repo-signing, so this issue is purely related to signing provided by packagecloud. @ice799 if you have a public tracker for that we could probably close this issue.
@technoweenie The initial error message reported was about the GPG signatures on the repository metadata (which are generated by packagecloud). There is nothing on your end to be done -- we're working on a fix on our side for this. Keep in mind that packages themselves can also be GPG signed. If you want to sign them, you'd have to do this before uploading them to packagecloud. It's likely not worth signing them at this time because of the pain involved with actually enabling verification on the client side. Almost no one is going to do it. If you are curious about GPG signing packages vs GPG signing APT metadata, check out this helpful blog post which explains the difference and the meaning behind each. @javabrett sorry, we do not currently have a public issue tracker, but I suspect a fix will be deployed early next week.
OK, we pushed a fix for this and reindexed this repository. Repository metadata should be GPG signed with a signature that uses SHA256 for most recent Ubuntu and Debian releases. @bruo you should not get this error now, however, please note that git-lfs has no packages that have been uploaded for debian/stretch - so if you try to apt-get install you will get package not found. You will need to either ask @technoweenie to upload packages for debian/stretch OR install the packages for debian/jessie instead.
@ice799 yeah, I just noticed that. Anyway, that will be a different issue and the problem is fixed. (You will probably get the same request from Slack people, as it was a reported issue by Debian's "sha1 deprecation team".) Thanks to all of you for your work.
@ice799 Thanks, looks good!
Hi,
Debian [1] and Ubuntu [2] are deprecating SHA1 from APT. This breaks the packages provided by packagecloud.io, as you will get this type of error running apt-get update:
W: gpgv:/var/lib/apt/lists/packagecloud.io_github_git-lfs_debian_dists_stretch_InRelease: The repository is insufficiently signed by key F86AA916A2195E121AEDB11437BBEE3F7AD95B3F (weak digest)
This change will affect Ubuntu's stable release next month.
Thanks in advance.
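The "weak digest" warning above is about the hash algorithm recorded inside the OpenPGP signature packet on InRelease, not the `Hash:` armor header. As an added example (not code from this thread, git-lfs or packagecloud), the following Python reads that field from a clearsigned InRelease and flags the algorithms APT rejects; the sample InRelease and its two signature packets are constructed with dummy MPIs, so they parse but cannot verify.

```python
import base64, re

# RFC 4880 section 9.4 identifiers; APT's "weak digest" warning covers the first three.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

def _packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                      # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            else:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
        else:                                               # old-format header (RFC 4880 4.2.1)
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i; i += n
        yield tag, data[i:i + length]
        i += length

def signature_digests(inrelease_text):
    """Digest algorithm name of every v4 signature packet in the PGP SIGNATURE armor."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                  inrelease_text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE block found")
    b64 = "".join(l for l in m.group(1).split("\n\n", 1)[-1].splitlines()
                  if l and not l.startswith("="))          # skip armor headers and the CRC24 line
    return [HASH_ALGOS.get(pkt[3], f"unknown({pkt[3]})")
            for tag, pkt in _packets(base64.b64decode(b64))
            if tag == 2 and pkt[0] == 4]                    # v4 sig: version, type, pk algo, hash algo

def weak_digests(inrelease_text):
    return [d for d in signature_digests(inrelease_text) if d in WEAK_DIGESTS]

def _dummy_sig_packet(hash_algo):
    # Constructed old-format v4 RSA signature packet: empty subpackets, 1-bit dummy MPI.
    body = bytes([4, 1, 1, hash_algo, 0, 0, 0, 0, 0xAB, 0xCD, 0, 1, 1])
    return bytes([0x88, len(body)]) + body

# Constructed clearsigned InRelease carrying two signatures, one SHA1 and one SHA256.
SAMPLE_INRELEASE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                    "Origin: constructed-sample\nSuite: stable\nCodename: stretch\n"
                    "-----BEGIN PGP SIGNATURE-----\n\n"
                    + base64.b64encode(_dummy_sig_packet(2) + _dummy_sig_packet(8)).decode()
                    + "\n=AAAA\n-----END PGP SIGNATURE-----\n")  # "=AAAA" stands in for the CRC24
```

On a real repository, `signature_digests(open("/var/lib/apt/lists/<name>_InRelease").read())` reports what each signer used; a SHA1 entry is exactly the case the original warning describes.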