Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bad signature in Debian Stretch 9 #672

Closed
alexcernat opened this issue Aug 14, 2017 · 3 comments
Closed

Bad signature in Debian Stretch 9 #672

alexcernat opened this issue Aug 14, 2017 · 3 comments

Comments

@alexcernat
Copy link

@alexcernat alexcernat commented Aug 14, 2017

I'm trying to install kalthura-nginx on a fresh installed Debian 9 box, but the repository signature seems to be invalid.
root@test-kalthura:~# apt update
Get:1 http://installrepo.kaltura.org/repo/apt/debian mercury InRelease [1,445 B]
Ign:2 http://ftp.de.debian.org/debian stretch InRelease
Hit:3 http://security.debian.org/debian-security stretch/updates InRelease
Hit:4 http://ftp.de.debian.org/debian stretch-updates InRelease
Err:1 http://installrepo.kaltura.org/repo/apt/debian mercury InRelease
The following signatures were invalid: AD4200615722734CBBE6C52FE7EEDECAA1174D5E
Hit:5 http://ftp.de.debian.org/debian stretch Release
Reading package lists... Done
W: GPG error: http://installrepo.kaltura.org/repo/apt/debian mercury InRelease: The following signatures were invalid: AD4200615722734CBBE6C52FE7EEDECAA1174D5E
E: The repository 'http://installrepo.kaltura.org/repo/apt/debian mercury InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

The key was downloaded and included in the ring, as specified:
wget -O - http://installrepo.kaltura.org/repo/apt/debian/kaltura-deb.gpg.key|apt-key add -
echo "deb [arch=amd64] http://installrepo.kaltura.org/repo/apt/debian mercury main" > /etc/apt/sources.list.d/kaltura.list
Also the repository is the one listed in the readme.

Also tried to get the key from another server, without success.
root@test-kalthura:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E7EEDECAA1174D5E
gpg: keyserver receive failed: No data

There is a problem with the repository ?

@xXxSPYxXx

This comment has been minimized.

Copy link

@xXxSPYxXx xXxSPYxXx commented Aug 15, 2017

I think it didn`t work whis Debian 9. Compile module from source.

@jessp01

This comment has been minimized.

Copy link
Contributor

@jessp01 jessp01 commented Aug 15, 2017

Hi @xXxSPYxXx,

The error happened because sha1 is no longer accepted by Stretch's apt for repo signatures. We will generate a new SHA256 key and start using that soon.
You could bypass that check but if you already compiled it by yourself, that's fine too:)
Thanks for reporting the issue.

@jessp01 jessp01 closed this Aug 15, 2017
@jessp01

This comment has been minimized.

Copy link
Contributor

@jessp01 jessp01 commented Aug 15, 2017

Hi @xXxSPYxXx,

The below explanation is a bit long so don't feel compelled to read it, especially since you've already compiled the module yourself:) I'll provide it anyhow, in case you're interested and for the benefit of other Debian Stretch users.

Like I wrote before, the specific error you got stems from the fact that, starting from Stretch, SHA1 keys are no longer supported. Starting with the next version, we will be signing our packages with a SHA256 key.

However, the kaltura-nginx package from our repos will not work with Debian Stretch for other reasons.
Our kaltura-nginx deb packages are built and tested on Ubuntu ENVs and depend on packages that are either not available in the Stretch repos or are of different versions than the ones available there.

For example, the kaltura-ffmpeg package, which kaltura-nginx depends on, requires libschroedinger and libopenjpeg5. These exist in the Jessie repos [which is why the same deb can be deployed on Jessie] but are not available in the Stretch repo.
There are additional required packages which are not available in the Stretch repo but you get the idea..

Also, Stretch has libssl of version libssl1.0.2 and libssl1.1, whereas our kaltura-nginx package built for Ubuntu 16.04, requires libssl1.0.0.

And so, the kaltura-nginx package from http://installrepo.kaltura.org/repo/apt/debian will work with Debian Wheezy [7] and Debian Jessie [8], as stated in the README but not with Stretch [9].

That said, the package specs for all our packages are available so, if you wanted to, with some adjustments, you could build your own deb packages for Stretch based on these specs.
The kaltura-nginx files needed to build the deb package are available here:
https://github.com/kaltura/platform-install-packages/tree/Mercury-13.1.0/deb/kaltura-nginx/debian
the ones for kaltura-ffmpeg are here:
https://github.com/kaltura/platform-install-packages/tree/Mercury-13.1.0/deb/kaltura-ffmpeg/debian

Note that the Nginx VOD module only requires ffmpeg for the following features:

  • Thumbnail capture
  • Audio filtering (for changing playback rate / gain) - depends on ffmpeg and also on libfdk_aac. Due to licensing issues, libfdk_aac is not built into kaltura ffmpeg packages

If you don't require one of these, you can build the Nginx package without ffmpeg and if you have Nginx >= 1.9.11, you can also compile the VOD module as an SO and dynamically load it.
All that info is covered in more detail in this repo's README.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
You can’t perform that action at this time.