Repo: Weak digest & Invalid signatures #5055
We currently have 1024-bit DSA, which is weak. Ubuntu 16.04 wants to see at least 2048-bit RSA.
Expired key may be a different issue. Investigating. |
Hi,
|
@jnweiger: I found out how to fix the expired key. You can update the keys; first check the expired keys:
Now update the key from a keyserver: Then it downloads new signatures and the expired-key warning disappears. Two things to solve:
|
@tflidd osc signkeys --create isv:owncloud should do that. It is up to the OBS to create proper release keys. |
We can do that ourselves. Question: will this result in key change warnings, vendor change errors or other nasty issues when we do that? |
Regarding the expired aspect: The key was already extended in 2015.
:signature packet: algo 17, keyid 977C43A8BA684223
        version 4, created 1423491668, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 29 39
        hashed subpkt 2 len 4 (sig created 2015-02-09)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 9 len 4 (key expires after 5y72d4h15m)
2015-02-09 + 5y72d4h15m would be very far in the future. Compare apt-key:
apt-key list | grep BA684223
pub   1024D/BA684223 2012-02-08 [expires: 2017-04-19]
My understanding now is:
Expiration seems to be a non-issue here. Removing the misleading "(Key expired)" from the subject. |
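Added example, not code from this thread or from the ownCloud/OBS projects: it audits a keyring the way apt on Ubuntu 16.04 judges the keys discussed in this issue (1024-bit DSA, expiry) and recomputes the expiry from the packet fields quoted above, showing that the key-expiration subpacket counts from the key's creation time (RFC 4880 section 5.2.3.6), which is why apt-key reports 2017-04-19. The sample --with-colons output is constructed (field layout per gnupg's doc/DETAILS); the second key ID in it is made up.

```python
import re
from datetime import datetime, timezone

ALGO_NAMES = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880 / RFC 6637 IDs
MIN_BITS = 2048  # apt >= 1.2 (Ubuntu 16.04) treats 1024-bit DSA, which forces SHA-1, as weak

def gpg_duration_to_seconds(text):
    """'5y72d4h15m' as printed by gpg --list-packets -> seconds (gpg counts 1y = 365d)."""
    units = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([ydhms])", text))

def key_expiry(base_epoch, duration):
    """Expiry date when `duration` is added to `base_epoch`. RFC 4880 5.2.3.6 says
    the key-expiration subpacket counts from the KEY's creation time, so passing
    the self-signature's creation time instead gives a misleadingly late date."""
    exp = base_epoch + gpg_duration_to_seconds(duration)
    return datetime.fromtimestamp(exp, timezone.utc).strftime("%Y-%m-%d")

def parse_pub_records(colons_output):
    """Yield (keyid, bits, algo, expires_epoch_or_None) for each 'pub' record."""
    for line in colons_output.splitlines():
        f = line.split(":")  # field layout per gnupg doc/DETAILS
        if f[0] == "pub":
            yield f[4], int(f[2]), ALGO_NAMES.get(int(f[3]), "algo" + f[3]), (int(f[6]) if f[6] else None)

def audit_keyring(colons_output, now_epoch):
    """Return {keyid: [findings]} for keys apt would reject or warn about at now_epoch."""
    findings = {}
    for keyid, bits, algo, expires in parse_pub_records(colons_output):
        problems = []
        if algo in ("RSA", "DSA") and bits < MIN_BITS:
            problems.append("weak: %d-bit %s" % (bits, algo))
        if expires is not None and expires <= now_epoch:
            problems.append("expired: " + datetime.fromtimestamp(expires, timezone.utc).strftime("%Y-%m-%d"))
        if problems:
            findings[keyid] = problems
    return findings

# Constructed sample in `gpg --with-colons --list-keys` format. The first record mirrors
# the 1024D/BA684223 key from the apt-key output in this thread (created 2012-02-08,
# expires 2017-04-19); the second is a made-up 4096-bit RSA key with no expiry.
SAMPLE_COLONS = """\
pub:e:1024:17:977C43A8BA684223:1328659200:1492560000::-:::scESC::::::23::0:
uid:e::::1328659200::0000000000000000000000000000000000000000::constructed uid <nobody@example.invalid>::::::::::0:
pub:-:4096:1:0123456789ABCDEF:1450000000:::-:::scESC::::::23::0:
"""

if __name__ == "__main__":
    print(audit_keyring(SAMPLE_COLONS, now_epoch=1514764800))   # at 2018-01-01: weak + expired
    print(key_expiry(1423491668, "5y72d4h15m"))  # from the self-sig's creation: 2020-04-20
    print(key_expiry(1328659200, "5y72d4h15m"))  # from the key's creation: 2017-04-19, as apt-key shows
```

Run against real output of gpg --with-colons --list-keys (or apt-key adv --with-colons --list-keys) to find every key apt would reject before users hit the "weak digest" or "cannot be authenticated" errors.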
@crrodriguez Please evaluate downsides of changing the key and move forward here.
|
@crrodriguez ping? |
@jnweiger My take is: we do not create new signing keys, we just --extend them. We need to do this only every few years or when something goes horribly wrong. |
That might help to avoid recurring bug reports like #5156 where people missed that they need to renew keys manually. |
@crrodriguez we have two issues mixed up here. One is expiry, the other is weakness. What is the effort to create an owncloud-archive-keyring? |
Hello all, |
@thackert Expired keys can be easily solved if you re-import the already renewed keys from https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client This is something you need to actively do until something like what is suggested here is provided: #5055 (comment) |
@RealRancor It seems you either got me wrong or I have not expressed my concern clearly enough ... :( Either way: I have been seeing this "weak key" message on my system for a long time, and I want to get it fixed, if possible asap ... ;) But in this bug report there are two different bugs: one for the expired key, one for the weak one (this was also mentioned by @jnweiger on July 13th and 8 days ago). And if you want to start nitpicking, it is also about Ubuntu (as mentioned in @tflidd's first report) and Linux Mint (reported by @psyray on July 14th) and Debian (reported by me). The question for me now is: is this bug about the expired key (where you can use tflidd's instruction from his comment on August 16th to get a new key; but this would not solve the problem with the weak key warning from apt-get ...) or about the weak key used to sign the Debian (based) packages with a 1024-bit key instead of a 2048-bit one? What would be the correct way to handle this? Leave this bug open, but open one for the weak algorithm for all Debian-based systems and make it dependent on this bug? Wait until apt will no longer install any owncloud-client packages because of this weak key (though Julian K. wrote in his blog that this should not happen (see https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/), but what would happen if the Debian people change this in a couple of months / years)? Do you understand my concerns now? |
@thackert Yes, the issue here is about "weak key/weak signature". Everything else like the expired key is unrelated to this issue and shouldn't be discussed in here. If you want to express that you're affected by the "weak key/weak signature" issue you can just use the emoticon icon at the first post and use the thumbs up button. This avoids that the issue gets flooded with comments as the issue is known and just needs to be fixed by someone who knows how to fix it. :-) |
And also:
If people are not following the steps explained at https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client they shouldn't wonder why they are getting such results. :-) |
Thanks @joaonl! |
@treuss For setup help I suggest to jump over to https://central.owncloud.org/. It is not the goal to give setup-specific support in an issue tracker. |
If you know the missing key ID, you can also try to get it from a keyserver: |
I think it's time to lock this issue to collaborators. It's just one huge mess (43+ comments) with tons of various issues mixed in one. |
@RealRancor thanks for your help. |
Bad reproducer Dockerfile:
FROM centos:centos7
RUN yum install -y wget
RUN rpm --import http://download.opensuse.org/repositories/isv:/ownCloud:/desktop//CentOS_7/repodata/repomd.xml.key
RUN wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7/isv:ownCloud:desktop.repo -O /etc/yum.repos.d/isv:ownCloud:desktop.repo
RUN yum clean all && yum install -y owncloud-client
still fails. Error messages are:
The GPG keys listed for the "The ownCloud Desktop Client (CentOS_7)" repository are already installed but they are not correct for this package. |
I've triggered a rebuild of opt-libqt5keychain1-0.7.0-9.1 and now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm -- I assume rebuilding all is to be done. |
sounds like a victory! 🎉 |
https://github.com/owncloud/enterprise/issues/1617 should have fixed this problem |
Confirmed! The above CentOS7 reproducer is now silent. |
Hi, can't access owncloud/enterprise#1617 - Where is this fixed/what steps need to be taken? |
@shpetros Just re-import the key as shown at the desktop client install page. If you need further help please see https://owncloud.org/support/ where to get such help. |
Yiipiieaaayeah!!! 😃 Maybe this helps the guys who followed exactly the ownCloud installation steps from openSUSE, but who had, like myself, still the "packages cannot be authenticated" error. ;) I'm no certificate specialist, but after having read through the whole thread and tried over and over again the specified installation procedure, I began to delete the "right" key from my apt-key list, but instead of re-importing the right one right away, I checked the list again... and what did I see? Another "old" key appeared in the listing which wasn't there before! So, this was the method to solve my issue: 1° Uninstall owncloud-client completely: Et voilà! 😃 @rloutrel: Thanks for pointing to the key deletion! Greetz OS: Ubuntu 16.04 LTS 64-bit |
I did all of the recommended fixes and I am still getting the error on Ubuntu 16.04! The key is there and valid, but the packages still cannot be authenticated. Not to mention that my keychain is still not detected, on a fresh install, which was the reason to migrate to the openSUSE repo in the first place. Classic ownCloud! |
@FlorianFranzen The keys are valid and known to work for a wide range of users. So either you're importing the wrong key, you're missing a step or something else is broken in your environment. Please note that this is a bugtracker and no support channel. It's best to jump over to a forum dedicated to your distro where they might be able to help you sort this out. |
@RealRancor: Challenge accepted. Let's turn this into a real bug report. This is my apt key and source setup:
My apt cache is up to date:
And this is what happens when I try to install the owncloud-client:
So it seems like no matter if I follow the official instructions or any of the instructions here, I run into a problem. Weirdly the Release file is signed properly if I check it by hand:
Also, I did a quick check of some of the checksums (Packages, Packages.gz and the deb itself) and they all check out. I guess there is an important step missing to get apt back on track once you run into this problem. |
@FlorianFranzen As explained this is a bugtracker, no support channel. The initial issue here is closed/solved as the new keys with a proper signature were deployed. |
@RealRancor The issue described here is not fixed and can still linger if the incorrect Release file was downloaded before. I think this is highly relevant. Back on topic: The problem is that the Release file does not look changed to apt and therefore is not updated locally. This is either a bug in apt or more likely a bug in the way openSUSE or one of their German mirrors set up their package server or HTML caching. I was able to fix it by removing the package source, followed by running |
It really shouldn't be hard to understand that the issue originally reported here IS fixed. To sum up, so that you can understand:
Everything else doesn't belong in here. @jnweiger @crrodriguez Please lock here to avoid that this issue gets longer and longer where the initial issue is already solved. People are mixing too many issues in here. |
@RealRancor The title is "Weak digest & Invalid signatures". Enough said. |
Yeah, and these are solved as already explained twice. Weak digest: the key was updated with a new signature algorithm. It might help to read (and understand) the actual report and not only the title. If you think there are any additional issues which need to be fixed, create a new bug report. |
@FlorianFranzen @RealRancor I created #5287 to track the |
open-suse-repo on Ubuntu 16.04: package manager (apt-get) shows this error: