W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7 #124

Open
krichter722 opened this Issue Jul 31, 2017 · 12 comments

@krichter722
Contributor

krichter722 commented Jul 31, 2017

After following the Debian repository setup instructions which succeeded with

```
> sudo apt-key advanced --keyserver pgp.net.nz --recv-keys 03D886E7
Executing: /tmp/apt-key-gpghome.vH6fRogMVF/gpg.1.sh --keyserver pgp.net.nz --recv-keys 03D886E7
gpg: key 1F968B3903D886E7: "Michael Peter Christen <mc@yacy.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
```

`sudo apt-get update` fails due to

```
W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7
W: The repository 'http://debian.yacy.net ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

Furthermore accessing the repository through HTTPS in a browser fails because the certificate is untrusted. Trusted certificates are free to obtain and easy to maintain from initiatives like letsencrypt.org and state-of-the-art.

@Gitju


Gitju commented Aug 13, 2017

  1. True for the step `wget http://debian.yacy.net/yacy_orbiter_key.asc -O- | apt-key add -` in the wiki.

  2. Since Debian 9: "On the security side, APT now rejects weaker checksums by default (e.g. SHA1) and attempts to download as an unprivileged user"
    https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.html
    And if I check I get
    `gpg: binary signature, digest algorithm SHA1, key algorithm rsa2048`

Edit 1: Missing HTTPS also at the startpage, for example the links to download
http://yacy.net/release/yacy_v1.92_20161226_9000.exe
http://yacy.net/release/yacy_v1.92_20161226_9000.tar.gz
http://yacy.net/release/yacy_v1.92_20161226_9000.dmg

Edit 2: Wanted to register an account in the YaCy Wiki to edit the entries but my registration was refused so someone else must do this :)
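
The `digest algorithm SHA1` finding in the comment above can be read straight from the header of an OpenPGP signature packet. The following is an added example, not part of the thread or of the YaCy project: it parses signature packets as laid out in RFC 4880 and returns each signature's digest algorithm. `SAMPLE_SHA1` is a constructed packet header and all function names are illustrative.

```python
import base64

# Hash algorithm IDs from RFC 4880 section 9.4
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Constructed sample: only the header fields of a v4 RSA/SHA1 signature
# packet (old-format tag byte 0x88, length 6). Not a verifiable signature.
SAMPLE_SHA1 = bytes([0x88, 6, 4, 0x00, 1, 2, 0, 0])

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.decode("ascii").strip().splitlines()]
    body = lines[lines.index("") + 1:-1]   # after armor headers, before END
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data: bytes):
    """Yield (tag, body) for each definite-length packet."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                   # new-format header
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                n, i = o1, i + 2
            elif o1 < 224:
                n, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                              # old-format header
            tag, size = (first >> 2) & 0x0F, 1 << (first & 3)
            if size == 8:
                raise ValueError("indeterminate length is not handled")
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def signature_digests(data: bytes) -> list:
    """Digest algorithm name of every signature packet (tag 2) in data."""
    # the hash ID sits at body[3] in v4 signatures and body[16] in v3
    ids = [b[{3: 16, 4: 3}[b[0]]] for t, b in packets(dearmor(data)) if t == 2]
    return [HASH_NAMES.get(a, f"unknown({a})") for a in ids]
```

To inspect a real repository, pass the bytes of its detached `Release.gpg` file to `signature_digests`.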

@luccioman


Member

luccioman commented Aug 15, 2017

I also have the problem since upgrading from Debian Jessie to Stretch.

It looks like these points will require some action from @Orbiter

@chris-blues


chris-blues commented Sep 18, 2017

Same here. Is anyone ever going to fix this???

@luccioman


Member

luccioman commented Oct 24, 2017

As an alternative I've set up a Debian repository on JFrog Bintray to distribute YaCy developer releases (including recent changes made after the latest stable official 1.92/9000 release).

With the following steps (as root or with sudo) you should be able to install a recent YaCy version (1.921.9232 when writing this) without error on a Debian Stretch :

  • install the Bintray GPG key :
    `wget -qO - https://bintray.com/user/downloadSubjectPublicKey?username=bintray | apt-key add -`
  • add the developer repository to your repositories, for example in a yacy.list file :
    `echo "deb https://dl.bintray.com/luccioman/yacy_search_server stretch main" > /etc/apt/sources.list.d/yacy.list`
  • update with apt :
    `apt-get update`
  • install yacy :
    `apt-get install yacy`

Note for an eventual upgrade from YaCy 1.92/9000 : authentication method changed from Basic HTTP to Digest HTTP (see default configuration file /usr/share/yacy/defaults/web.xml). This makes the password encoding different : so when upgrading from YaCy version 1.92.9000 or lower, please run 'dpkg-reconfigure yacy' after the upgrade to enter again and thus re-encode your YaCy administrator password.

Feedback will be welcome!

@chris-blues


chris-blues commented Nov 1, 2017

Thanks! Will take a look at it, when I find the time and quiet...

@avh-on1


avh-on1 commented Feb 18, 2018

@luccioman

> As an alternative I've set up a Debian repository on JFrog

Just tried it and seems to work great!
This YaCy package worked for global search, but no pages that I crawled were indexed. I tried several different sites, and after crawling tens of thousands of pages, my index still had 0 documents.

I uninstalled the package and installed the current 1.92/9000 build for Linux from the tarball on yacy.net, and did not have the same problem.

@luccioman


Member

luccioman commented Feb 22, 2018

@avh-on1 , thanks for your report. That's rather strange : did you notice any error message or any error entries in the log?
Would you like to try running the yacy_v1.921_20180102_9513.tar.gz tarball (at Release_1.921.9513-dev ) which is equivalent to the Debian package hosted on JFrog bintray ?

@r4dh4l


r4dh4l commented Nov 6, 2018

Unfortunately the problem still exists:

```
root@deb9.5:~# apt-key advanced --keyserver pgp.net.nz --recv-keys 03D886E7
Executing: /tmp/apt-key-gpghome.OYUE5rdQAZ/gpg.1.sh --keyserver pgp.net.nz --recv-keys 03D886E7
gpg: key 1F968B3903D886E7: "Michael Peter Christen <mc@yacy.net>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
root@deb9.5:~# apt update
...
Reading package lists... Done
W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7
E: The repository 'http://debian.yacy.net ./ Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@deb9.5:~# cat /etc/debian_version
9.5
root@deb9.5:~#
```

I would recommend adding a note to http://wiki.yacy.net/index.php/En:DebianInstall until this problem is fixed. I'm very fascinated by the YaCy project but don't dare to recommend it if the official Debian installation does not work.

Anyway: Thx for YaCy!

@r4dh4l


r4dh4l commented Nov 8, 2018

@luccioman

> As an alternative I've set up a Debian repository on JFrog Bintray to distribute YaCy developer releases (including recent changes made after the latest stable official 1.92/9000 release).
>
> With the following steps (as root or with sudo) you should be able to install a recent YaCy version (1.921.9232 when writing this) without error on a Debian Stretch :
>
> * install the Bintray GPG key :
>   `wget -qO - https://bintray.com/user/downloadSubjectPublicKey?username=bintray | apt-key add -`
>
> * add the developer repository to your repositories, for example in a yacy.list file :
>   `echo "deb https://dl.bintray.com/luccioman/yacy_search_server stretch main" > /etc/apt/sources.list.d/yacy.list`
>
> * update with apt :
>   `apt-get update`
>
> * install yacy :
>   `apt-get install yacy`
>
> Note for an eventual upgrade from YaCy 1.92/9000 : authentication method changed from Basic HTTP to Digest HTTP (see default configuration file /usr/share/yacy/defaults/web.xml). This makes the password encoding different : so when upgrading from YaCy version 1.92.9000 or lower, please run 'dpkg-reconfigure yacy' after the upgrade to enter again and thus re-encode your YaCy administrator password.
>
> Feedback will be welcome!

yacy_v1.92_20161226_9000.tar.gz "collapsed" on my Debian9 VM after some minutes, so thank you very, very much for providing an alternative Debian package!

One problem: Using yacy_v1.92_20161226_9000.tar.gz I could "import" my Let's Encrypt certificates as described by @Scarfmonster in #194 (comment), but with your package `/var/lib/yacy/SETTINGS/yacy.conf` does not seem to recognize `pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12`. My browser always reports:

my.ddns.net:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name my.ddns.net. Error code: SEC_ERROR_UNKNOWN_ISSUER

while https://my.lan.server.ip:8443/ works with the self-signed certificate created by YaCy.

So instead of pointing to DATA/SETTINGS/keystore.pkcs12 I wanted to replace the self-signed certificate of YaCy directly - any idea where it is located?

@luccioman


Member

luccioman commented Nov 12, 2018

@r4dh4l if you set the entry `pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12` in your `/var/lib/yacy/SETTINGS/yacy.conf` configuration file, the keystore.pkcs12 file has to be at `/var/lib/yacy/SETTINGS/keystore.pkcs12`.
But you are probably missing one additional step that does not appear in Scarfmonster's instructions. You should check your log file and look if an error is reported, probably something starting like `SERVER Unable to import certificate from import file 'DATA/SETTINGS/keystore.pkcs12'.` with details on the next lines.
The missing step for a YaCy install from a Debian package is that you also have to change the `keyStore=defaults/freeworldKeystore` entry. I mean the YaCy process has no write permission to the files in folder `/usr/share/yacy/defaults/` including the `/usr/share/yacy/defaults/freeworldKeystore`. All these default configuration files are owned by root and not modifiable by the application itself, and this is a good thing regarding security and package upgrades management.

To conclude, what you probably have to do is to modify the entry with something like `keyStore=DATA/SETTINGS/keystore.jks` and eventually also modify the `keyStorePassword=freeworld` if you wish.

@r4dh4l


r4dh4l commented Nov 15, 2018

> But you are probably missing one additional step that does not appear in Scarfmonster's instructions. You should check your log file and look if an error is reported, probably something starting like `SERVER Unable to import certificate from import file 'DATA/SETTINGS/keystore.pkcs12'.` with details on the next lines.
> The missing step for a YaCy install from a Debian package is that you also have to change the `keyStore=defaults/freeworldKeystore` entry. I mean the YaCy process has no write permission to the files in folder `/usr/share/yacy/defaults/` including the `/usr/share/yacy/defaults/freeworldKeystore`. All these default configuration files are owned by root and not modifiable by the application itself, and this is a good thing regarding security and package upgrades management.
>
> To conclude, what you probably have to do is to modify the entry with something like `keyStore=DATA/SETTINGS/keystore.jks` and eventually also modify the `keyStorePassword=freeworld` if you wish.

Thank you very much @luccioman.

`cp /usr/share/yacy/defaults/freeworldKeystore /var/lib/yacy/SETTINGS/ && chown yacy:yacy /var/lib/yacy/SETTINGS/freeworldKeystore && ls -la /var/lib/yacy/SETTINGS/`

and setting `keyStore=DATA/SETTINGS/freeworldKeystore` in `/var/lib/yacy/SETTINGS/yacy.conf` did the trick.

But may I ask anyway:

  1. Why did you suggest keystore.jks instead of freeworldKeystore?
  2. Why should I change keyStorePassword=freeworld? It seems like freeworldKeystore is encrypted with this password so I would need to re-encrypt freeworldKeystore with the new password, wouldn't I?
@luccioman


Member

luccioman commented Nov 16, 2018

@r4dh4l you can name your custom Java keystore as you wish, I suggested keystore.jks file name just as an example to distinguish it from the default freeworldKeystore.
What really matters when you want to import a pkcs12 keystore at YaCy startup, is to configure the keyStore= property with a path with write permissions for the YaCy server process.

About the keyStorePassword= property : when you import a pkcs12 keystore (by setting a value for property pkcs12ImportFile= and restarting YaCy), a completely new Java keystore (JKS format) is written at the target path configured with keyStore=, and it is encrypted with the password provided by property keyStorePassword=. So again you can keep the default password, or choose a custom one. Of course once the pkcs12 import has been successfully done, it does not make sense to change the value of the keyStorePassword= alone.
