W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7 #124

Closed
krichter722 opened this issue Jul 31, 2017 · 18 comments


@krichter722
Contributor

After following the Debian repository setup instructions which succeeded with

```
> sudo apt-key advanced --keyserver pgp.net.nz --recv-keys 03D886E7
Executing: /tmp/apt-key-gpghome.vH6fRogMVF/gpg.1.sh --keyserver pgp.net.nz --recv-keys 03D886E7
gpg: key 1F968B3903D886E7: "Michael Peter Christen <mc@yacy.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
```

sudo apt-get update fails due to

```
W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7
W: The repository 'http://debian.yacy.net ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

Furthermore accessing the repository through HTTPS in a browser fails because the certificate is untrusted. Trusted certificates are free to obtain and easy to maintain from initiatives like letsencrypt.org and state-of-the-art.

@Gitju

Gitju commented Aug 13, 2017

  1. True for the step `wget http://debian.yacy.net/yacy_orbiter_key.asc -O- | apt-key add -` in the wiki.

  2. Since Debian 9: "On the security side, APT now rejects weaker checksums by default (e.g. SHA1) and attempts to download as an unprivileged user"
    https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.html
    And if I check I get
    `gpg: binary signature, digest algorithm SHA1, key algorithm rsa2048`

Edit 1: Missing HTTPS also at the startpage, for example the links to download
http://yacy.net/release/yacy_v1.92_20161226_9000.exe
http://yacy.net/release/yacy_v1.92_20161226_9000.tar.gz
http://yacy.net/release/yacy_v1.92_20161226_9000.dmg

Edit 2: Wanted to register an account in the YaCy Wiki to edit the entries but my registration was refused so someone else must do this :)
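
The check Gitju describes can be scripted. This is an added example, not part of the thread or of YaCy: it reads `gpg --list-packets` output and flags signatures made with a digest that the example treats as weak (MD5, SHA1, RIPEMD160, an assumption modelled on the release note quoted above). The sample packets are constructed; only the first key ID and its SHA1 digest come from this thread.

```shell
#!/bin/sh
# Added example: audit the digest algorithm of OpenPGP signature packets.
# Input on stdin: output of `gpg --list-packets Release.gpg`.
# Digest IDs follow the OpenPGP registry (RFC 4880); treating MD5, SHA1 and
# RIPEMD160 as weak is this example's assumption.

digest_name() {
    case "$1" in
        1) echo MD5 ;;      2) echo SHA1 ;;    3) echo RIPEMD160 ;;
        8) echo SHA256 ;;   9) echo SHA384 ;;  10) echo SHA512 ;;
        11) echo SHA224 ;;  *) echo "unknown($1)" ;;
    esac
}

# Prints "<keyid> <digest> weak|ok" per signature; returns 1 if any is weak.
audit_sig_digests() {
    awk '/^:signature packet:/ { keyid = $NF }
         $1 == "digest" && $2 == "algo" { a = $3; sub(/,/, "", a); print keyid, a }' |
    (
        rc=0
        while read -r keyid algo; do
            name=$(digest_name "$algo")
            case "$name" in
                MD5|SHA1|RIPEMD160) verdict=weak; rc=1 ;;
                *) verdict=ok ;;
            esac
            echo "$keyid $name $verdict"
        done
        exit "$rc"
    )
}

# Constructed sample in the shape of `gpg --list-packets` output. The first key
# ID and its SHA1 digest are the ones reported in this thread; the second
# packet is invented for contrast.
SAMPLE_PACKETS=':signature packet: algo 1, keyid 1F968B3903D886E7
    version 4, created 1482710400, md5len 0, sigclass 0x00
    digest algo 2, begin of digest 5c 3e
:signature packet: algo 1, keyid 00000000DEADBEEF
    version 4, created 1482710400, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 9a 01'

printf '%s\n' "$SAMPLE_PACKETS" | audit_sig_digests || echo "weak digest found"
```

Against a real repository, pipe `gpg --list-packets Release.gpg` into `audit_sig_digests` instead of the sample.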

@luccioman
Member

I also have the problem since upgrading from Debian Jessie to Stretch.

It looks like these points will require some action from @Orbiter

@chris-blues

Same here. Is anyone ever going to fix this???

@luccioman
Member

As an alternative I've set up a Debian repository on JFrog Bintray to distribute YaCy developer releases (including recent changes made after the latest stable official 1.92/9000 release).

With the following steps (as root or with sudo) you should be able to install a recent YaCy version (1.921.9232 when writing this) without error on a Debian Stretch :

* install the Bintray GPG key :
  `wget -qO - https://bintray.com/user/downloadSubjectPublicKey?username=bintray | apt-key add -`

* add the developer repository to your repositories, for example in a yacy.list file :
  `echo "deb https://dl.bintray.com/luccioman/yacy_search_server stretch main" > /etc/apt/sources.list.d/yacy.list`

* update with apt :
  `apt-get update`

* install yacy :
  `apt-get install yacy`

Note for an eventual upgrade from YaCy 1.92/9000 : authentication method changed from Basic HTTP to Digest HTTP (see default configuration file /usr/share/yacy/defaults/web.xml). This makes the password encoding different : so when upgrading from YaCy version 1.92.9000 or lower, please run 'dpkg-reconfigure yacy' after the upgrade to enter again and thus re-encode your YaCy administrator password.

Feedback will be welcome!

@chris-blues

Thanks! Will take a look at it, when I find the time and quiet...

@AVHon

AVHon commented Feb 18, 2018

@luccioman

> As an alternative I've set up a Debian repository on JFrog

Just tried it and seems to work great!
This YaCy package worked for global search, but no pages that I crawled were indexed. I tried several different sites, and after crawling tens of thousands of pages, my index still had 0 documents.

I uninstalled the package and installed the current 1.92/9000 build for Linux from the tarball on yacy.net, and did not have the same problem.

@luccioman
Member

@avh-on1 , thanks for your report. That's rather strange : did you notice any error message or any error entries in the log?
Would you like to try running the yacy_v1.921_20180102_9513.tar.gz tarball (at Release_1.921.9513-dev ) which is equivalent to the Debian package hosted on JFrog bintray ?

@r4dh4l

r4dh4l commented Nov 6, 2018

Unfortunately the problem still exists:

```
root@deb9.5:~# apt-key advanced --keyserver pgp.net.nz --recv-keys 03D886E7
Executing: /tmp/apt-key-gpghome.OYUE5rdQAZ/gpg.1.sh --keyserver pgp.net.nz --recv-keys 03D886E7
gpg: key 1F968B3903D886E7: "Michael Peter Christen <mc@yacy.net>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
root@deb9.5:~# apt update
...
Reading package lists... Done
W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7
E: The repository 'http://debian.yacy.net ./ Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@deb9.5:~# cat /etc/debian_version
9.5
root@deb9.5:~#
```

I would recommend adding information to http://wiki.yacy.net/index.php/En:DebianInstall until this problem is fixed. I'm very fascinated by the YaCy project but don't dare to recommend it if the official Debian installation does not work.

Anyway: Thx for YaCy!

@r4dh4l

r4dh4l commented Nov 8, 2018

@luccioman

> As an alternative I've set up a Debian repository on JFrog Bintray to distribute YaCy developer releases (including recent changes made after the latest stable official 1.92/9000 release).
>
> With the following steps (as root or with sudo) you should be able to install a recent YaCy version (1.921.9232 when writing this) without error on a Debian Stretch :
>
> * install the Bintray GPG key :
>   `wget -qO - https://bintray.com/user/downloadSubjectPublicKey?username=bintray | apt-key add -`
>
> * add the developer repository to your repositories, for example in a yacy.list file :
>   `echo "deb https://dl.bintray.com/luccioman/yacy_search_server stretch main" > /etc/apt/sources.list.d/yacy.list`
>
> * update with apt :
>   `apt-get update`
>
> * install yacy :
>   `apt-get install yacy`
>
> Note for an eventual upgrade from YaCy 1.92/9000 : authentication method changed from Basic HTTP to Digest HTTP (see default configuration file /usr/share/yacy/defaults/web.xml). This makes the password encoding different : so when upgrading from YaCy version 1.92.9000 or lower, please run 'dpkg-reconfigure yacy' after the upgrade to enter again and thus re-encode your YaCy administrator password.
>
> Feedback will be welcome!

yacy_v1.92_20161226_9000.tar.gz "collapsed" on my Debian9 VM after some minutes, so thank you very, very much for providing an alternative Debian package!

One problem: Using yacy_v1.92_20161226_9000.tar.gz I could "import" my Let's Encrypt certificates as described by @Scarfmonster in #194 (comment) but with your package /var/lib/yacy/SETTINGS/yacy.conf does not seem to recognize pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12. My browser always reports:

my.ddns.net:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name my.ddns.net. Error code: SEC_ERROR_UNKNOWN_ISSUER

while https://my.lan.server.ip:8443/ works with the self-signed certificate created by YaCy.

So instead of pointing to DATA/SETTINGS/keystore.pkcs12 I wanted to replace the self-signed certificate of YaCy directly - any idea where it is located?

@luccioman
Member

@r4dh4l if you set the entry pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12 in your /var/lib/yacy/SETTINGS/yacy.conf configuration file, the keystore.pkcs12 file has to be at /var/lib/yacy/SETTINGS/keystore.pkcs12.
But you are probably missing one additional step that does not appear in Scarfmonster's instructions. You should check your log file and look if an error is reported, probably something starting like SERVER Unable to import certificate from import file 'DATA/SETTINGS/keystore.pkcs12'. with details on the next lines.
The missing step for a YaCy install from a Debian package is that you also have to change the keyStore=defaults/freeworldKeystore entry. I mean the YaCy process has no write permission to the files in folder /usr/share/yacy/defaults/ including the /usr/share/yacy/defaults/freeworldKeystore. All these default configuration files are owned by root and not modifiable by the application itself, and this is a good thing regarding security and package upgrades management.

To conclude what you probably have to do, is to modify the entry with something like keyStore=DATA/SETTINGS/keystore.jks and eventually also modify the keyStorePassword=freeworld if you wish.

@r4dh4l

r4dh4l commented Nov 15, 2018

> But you are probably missing one additional step that does not appear in Scarfmonster's instructions. You should check your log file and look if an error is reported, probably something starting like SERVER Unable to import certificate from import file 'DATA/SETTINGS/keystore.pkcs12'. with details on the next lines.
> The missing step for a YaCy install from a Debian package is that you also have to change the keyStore=defaults/freeworldKeystore entry. I mean the YaCy process has no write permission to the files in folder /usr/share/yacy/defaults/ including the /usr/share/yacy/defaults/freeworldKeystore. All these default configuration files are owned by root and not modifiable by the application itself, and this is a good thing regarding security and package upgrades management.
>
> To conclude what you probably have to do, is to modify the entry with something like keyStore=DATA/SETTINGS/keystore.jks and eventually also modify the keyStorePassword=freeworld if you wish.

Thank you very much @luccioman.

```
cp /usr/share/yacy/defaults/freeworldKeystore /var/lib/yacy/SETTINGS/ && chown yacy:yacy /var/lib/yacy/SETTINGS/freeworldKeystore && ls -la /var/lib/yacy/SETTINGS/
```

and setting keyStore=DATA/SETTINGS/freeworldKeystore in /var/lib/yacy/SETTINGS/yacy.conf did it.

But may I ask anyway:

  1. Why did you suggest keystore.jks instead of freeworldKeystore?
  2. Why should I change keyStorePassword=freeworld? It seems like freeworldKeystore is encrypted with this password so I would need to re-encrypt freeworldKeystore with the new password, wouldn't I?

@luccioman
Member

@r4dh4l you can name your custom Java keystore as you wish, I suggested keystore.jks file name just as an example to distinguish it from the default freeworldKeystore.
What really matters when you want to import a pkcs12 keystore at YaCy startup, is to configure the keyStore= property with a path with write permissions for the YaCy server process.

About the keyStorePassword= property : when you import a pkcs12 keystore (by setting a value for property pkcs12ImportFile= and restarting YaCy), a completely new Java keystore (JKS format) is written at the target path configured with keyStore=, and it is encrypted with the password provided by property keyStorePassword=. So again you can keep the default password, or choose a custom one. Of course once the pkcs12 import has been successfully done, it does not make sense to change the value of the keyStorePassword= alone.
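
The keystore requirements worked out in the comments above (a readable `pkcs12ImportFile`, and a `keyStore` path outside the packaged defaults that the YaCy process can write to) can be checked before restarting. This is an added example, not YaCy code: the function names are hypothetical, and the mapping of `DATA/` to /var/lib/yacy and `defaults/` to /usr/share/yacy/defaults is assumed from the paths given in this thread.

```shell
#!/bin/sh
# Added example: sanity-check the keystore settings from this thread.
# Assumed layout (Debian package, per the comments above): DATA/ maps to
# /var/lib/yacy and defaults/ to /usr/share/yacy/defaults.

conf_get() {  # conf_get <file> <key>: last value assigned to <key>
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

resolve() {   # resolve <data_root> <defaults_root> <configured path>
    case "$3" in
        DATA/*)     echo "$1/${3#DATA/}" ;;
        defaults/*) echo "$2/${3#defaults/}" ;;
        *)          echo "$3" ;;
    esac
}

# check_keystore <yacy.conf> <data_root> <defaults_root>
# Prints each problem found; returns 1 if the pkcs12 import cannot succeed.
check_keystore() {
    rc=0
    import=$(conf_get "$1" pkcs12ImportFile)
    store=$(conf_get "$1" keyStore)
    [ -n "$import" ] || { echo "pkcs12ImportFile is not set"; return 0; }
    import_path=$(resolve "$2" "$3" "$import")
    store_dir=$(dirname "$(resolve "$2" "$3" "$store")")
    [ -r "$import_path" ] || { echo "cannot read $import_path"; rc=1; }
    case "$store" in
        defaults/*) echo "keyStore=$store is inside the packaged defaults"; rc=1 ;;
    esac
    [ -w "$store_dir" ] || { echo "no write permission in $store_dir"; rc=1; }
    return "$rc"
}

# Builds a constructed config tree in a temp dir and checks one keyStore value.
demo_check() {
    t=$(mktemp -d)
    mkdir -p "$t/data/SETTINGS" "$t/defaults"
    : > "$t/data/SETTINGS/keystore.pkcs12"
    printf 'pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12\nkeyStore=%s\n' "$1" \
        > "$t/data/SETTINGS/yacy.conf"
    check_keystore "$t/data/SETTINGS/yacy.conf" "$t/data" "$t/defaults"; r=$?
    rm -rf "$t"
    return "$r"
}

demo_check defaults/freeworldKeystore || echo "=> import would fail"
demo_check DATA/SETTINGS/keystore.jks && echo "=> import can proceed"
```

On a real install, call `check_keystore /var/lib/yacy/SETTINGS/yacy.conf /var/lib/yacy /usr/share/yacy/defaults` as the account YaCy runs under (the `chown` above uses `yacy`), because the `-r` and `-w` tests reflect the calling user's permissions and root passes them regardless.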

@pbhj

pbhj commented Jun 26, 2019

FWIW I followed the debian install instructions under Kubuntu and it fails on the repos not being signed (sudo aptitude update output):

```
Ign http://debian.yacy.net ./ Release.gpg
Fetched 1,675 B in 12s (143 B/s)
[...]
W: GPG error: http://debian.yacy.net ./ Release: The following signatures were invalid: 8BD752501CB62448A30EA3EA1F968B3903D886E7
E: The repository 'http://debian.yacy.net ./ Release' is not signed.
E: Failed to download some files
```

I attempted install with these slightly modified lines from the Debian instructions (to account for using sudo):

```
echo 'deb http://debian.yacy.net ./' | sudo tee /etc/apt/sources.list.d/yacy.list
wget http://debian.yacy.net/yacy_orbiter_key.asc -O- | sudo apt-key add -
```

and also tried with

```
sudo apt-key advanced --keyserver pgp.net.nz --recv-keys 03D886E7
```

But, having seen that there's apparently been no working deb for 2 years whilst it's being advertised on the install page ... maybe I'm misreading but it doesn't seem like it's worth trying unless I want to get involved in modifying packages and troubleshooting permissions.

As a "oh, that looks interesting" driveby from HackerNews, that's a big turn off.

[That's not to say that anyone needs to fix anything, just to try and present how the project might appear to potential users.]

@r4dh4l

r4dh4l commented Jul 6, 2019

> As a "oh, that looks interesting" driveby from HackerNews, that's a big turn off.

It is. I don't get why @Orbiter closed #236 which describes the problem you point out very well (next to others related to how YaCy currently appears to newcomers).

@lfuelling
Contributor

Three years and:

  • The signature is still invalid
  • The docs are still not working
  • The "setting up as service" docs directly refer to the deb package

Is there any chance this gets fixed someday or should I create a wiki account and put a big warning over all the articles referring to the package?

@Orbiter
Member

Orbiter commented Jan 3, 2021

I am considering this debian package as deprecated.

I am also not able to fix this because I am not that familiar with Debian certification processes. I would welcome it if someone in the community wants to make a Debian package and maintains that package. I am also happy to link such work.

Please help!
Meanwhile I will remove all links and hints to debian packages. (The wiki is broken ...). I prefer if you choose the docker method instead.

@lfuelling
Contributor

I'm not going to use Docker. Does it even make sense to open issues for bugs I encounter when running from the tarball?

@Orbiter closed this as completed Jan 4, 2021

@lfuelling
Contributor

ok
