[Ceres] - apt cannot validate repo signatures anymore

kaliooma · 2024-05-27 21:18:24

Hello, I hope this is the right section to post this.

After a certain regular round of updates in mid-May (last week-ish?) I found that apt in my Devuan unstable installation lost the ability to check the PGP signatures of the release files of the repositories. This is true for any repository I try from here https://pkgmaster.devuan.org/mirror_list.txt, which leads me to think it's my system that broke.

Here's the output of what comes from running a simple apt update from the terminal:

$ doas apt update
Get:1 https://mirrors.dotsrc.org/devuan/merged ceres InRelease [47.6 kB]
Err:1 https://mirrors.dotsrc.org/devuan/merged ceres InRelease
  The following signatures were invalid: ERRSIG 94532124541922FB
Warning: https://mirrors.dotsrc.org/devuan/merged/dists/ceres/InRelease: Unknown response from gpgv to --assert-pubkey-algo check: gpgv:   error: Error parsing command-line arguments
Warning: GPG error: https://mirrors.dotsrc.org/devuan/merged ceres InRelease: The following signatures were invalid: ERRSIG 94532124541922FB
Error: The repository 'https://mirrors.dotsrc.org/devuan/merged ceres InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

I don't think I have "lost" the signing key of the Devuan maintainers because the package where the key belongs is also installed:

$ apt show devuan-keyring 
Package: devuan-keyring
Version: 2023.10.07
Priority: important
Section: misc
Origin: Devuan
Maintainer: Devuan Developers <devuan-dev@lists.dyne.org>
Installed-Size: 264 kB
Depends: gpgv
Recommends: gnupg | gnupg1
Breaks: apt (<< 0.7.25.1)
Homepage: http://www.devuan.org
Download-Size: 124 kB
APT-Manual-Installed: yes
APT-Sources: https://mirrors.dotsrc.org/devuan/merged ceres/main amd64 Packages
Description: GnuPG keys used by the Devuan repository
 The Devuan repository digitally signs its Release files.  This package contains
 the repository keys used for that as well as individual keys of active Devuan
 developers.

Rather, I believe the error is caused by gpg, or more precisely its restricted subset program gpgv, due to this snippet:

Warning: https://mirrors.dotsrc.org/devuan/merged/dists/ceres/InRelease: 
Unknown response from gpgv to --assert-pubkey-algo check: gpgv:   error: Error parsing command-line arguments

However, I purged and re-installed the gpgv package many times and the error persists. I don't know if it's a configuration that has changed or something?

Please let me know what I could try to fix this issue. Currently, I'm still able to update the system sporadically as well as install new packages by running apt insecurely via apt -o Acquire::AllowInsecureRepositories=true update with HTTPS-enabled repos, but this is not an acceptable solution.

Anything I could try?

Thanks!

PS: also, not every Devuan Ceres system I run has been hit by this. Another computer which I updated after this affected system never caught this bug, and continued to roll freely with new updates for some reason...

delgado · 2024-05-28 19:56:21

Just fishing in the dark ... . You mentioned "HTTPS-enabled repos":

There is an issue with devuan repos and https - I don't remember details.
"deb http://" is recommended, while "deb https://" should not be used for *some* reason with the (merged) devuan repos.

cat /et/apt/sources.list | grep ceres
deb http://deb.devuan.org/merged ceres main contrib non-free non-free-firmware

kaliooma · 2024-05-28 20:09:53

Hi delgado,

Thanks for the reply. Unfortunately the behavior seems to be the same:

$ doas apt update
Get:1 http://deb.devuan.org/merged ceres InRelease [47.6 kB]
Err:1 http://deb.devuan.org/merged ceres InRelease
  The following signatures were invalid: ERRSIG 94532124541922FB
Warning: http://deb.devuan.org/merged/dists/ceres/InRelease: Unknown response from gpgv to --assert-pubkey-algo check: gpgv:   error: Error parsing command-line arguments
Warning: GPG error: http://deb.devuan.org/merged ceres InRelease: The following signatures were invalid: ERRSIG 94532124541922FB
Error: The repository 'http://deb.devuan.org/merged ceres InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

I still have a feeling that the culprit is gpgv. Indeed the program (at least the version 2.2.40 packaged in Ceres) does not seem to accept --assert-pubkey-algo as a valid argument:

$ gpgv --version
gpgv (GnuPG-compatible Sequoia Chameleon) 2.2.40
Sequoia gpgv Chameleon 0.8.0
sequoia-openpgp 1.20.0
Copyright (C) 2024 Sequoia PGP
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ gpgv --
--ignore-time-conflict  --status-fd
--keyring               --verbose
--output                --weak-digest
--quiet                 
$ gpgv --assert-pubkey-algo
gpgv:   error: Error parsing command-line arguments
gpgv: because: Unknown argument "assert-pubkey-algo"

Note this last line: it's the same that appears in the apt error message.

I wonder if this version of gpgv or the apt hook that involves it somehow got borked or what. It's driving me nuts that I can't seem to debug it. How does apt involve it? Is it hardcoded or through an external script?

When I search for this specific error message from gpg, the only thing I find relevant is this Debian Bug report: https://bugs.debian.org/cgi-bin/bugrepo … ug=1070700

Thanks anyway for the attempt instead of dismissing it as "it's called unstable for a reason, you should not be using it."

The officially official Devuan Forum!

#1 2024-05-27 21:18:24

[Ceres] - apt cannot validate repo signatures anymore

#2 2024-05-28 19:56:21

Re: [Ceres] - apt cannot validate repo signatures anymore

#3 2024-05-28 20:09:53

Re: [Ceres] - apt cannot validate repo signatures anymore

Board footer