debmirror fails to properly check Release(.gpg)

Bug #90546 reported by John Moser
Affects: debmirror (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Kees Cook
Milestone: (none)

Bug Description

Binary package hint: debmirror

debmirror seems to not properly verify Release and Release.gpg as below:

bluefox@icebox:/media/IPOD/ccdc/ubuntu_repo$ debmirror -p -v --nosource --passive -h ftp.ubuntu.com -r /ubuntu/ --method=ftp --dist=edgy,edgy-backports,edgy-proposed,edgy-security,edgy-updates --section=main,restricted,universe,multiverse /media/IPOD/ccdc/ubuntu_repo/
Mirroring to /media/IPOD/ccdc/ubuntu_repo/ from ftp://<email address hidden>//ubuntu//
Arches: i386
Dists: edgy,edgy-backports,edgy-proposed,edgy-security,edgy-updates
Sections: main,restricted,universe,multiverse
Passive mode on.
Will clean up AFTER mirroring.
Pdiff mode: use.
Attempting to get lock, this might take 2 minutes before it fails.
Get Release files.
[0%] Keeping: dists/edgy/Release
[0%] Keeping: dists/edgy/Release.gpg
gpg: Signature made Wed 25 Oct 2006 01:13:17 PM EDT using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-backports/Release
[0%] Keeping: dists/edgy-backports/Release.gpg
gpg: Signature made Wed 07 Mar 2007 09:40:12 PM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-proposed/Release
[0%] Keeping: dists/edgy-proposed/Release.gpg
gpg: Signature made Tue 06 Mar 2007 04:30:39 AM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-security/Release
[0%] Keeping: dists/edgy-security/Release.gpg
gpg: Signature made Wed 07 Mar 2007 09:40:12 PM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-updates/Release
[0%] Keeping: dists/edgy-updates/Release.gpg
gpg: Signature made Wed 07 Mar 2007 02:31:39 PM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
Errors:
 Release signature does not verify.
 Release signature does not verify.
 Release signature does not verify.
 Release signature does not verify.
 Release signature does not verify.
Failed to download some Release or Release.gpg files!
WARNING: releasing 1 pending lock...

It seems to download them to .temp/ instead of ./ and then verify ./.

As a work-around, skip those:

bluefox@icebox:/media/IPOD/ccdc/ubuntu_repo$ debmirror -p -v --nosource --passive -h ftp.ubuntu.com -r /ubuntu/ --method=ftp --dist=edgy,edgy-backports,edgy-proposed,edgy-security,edgy-updates --section=main,restricted,universe,multiverse --ignore-missing-release --ignore-release-gpg /media/IPOD/ccdc/ubuntu_repo/

John Moser (nigelenki) wrote :

I'm told this is a failing on my part to get the proper gpg keys. Perhaps debmirror should ask something like:

 !!! Warning: You don't have the gpg public key for this. Download key ID 437D05B5 [y/N]?

And then I hit Y and it downloads it (and tells me it can't find it, yay) and life goes on.

In short, move this to wishlist or something.

William Grant (wgrant) wrote :

The error message is pretty clear, I think.

Changed in debmirror:
status: Unconfirmed → Rejected
John Moser (nigelenki) wrote :

gpg: Can't check signature: public key not found

jmoser@ubuntu-jm:~/mirror$ find .
.
jmoser@ubuntu-jm:~/mirror$ debmirror -p -v --nosource --passive -h ftp.ubuntu.com -r /ubuntu/ --method=ftp --dist=feisty --section=main mirdir
Mirroring to mirdir from ftp://<email address hidden>//ubuntu//
Arches: i386
Dists: feisty
Sections: main
Passive mode on.
Will clean up AFTER mirroring.
Pdiff mode: use.
Attempting to get lock, this might take 2 minutes before it fails.
Get Release files.
[0%] Getting: dists/feisty/Release #
[0%] Getting: dists/feisty/Release.gpg #
gpg: Signature made Tue 17 Apr 2007 02:20:13 PM EDT using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
Errors:
 Release signature does not verify.
Failed to download some Release or Release.gpg files!
WARNING: releasing 1 pending lock...
jmoser@ubuntu-jm:~/mirror$ find .
.
./mirdir
./mirdir/dists
./mirdir/dists/feisty
./mirdir/.temp
./mirdir/.temp/dists
./mirdir/.temp/dists/feisty
./mirdir/.temp/dists/feisty/Release.gpg
./mirdir/.temp/dists/feisty/Release
jmoser@ubuntu-jm:~/mirror$

Further investigation indicates possibility of needing to add the gpg key to the keyring, or something. I'm not sure anymore.

Changed in debmirror:
status: Invalid → Incomplete
aliet (alietss) wrote :

debmirror is actually failing the gpgv check even if you have the key in your trusted keys in gpg. The problem is that gpgv looks for the keyring named trustedkeys.gpg, but if you look into your gnupg folder you just see:
pubring.gpg
secring.gpg
trustdb.gpg
...
This is the reason why gpgv cannot find the keys.
A workaround to fix this is to set the option --keyring in the call to gpgv in debmirror:
gpgv --keyring pubring.gpg 2>/dev/null --status-fd 1 $tempdir/dists/$dist/Release.gpg $tempdir/dists/$dist/Release|

This fixes the problem in gutsy; not sure why gpg doesn't create the file trustedkeys.gpg.
A change in gpg???
Best regards

Changed in debmirror:
status: Incomplete → Confirmed
aliet (alietss) wrote :

This patch applied to debmirror in proposed is a workaround for this problem.

Kees Cook (kees) wrote :

This seems to be the (correct) default behavior of gpgv. I think changing documentation is a better fix. To import the archive key:

  gpg --no-default-keyring --keyring trustedkeys.gpg --import /usr/share/keyrings/ubuntu-archive-keyring.gpg

or, to use the entire pubring:

  ln -s ~/.gnupg/pubring.gpg ~/.gnupg/trustedkeys.gpg

Changed in debmirror:
assignee: nobody → keescook
status: Confirmed → In Progress
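
Added example, not debmirror's code and not part of any comment in this report: a shell helper that makes the same gpgv call with an explicit keyring and classifies the --status-fd lines, so the "public key not found" case seen above is reported separately from a bad signature. The function names, keyring argument and status samples are assumptions constructed for illustration. gpgv treats every key in the keyring it reads as trusted, so a keyring holding only the archive key is narrower than pointing it at a whole pubring.

```shell
#!/bin/sh
# Added example. Verdicts printed by classify_gpgv_status (stdin: status lines):
#   valid <fingerprint>  at least one VALIDSIG and nothing bad
#   bad                  BADSIG, or signature/key expired or revoked
#   no-pubkey <keyid>    signer's key is not in the keyring gpgv read
#   unverified           no usable signature status at all
classify_gpgv_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && fpr == ""      { fpr = $3 }
        $2 == "NO_PUBKEY" && missing == "" { missing = $3 }
        END {
            if (bad)                print "bad"
            else if (fpr != "")     print "valid " fpr
            else if (missing != "") print "no-pubkey " missing
            else                    print "unverified"
        }'
}

# verify_release DIR KEYRING (hypothetical helper): same gpgv call shape as in
# the thread, but with an explicit keyring. A path containing "/" is used as
# given; a bare file name is looked up in the GnuPG home directory.
verify_release() {
    gpgv --keyring "$2" --status-fd 1 "$1/Release.gpg" "$1/Release" 2>/dev/null |
        classify_gpgv_status
}

# Constructed status output; key ID and fingerprint are placeholders.
SAMPLE_NO_KEY='[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1176833213 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Key <archive@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-04-17 1176833213 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# The failure mode from this report, then a signature that verifies.
printf '%s\n' "$SAMPLE_NO_KEY" | classify_gpgv_status
printf '%s\n' "$SAMPLE_GOOD" | classify_gpgv_status
```
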
Kees Cook (kees) wrote :

debmirror (20070123ubuntu1) hardy; urgency=low

  * Patched to handle changes to Compress::Zlib gzreadline semantics
    (LP: #157362).
  * Update documentation to detail the correct keyring to use (LP: #90546).

 -- Kees Cook <email address hidden> Mon, 12 Nov 2007 14:10:57 -0800

Changed in debmirror:
status: In Progress → Fix Released
Mark Foster (fostermarkd) wrote :

Just ran into this on lucid. Fixed by adding the link mentioned earlier...
ln -s ~/.gnupg/pubring.gpg ~/.gnupg/trustedkeys.gpg
