Univention Bugzilla – Bug 51603
univention-repository-update net fails with GPG verification error
Last modified: 2020-09-24 11:27:36 CEST
A customer observed that "u-repository-update net" failed with the following error:

    root@master:~# univention-repository-update net
    Error: Verification error: Invalid signature:
    gpgv: Signature made Mi 19 Nov 2014 21:05:14 CET
    gpgv: using DSA key 1DD67AFB2CBDA4B0
    gpgv: Can't check signature: Kein öffentlicher Schlüssel
    This can and should only be disabled temporarily using the UCR variable 'repository/mirror/verify'.

I was able to reproduce this as follows:
1. Install UCS with a version below 4.4-4
2. univention-repository-create
3. univention-repository-update net
4. univention-upgrade to current 4.4-4 release and errata level
5. univention-repository-update net fails with error above

My system was on 4.4-4 e644 when the error started to happen. I checked whether I'd be able to get the errata updates released later that day in spite of the error. It doesn't work and my system seems to be stuck on 4.4-4 e644 now (as long as it's using the repo mirror of course).

As Erik pointed out one can fix the problem by downgrading univention-archive-key on the repo mirror:

    univention-install univention-archive-key=8.0.0-1A~4.3.0.201712120205

This only works until one updates the repo mirror itself, because univention-archive-key will be upgraded to the broken version again.

+++ This bug was initially created as a clone of Bug #51250 +++

UCS-4.x uses:

    # gpg --list-key 6B8BFD3C
    pub   rsa4096/0x36602BA86B8BFD3C 2014-06-30 [SC] [verfällt: 2021-06-28]
          6B6E7E3259A9F44F1452D1BE36602BA86B8BFD3C
    uid                  [ unbekannt ] Univention Corporate Server 4.x <packages@univention.de>
    sub   rsa4096/0x89A34EE2C6A83019 2014-06-30 [E] [verfällt: 2021-06-28]

We should create a new key for UCS-5, which must be shipped already with UCS-4 in ucs/base/univention-archive-key/ to allow upgrades from UCS-4 to UCS-5. The key should be published to http://updates.software-univention.de/ too.

univention-archive-key-ucs-3x.gpg can be removed as it is expired.
Blocking progress [...] because the customer was waiting for an errata which they weren't able to download due to this.
Needed to clear my head and looked into this...

The repository seems to be mirrored from 4.0-0 upwards. The preup.sh/postup.sh scripts for 4.0-0 are signed with the univention-archive-key-ucs-3x.gpg key, which was removed.

(Not completely tested)
Workaround: Download the key from "https://updates.software-univention.de/univention-archive-key-ucs-3x.gpg" and copy it into "/etc/apt/trusted.gpg.d/".
Alternative: Do not start with 4.0-0 (Something like "ucr set repository/mirror/version/start=4.1-0")
> Alternative: Do not start with 4.0-0 (Something like "ucr set
> repository/mirror/version/start=4.1-0")

Afaik one always has to mirror the entire major release one is using. So 4.0 - 4.99 at a time, because there might be dependencies in e.g. 4.4 packages reaching back to 4.0. In fact I witnessed UCS 4.3 installations being broken after a customer removed 4.0, 4.1 and 4.2 from their repo mirror. They thought it'd be fine since 4.3 was based on a new Debian release.
Same problem here, manually re-adding the 3.x key made it work again.
Same problem here with 4.4-5 as well.
(In reply to Markus Dählmann from comment #5)
> Same problem here, manually re-adding the 3.x key made it work again.

Works for me too.
    $ cd /var/univention/buildsystem2/mirror/ftp/4.0/maintained/4.0-0/all
    $ gpgv postup.sh.gpg postup.sh
    gpgv: Signatur vom Mi 19 Nov 2014 21:05:14 CET
    gpgv: mittels DSA-Schlüssel 1DD67AFB2CBDA4B0
    gpgv: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel

    UCS2='1027 D9E4 1543 386F 3CC2 85DA 0AFF A048 0A55 84A5'
    UCS3='3550 FB4C C61F DB88 D334 E31A 1DD6 7AFB 2CBD A4B0'  <---
    UCS4='6B6E 7E32 59A9 F44F 1452 D1BE 3660 2BA8 6B8B FD3C'
    UCS5='8321 745B B32A 82C7 5BBD 4BC2 D293 E501 A055 F562'

[4.4-5] 8a29e03d10 Bug #51603: Re-add univention-archive-key-ucs-3x.gpg
 base/univention-archive-key/debian/changelog | 6 ++++++
 base/univention-archive-key/debian/control   | 2 +-
 .../univention-archive-key-ucs-3x.gpg        | Bin 0 -> 1716 bytes
 3 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-archive-key
Version: 9.0.0-4A~4.4.0.202007291623
Branch: ucs_4.4-0
Scope: errata4.4-5

[4.4-5] d506ebe828 Bug #51603: univention-archive-key 9.0.0-4A~4.4.0.202007291623
 doc/errata/staging/univention-archive-key.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

QA:
- VM with 150 GiB extra partition for /var/lib/univention-repository/
- wget http://updates.knut.univention.de/download/ucs-cds/ucs4.4-5/UCS_4.4-5-amd64.iso
- univention-repository-create -n -i UCS_4.4-5-amd64.iso
- univention-repository-update net
  Before: FAILS
  After: OKAY
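An added diagnostic, not part of this bug report or of UCS, that parses gpgv's "no public key" output in both the English and the German wording quoted on this page and maps the long key ID it reports onto the four UCS archive-key fingerprints listed in the comment above, so the mirror host can tell which key file it is missing. The function names are assumptions; the only gpgv option used is the real --keyring, and the sample outputs are constructed from the two sessions on this page.

```python
import re
import subprocess

# Archive-key fingerprints exactly as listed in the comment above (page data).
UCS_KEY_FINGERPRINTS = {
    "UCS2": "1027 D9E4 1543 386F 3CC2 85DA 0AFF A048 0A55 84A5",
    "UCS3": "3550 FB4C C61F DB88 D334 E31A 1DD6 7AFB 2CBD A4B0",
    "UCS4": "6B6E 7E32 59A9 F44F 1452 D1BE 3660 2BA8 6B8B FD3C",
    "UCS5": "8321 745B B32A 82C7 5BBD 4BC2 D293 E501 A055 F562",
}

# gpgv localizes its messages; both wordings quoted on this page are matched.
KEY_ID_RE = re.compile(
    r"^gpgv: +(?:using|mittels) \w+[ -](?:key|Schlüssel) ([0-9A-F]{16})", re.M)
NO_PUBKEY_RE = re.compile(
    r"^gpgv: .*(?:No public key|Kein öffentlicher Schlüssel)", re.M)

def run_gpgv(sig_path, data_path, keyrings=()):
    """Verify a detached signature (e.g. postup.sh.gpg over postup.sh) and return
    gpgv's stderr; each keyring (e.g. a file from /etc/apt/trusted.gpg.d/) is
    passed with --keyring, otherwise gpgv falls back to its default keyring."""
    cmd = ["gpgv"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    return subprocess.run(cmd + [sig_path, data_path],
                          capture_output=True, text=True).stderr

def diagnose(gpgv_stderr):
    """Return (status, key_id, ucs_key). status is "missing_key" when gpgv could
    not find the signing key, else "no_missing_key"; key_id is the long key ID
    gpgv printed; ucs_key names the UCS key whose fingerprint ends in that ID."""
    if not NO_PUBKEY_RE.search(gpgv_stderr):
        return ("no_missing_key", None, None)
    m = KEY_ID_RE.search(gpgv_stderr)
    if not m:
        return ("missing_key", None, None)
    key_id = m.group(1)
    for name, fingerprint in UCS_KEY_FINGERPRINTS.items():
        if fingerprint.replace(" ", "").endswith(key_id):
            return ("missing_key", key_id, name)
    return ("missing_key", key_id, None)  # signed by a non-UCS key

# Constructed samples copied from the two gpgv sessions quoted in this bug.
SAMPLE_EN = ("gpgv: Signature made Mi 19 Nov 2014 21:05:14 CET\n"
             "gpgv: using DSA key 1DD67AFB2CBDA4B0\n"
             "gpgv: Can't check signature: Kein öffentlicher Schlüssel\n")
SAMPLE_DE = ("gpgv: Signatur vom Mi 19 Nov 2014 21:05:14 CET\n"
             "gpgv: mittels DSA-Schlüssel 1DD67AFB2CBDA4B0\n"
             "gpgv: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel\n")
```

Both samples resolve to the UCS3 key, which is exactly the univention-archive-key-ucs-3x.gpg file this bug re-adds; `diagnose(run_gpgv("postup.sh.gpg", "postup.sh"))` gives the same answer on a live mirror.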
QA:
Initially tested on UCS 4.4-4 with maintained version of univention-archive-key:
- univention-repository-update net: failed as expected (univention-archive-key-ucs-3x.gpg missing)
- Installed new version 9.0.0-4A~4.4.0.202007291623 of univention-archive-key
- univention-repository-update net: OK
- Upgraded server to UCS 4.4-5: OK
- Set up another UCS 4.4-4 system that uses the first one as repository server: OK
- Also upgraded to 4.4-5: OK
Verified.
<https://errata.software-univention.de/#/?erratum=4.4x711>