Bug 54123 - Update to 5.0: UpdateSignatureVerificationFailed
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Update - Release updates
UCS 4.4
Other Linux
P5 normal
UCS 5.0-2-errata
Assigned To: Julia Bremer
Dirk Wiesenthal
https://git.knut.univention.de/univen...
Reported: 2021-11-24 10:52 CET by Maximilian Janßen
Modified: 2022-09-29 12:38 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Ticket number: 2022010421000508, 2022010421000339, 2021121421000088, 2021062821000484, 2021062821000493, 2021062821000519, 2021062821000537, 2021062821000635, 2021062821000546, 2021062821000626, 2021062821000653, 2021112321000625, 2021062821000671, 2021062821000644
Bug group (optional): External feedback
Description Maximilian Janßen univentionstaff 2021-11-24 10:52:09 CET
Version: 4.4-8 errata1101 (Blumenthal) - UCS@school 4.4 v9

Remark: I tried to install the release update. After that I had to log in and this error message appeared.

Error: 
Fehler beim Verbindungsaufbau zum Update-Server. Bitte überprüfen Sie die Proxy- oder Firewall-Einstellungen, falls vorhanden. Es kann sich sich auch um ein Problem des
konfigurierten DNS-Servers handeln. Dies ist die Fehlermeldung: Signature verification for /tmp/tmpIRZuy1/.all.tar failed
Request: status

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status
    blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available']))
  File "%PY2.7%/univention/appcenter/actions/update_check.py", line 120, in get_blocking_apps
    update.call(ucs_version=next_minor, cache_dir=cache_dir, just_get_cache=True)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call
    return obj.call_with_namespace(namespace)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main
    if self._download_apps(app_cache):
  File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps
    self._verify_file(all_tar_file)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file
    raise UpdateSignatureVerificationFailed(fname)
UpdateSignatureVerificationFailed: Signature verification for /tmp/tmpIRZuy1/.all.tar failed

Role: domaincontroller_master
Comment 1 Maximilian Janßen univentionstaff 2021-11-24 14:59:15 CET
Version: 4.4-8 errata995 (Blumenthal)

Error: 
Error contacting the update server. Please check your proxy or firewall settings, if any. Or it may be a problem with your configured DNS server. This is the error message:
Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed
Request: status

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status
    blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available']))
  File "%PY2.7%/univention/appcenter/actions/update_check.py", line 114, in get_blocking_apps
    update.call()
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call
    return obj.call_with_namespace(namespace)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main
    if self._download_apps(app_cache):
  File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps
    self._verify_file(all_tar_file)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file
    raise UpdateSignatureVerificationFailed(fname)
UpdateSignatureVerificationFailed: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed

Role: domaincontroller_master
Comment 2 Maximilian Janßen univentionstaff 2021-11-24 15:00:31 CET
Version: 4.4-8 errata995 (Blumenthal)

Error: 
Error contacting the update server. Please check your proxy or firewall settings, if any. Or it may be a problem with your configured DNS server. This is the error message:
Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed
Request: status

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status
    blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available']))
  File "%PY2.7%/univention/appcenter/actions/update_check.py", line 114, in get_blocking_apps
    update.call()
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call
    return obj.call_with_namespace(namespace)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main
    if self._download_apps(app_cache):
  File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps
    self._verify_file(all_tar_file)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file
    raise UpdateSignatureVerificationFailed(fname)
UpdateSignatureVerificationFailed: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed

Role: domaincontroller_master
Comment 3 Maximilian Janßen univentionstaff 2021-11-24 15:01:55 CET
Version: 4.4-8 errata987 (Blumenthal)

Same traceback as Comment #2, but with /var/cache/univention-appcenter/appcenter.software-univention.de/4.3/.all.tar
Comment 4 Maximilian Janßen univentionstaff 2021-11-24 15:09:45 CET
Reported again:

Version: 4.4-8 errata995 (Blumenthal)
Remark: after updating to the latest errata
Comment 5 Maximilian Janßen univentionstaff 2022-01-06 10:57:33 CET
reported again: 2022010421000517
Version: 4.4-8 errata1134 (Blumenthal) - UCS@school 4.4 v9
Comment 7 Ingo Steuwer univentionstaff 2022-01-06 12:46:52 CET
Do we know if this is a temporary or a permanent problem?
Comment 9 Nikola Radovanovic univentionstaff 2022-06-07 13:56:34 CEST
Proposed solution is here: https://git.knut.univention.de/univention/ucs/-/merge_requests/411
Comment 10 Dirk Wiesenthal univentionstaff 2022-09-23 12:47:44 CEST
We analyzed this bug. The only reasonable explanation is that the system downloaded the App Center files while we were syncing new ones. Therefore, their signature verification failed. Some timestamps on the tickets correlate with App Updates we released.

This is not necessarily blocking an update. It may happen when opening the Updater module. And it should go away the next time the Administrator opens it.
Comment 11 Dirk Wiesenthal univentionstaff 2022-09-23 12:51:58 CEST
We should fix this in 5.0, not in 4.4. This is not really an update 4.4->5.0 error.

Also, we need more information to confirm this. We should improve the error message of "UpdateSignatureVerificationFailed" to include the error of apt-key and possibly some meta information about the files involved.
Comment 12 Julia Bremer univentionstaff 2022-09-24 22:28:30 CEST
d7b3994337 Bug #54123: Include gpg_error and file timestamps in SignatureVerificationFailed exception


Successful build
Package: univention-appcenter
Version: 9.0.3-4A~5.0.0.202209242223
Branch: ucs_5.0-0
Scope: errata5.0-2

In case of an UpdateSignatureVerificationFailed, we now show the gpg_error itself and the mtime difference between the signature and the filename itself to be able to determine if the error is caused by one of them already being downloaded, while the other one is already invalidated during an appcenter sync.
Comment 13 Dirk Wiesenthal univentionstaff 2022-09-26 16:21:20 CEST
New error message:

Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/.tmp.tar failed. GPG Error:  gpgv: Prüfsummenfehler; ea324c - 33e5db
gpgv: Keine Signatur gefunden
gpgv: Die Signatur konnte nicht überprüft werden.
Denken Sie daran, daß die Datei mit der Signatur (.sig oder .asc)
als erste in der Kommandozeile stehen sollte.
. File to verify and signature have a mtime offset of: -21929.838003396988.

This is much better and we may get more information, especially the gpg error. The mtime offset does not work as well as we had hoped, though. At least when zsync downloads the file, it uses the timestamp of the original all.tar file on our server.
Therefore, the offset shown may easily be tens of thousands of seconds and not reflect the actual difference on our server. At a later stage, we may want to manipulate the mtime of the downloaded files to the header field "Last-Modified" of the response.

One quick note: The traceback is only shown in the updater module because apparently, we ignore it in the App Center module.

I am still under the impression that this is a one-time error and opening the module a second time should make it go away. Ignoring it in the updater module _may_ be viable. But let's see if we get new tracebacks. The last tracebacks are 18 months old.

Code: OK
YAML: OK
Test: OK
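
The diagnostics discussed in Comments 11 to 13, as an added example that is not the univention-appcenter code: a verification wrapper that raises with the verifier's stderr and the mtime offset, plus a helper that stamps downloaded files with the response's "Last-Modified" value so the offset compares server-side times. The class and function names, the `verifier` override, and the signature and keyring paths are assumptions.

```python
import email.utils
import os
import subprocess


class SignatureVerificationFailed(Exception):
    """Hypothetical exception carrying the verifier's stderr and the mtime offset."""

    def __init__(self, fname, gpg_error, mtime_offset):
        self.fname = fname
        self.gpg_error = gpg_error
        self.mtime_offset = mtime_offset
        super().__init__(
            "Signature verification for %s failed. GPG Error: %s. "
            "File to verify and signature have a mtime offset of: %s."
            % (fname, gpg_error.strip(), mtime_offset)
        )


def stamp_last_modified(path, last_modified):
    """Set a downloaded file's mtime from an HTTP Last-Modified header value,
    so offsets compare server-side times instead of local download times."""
    ts = email.utils.parsedate_to_datetime(last_modified).timestamp()
    os.utime(path, (ts, ts))
    return ts


def verify_file(fname, sig, keyring, verifier=None):
    """Run the verifier with the signature file first, then the data file.
    On failure, raise with captured stderr and mtime(fname) - mtime(sig)."""
    # Default command assumes gpgv with an explicit keyring (path is caller-supplied).
    cmd = (verifier or ["gpgv", "--keyring", keyring]) + [sig, fname]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        offset = os.path.getmtime(fname) - os.path.getmtime(sig)
        raise SignatureVerificationFailed(
            fname, proc.stderr.decode("utf-8", "replace"), offset
        )
    return True
```

A small offset between a file and its signature after stamping points at a pair fetched across a sync boundary; a large one suggests a stale cached half.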