Bug 54123 - Update to 5.0: UpdateSignatureVerificationFailed
Summary: Update to 5.0: UpdateSignatureVerificationFailed
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Update - Release updates
Version: UCS 4.4
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.0-2-errata
Assignee: Julia Bremer
QA Contact: Dirk Wiesenthal
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-24 10:52 CET by Maximilian Janßen
Modified: 2022-09-29 12:38 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022010421000508, 2022010421000339, 2021121421000088, 2021062821000484, 2021062821000493, 2021062821000519, 2021062821000537, 2021062821000635, 2021062821000546, 2021062821000626, 2021062821000653, 2021112321000625, 2021062821000671, 2021062821000644
Bug group (optional): External feedback
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Maximilian Janßen univentionstaff 2021-11-24 10:52:09 CET 
Version: 4.4-8 errata1101 (Blumenthal) - UCS@school 4.4 v9

Remark: Hab verucht das Release-Update zu installieren. Danach musste ich mich anmelden und es kam diese Fehlermeldung.

Error: 
Fehler beim Verbindungsaufbau zum Update-Server. Bitte überprüfen Sie die Proxy- oder Firewall-Einstellungen, falls vorhanden. Es kann sich sich auch um ein Problem des
konfigurierten DNS-Servers handeln. Dies ist die Fehlermeldung: Signature verification for /tmp/tmpIRZuy1/.all.tar failed
Request: status

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status
    blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available']))
  File "%PY2.7%/univention/appcenter/actions/update_check.py", line 120, in get_blocking_apps
    update.call(ucs_version=next_minor, cache_dir=cache_dir, just_get_cache=True)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call
    return obj.call_with_namespace(namespace)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main
    if self._download_apps(app_cache):
  File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps
    self._verify_file(all_tar_file)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file
    raise UpdateSignatureVerificationFailed(fname)
UpdateSignatureVerificationFailed: Signature verification for /tmp/tmpIRZuy1/.all.tar failed

Role: domaincontroller_master
Comment 1 Maximilian Janßen univentionstaff 2021-11-24 14:59:15 CET 
Version: 4.4-8 errata995 (Blumenthal)

Error: 
Error contacting the update server. Please check your proxy or firewall settings, if any. Or it may be a problem with your configured DNS server. This is the error message:
Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed
Request: status

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status
    blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available']))
  File "%PY2.7%/univention/appcenter/actions/update_check.py", line 114, in get_blocking_apps
    update.call()
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call
    return obj.call_with_namespace(namespace)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main
    if self._download_apps(app_cache):
  File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps
    self._verify_file(all_tar_file)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file
    raise UpdateSignatureVerificationFailed(fname)
UpdateSignatureVerificationFailed: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed

Role: domaincontroller_master
Comment 2 Maximilian Janßen univentionstaff 2021-11-24 15:00:31 CET 
Version: 4.4-8 errata995 (Blumenthal)

Error: 
Error contacting the update server. Please check your proxy or firewall settings, if any. Or it may be a problem with your configured DNS server. This is the error message:
Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed
Request: status

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status
    blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available']))
  File "%PY2.7%/univention/appcenter/actions/update_check.py", line 114, in get_blocking_apps
    update.call()
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call
    return obj.call_with_namespace(namespace)
  File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace
    result = self.main(namespace)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main
    if self._download_apps(app_cache):
  File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps
    self._verify_file(all_tar_file)
  File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file
    raise UpdateSignatureVerificationFailed(fname)
UpdateSignatureVerificationFailed: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed

Role: domaincontroller_master
Comment 3 Maximilian Janßen univentionstaff 2021-11-24 15:01:55 CET 
Version: 4.4-8 errata987 (Blumenthal)

same traceback as Comment #2 , but with /var/cache/univention-appcenter/appcenter.software-univention.de/4.3/.all.tar
Comment 4 Maximilian Janßen univentionstaff 2021-11-24 15:09:45 CET 
Reported again:

Version: 4.4-8 errata995 (Blumenthal)
Remark: nach Update auf das letzte Errata
Comment 5 Maximilian Janßen univentionstaff 2022-01-06 10:57:33 CET 
reported again: 2022010421000517
Version: 4.4-8 errata1134 (Blumenthal) - UCS@school 4.4 v9
Comment 7 Ingo Steuwer univentionstaff 2022-01-06 12:46:52 CET 
Do we know if this is a temporary or a permanent problem?
Comment 9 Nikola Radovanovic univentionstaff 2022-06-07 13:56:34 CEST 
Proposed solution is here: https://git.knut.univention.de/univention/ucs/-/merge_requests/411
Comment 10 Dirk Wiesenthal univentionstaff 2022-09-23 12:47:44 CEST 
We analyzed this bug. The only reasonable explanation is that system downloaded the App Center files while we were syncing new ones. Therefore, their signature verification failed. Some timestamps on the tickets correlate with App Updates we released.

This is not necessarily blocking an update. It may happen when opening the Updater module. And it should go away the next time, the Administrator opens it.
Comment 11 Dirk Wiesenthal univentionstaff 2022-09-23 12:51:58 CEST 
We should fix this in 5.0, not in 4.4. This is not really an update 4.4->5.0 error.

Also, we need more information to confirm this. We should improve the error message of "UpdateSignatureVerificationFailed" to include the error of apt-key and possibly some meta information about the files involved.
Comment 12 Julia Bremer univentionstaff 2022-09-24 22:28:30 CEST 
d7b3994337 Bug #54123: Include gpg_error and file timestamps in SignatureVerificationFailed exception


Successful build
Package: univention-appcenter
Version: 9.0.3-4A~5.0.0.202209242223
Branch: ucs_5.0-0
Scope: errata5.0-2

In case of a UpdateSignatureVerificationFailed, we now show the gpg_error itself and the mtime difference between the signature and the filename itself to be able to determine if the error is caused by one of them already being downloaded, while the other one is already invalidated during an appcenter sync.
Comment 13 Dirk Wiesenthal univentionstaff 2022-09-26 16:21:20 CEST 
New error message:

Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/.tmp.tar failed. GPG Error:  gpgv: Prüfsummenfehler; ea324c - 33e5db
gpgv: Keine Signatur gefunden
gpgv: Die Signatur konnte nicht überprüft werden.
Denken Sie daran, daß die Datei mit der Signatur (.sig oder .asc)
als erste in der Kommandozeile stehen sollte.
. File to verify and signature have a mtime offset of: -21929.838003396988.

This is much better and we may get more information, especially the gpg error. The mtime offset does not work as well as we had hoped, though. At least when zsync downloads the file, it uses the timestamp of the original all.tar file on our server.
Therefore, the offset shown may easily be tens of thousands of seconds and not reflect the actual difference on our server. At a later stage, we may want to manipulate the mtime of the downloaded files to the header field "Last-Modified" of the response.

One quick note: The traceback is only shown in the updater module because apparently, we ignore it in the App Center module.

I am still under the impression that this is a one-time error and open the module a second time should make it go away. Ignoring it in the updater module _may_ be viable. But let's see if we get new tracebacks. The last tracebacks are 18 months old.

Code: OK
YAML: OK
Test: OK