Univention Bugzilla – Bug 54123
Update to 5.0: UpdateSignatureVerificationFailed
Last modified: 2022-09-29 12:38:50 CEST
Version: 4.4-8 errata1101 (Blumenthal) - UCS@school 4.4 v9 Remark: Hab verucht das Release-Update zu installieren. Danach musste ich mich anmelden und es kam diese Fehlermeldung. Error: Fehler beim Verbindungsaufbau zum Update-Server. Bitte überprüfen Sie die Proxy- oder Firewall-Einstellungen, falls vorhanden. Es kann sich sich auch um ein Problem des konfigurierten DNS-Servers handeln. Dies ist die Fehlermeldung: Signature verification for /tmp/tmpIRZuy1/.all.tar failed Request: status Traceback (most recent call last): File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available'])) File "%PY2.7%/univention/appcenter/actions/update_check.py", line 120, in get_blocking_apps update.call(ucs_version=next_minor, cache_dir=cache_dir, just_get_cache=True) File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call return obj.call_with_namespace(namespace) File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace result = self.main(namespace) File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main if self._download_apps(app_cache): File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps self._verify_file(all_tar_file) File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file raise UpdateSignatureVerificationFailed(fname) UpdateSignatureVerificationFailed: Signature verification for /tmp/tmpIRZuy1/.all.tar failed Role: domaincontroller_master
Version: 4.4-8 errata995 (Blumenthal) Error: Error contacting the update server. Please check your proxy or firewall settings, if any. Or it may be a problem with your configured DNS server. This is the error message: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed Request: status Traceback (most recent call last): File "%PY2.7%/univention/management/console/modules/updater/__init__.py", line 449, in status blocking_apps = update_check.get_blocking_apps(ucs_version=str(result['release_update_available'])) File "%PY2.7%/univention/appcenter/actions/update_check.py", line 114, in get_blocking_apps update.call() File "%PY2.7%/univention/appcenter/actions/__init__.py", line 220, in call return obj.call_with_namespace(namespace) File "%PY2.7%/univention/appcenter/actions/__init__.py", line 226, in call_with_namespace result = self.main(namespace) File "%PY2.7%/univention/appcenter/actions/update.py", line 87, in main if self._download_apps(app_cache): File "%PY2.7%/univention/appcenter/actions/update.py", line 200, in _download_apps self._verify_file(all_tar_file) File "%PY2.7%/univention/appcenter/actions/update.py", line 173, in _verify_file raise UpdateSignatureVerificationFailed(fname) UpdateSignatureVerificationFailed: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed Role: domaincontroller_master
Version: 4.4-8 errata987 (Blumenthal) same traceback as Comment #2 , but with /var/cache/univention-appcenter/appcenter.software-univention.de/4.3/.all.tar
Reported again: Version: 4.4-8 errata995 (Blumenthal) Remark: nach Update auf das letzte Errata
reported again: 2022010421000517 Version: 4.4-8 errata1134 (Blumenthal) - UCS@school 4.4 v9
Do we know if this is a temporary or a permanent problem?
Proposed solution is here: https://git.knut.univention.de/univention/ucs/-/merge_requests/411
We analyzed this bug. The only reasonable explanation is that system downloaded the App Center files while we were syncing new ones. Therefore, their signature verification failed. Some timestamps on the tickets correlate with App Updates we released. This is not necessarily blocking an update. It may happen when opening the Updater module. And it should go away the next time, the Administrator opens it.
We should fix this in 5.0, not in 4.4. This is not really an update 4.4->5.0 error. Also, we need more information to confirm this. We should improve the error message of "UpdateSignatureVerificationFailed" to include the error of apt-key and possibly some meta information about the files involved.
d7b3994337 Bug #54123: Include gpg_error and file timestamps in SignatureVerificationFailed exception Successful build Package: univention-appcenter Version: 9.0.3-4A~5.0.0.202209242223 Branch: ucs_5.0-0 Scope: errata5.0-2 In case of a UpdateSignatureVerificationFailed, we now show the gpg_error itself and the mtime difference between the signature and the filename itself to be able to determine if the error is caused by one of them already being downloaded, while the other one is already invalidated during an appcenter sync.
New error message: Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/.tmp.tar failed. GPG Error: gpgv: Prüfsummenfehler; ea324c - 33e5db gpgv: Keine Signatur gefunden gpgv: Die Signatur konnte nicht überprüft werden. Denken Sie daran, daß die Datei mit der Signatur (.sig oder .asc) als erste in der Kommandozeile stehen sollte. . File to verify and signature have a mtime offset of: -21929.838003396988. This is much better and we may get more information, especially the gpg error. The mtime offset does not work as well as we had hoped, though. At least when zsync downloads the file, it uses the timestamp of the original all.tar file on our server. Therefore, the offset shown may easily be tens of thousands of seconds and not reflect the actual difference on our server. At a later stage, we may want to manipulate the mtime of the downloaded files to the header field "Last-Modified" of the response. One quick note: The traceback is only shown in the updater module because apparently, we ignore it in the App Center module. I am still under the impression that this is a one-time error and open the module a second time should make it go away. Ignoring it in the updater module _may_ be viable. But let's see if we get new tracebacks. The last tracebacks are 18 months old. Code: OK YAML: OK Test: OK
<https://errata.software-univention.de/#/?erratum=5.0x437>