[CPR-419] ubuntu xenial update failure Created: 2017/04/27  Updated: 2017/12/28  Resolved: 2017/12/28

Status: Closed
Project: Community Package Repository
Component/s: None
Affects Version/s: None
Fix Version/s: 2017/08/02

Type: Bug Priority: Blocker
Reporter: Pegerto Fernandez Assignee: Rob Braden
Resolution: Done Votes: 9
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to CPR-445 Apt-get failure on xenial due to BADSIG Closed
relates to CPR-317 Puppet Labs Release Key expires soon Closed
Template: MODULES Bug Template
Team: Release Engineering
Story Points: 1
Sprint: RE 2017-05-03
QA Risk Assessment: Needs Assessment

 Description   

Using the following repository

deb https://apt.puppetlabs.com xenial PC1

With the following operative system:

NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

When we run an apt-get update then I have the following error:

Reading package lists... Done
W: GPG error: http://apt.puppetlabs.com xenial Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
W: The repository 'http://apt.puppetlabs.com xenial Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://apt.puppetlabs.com xenial Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
W: The repository 'https://apt.puppetlabs.com xenial Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://apt.puppetlabs.com/dists/xenial/PC1/binary-amd64/Packages.gz  Hash Sum mismatch
E: Failed to fetch http://apt.puppetlabs.com/dists/xenial/PC1/binary-all/Packages.gz
E: Failed to fetch https://apt.puppetlabs.com/dists/xenial/PC1/binary-all/Packages.gz  Hash Sum mismatch
E: Some index files failed to download. They have been ignored, or old ones used instead.
W: Duplicate sources.list entry http://apt.puppetlabs.com xenial Release

Validating the repository

wget https://apt.puppetlabs.com/dists/xenial/Release
wget https://apt.puppetlabs.com/dists/xenial/Release.gpg
 
gpg --fingerprint EF8D349F
pub   4096R/EF8D349F 2016-08-18 [expires: 2021-08-17]
      Key fingerprint = 6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid       [ unknown] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
sub   4096R/656674AE 2016-08-18 [expires: 2021-08-17]
 
 
gpg --verify Release.gpg Release
gpg: Signature made Thu 20 Apr 21:06:46 2017 BST using RSA key ID EF8D349F
gpg: BAD signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" [unknown]

The md5 for the binary-amd64 is acording to the release { 053a11f9e6bf966e2e42341f43cb1941 167 PC1/binary-amd64/Release] and:

wget https://apt.puppetlabs.com/dists/xenial/PC1/binary-amd64/Packages.gz
md5sum Packages.gz
7c5deed758025d7c4d1f49d94fc578ed  Packages.gz



 Comments   
Comment by David Brůha [ 2017/04/27 ]

We can confirm the same situation on all our wheezy servers (including the puppet server):

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com wheezy Release: The following signatures were invalid: BADSIG 7F438280EF8D349F Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>

W: Failed to fetch http://apt.puppetlabs.com/dists/wheezy/Release

W: Some index files failed to download. They have been ignored, or old ones used instead.

Comment by DO! DevOps [ 2017/04/27 ]

Pegerto Fernandez I've set the priority to blocker, because we use the repository as our main agent installation method.

Comment by Francois Lafont [ 2017/04/27 ]

Exactly same problem here with:

  • Ubuntu Xenial
  • Ubuntu Trusty
Comment by Pegerto Fernandez [ 2017/04/27 ]

DO! DevOps the change to critical sound good to me, we are block as well, and we use the repo during the boot strapping and at the configuration management, so it is not easy to change, from the other side, we agree that our organisation should have mirror this repo locally time ago.

Comment by Patrick Otto [ 2017/04/27 ]

Same issue here with xenial and trusty:

[14:55] < codec> I just provisioned a new machine that installs the release deb from apt.puppetlabs.com, then starts complaining about the bad signature. This sounds wrong?
[14:57] < codec> binford2k: but its a fresh machine using the keyring supplied by the release package. its definitely in there, but the sig is bad
[14:58] < codec> https://gist.github.com/codec/e0229356ede6a55651074bfab149906b
[15:01] < codec> https://apt.puppetlabs.com/dists/xenial/ shows a last modified of 26/04 12:52 but when i fetch it its 20/04 20:02
[15:01] < codec> *for Release
[15:03] <@binford2k> 1 sec, https://tickets.puppetlabs.com/browse/CPR-419 codec mpibmike_
[15:05] < codec> binford2k: i think its a fucked cache somewhere. my ec2 machines show me Date: ... 26 Apr, but on my local machine it shows 20 Apr
[15:05] < codec> binford2k: curl -s https://apt.puppetlabs.com/dists/xenial/Release | grep Date

Comment by Rob Braden [ 2017/04/27 ]

Apologies for the inconvenience: I think we had some bad metadata cached in our CDN, we have refreshed the cache and it does seem to be working now (for me), can someone verify?

Comment by Daniel Lehmann [ 2017/04/27 ]

Works for me!
Thx

Comment by Benjamin HENRION [ 2017/04/27 ]

Works for me now. I was waiting for Portland to wake up it seems...

Comment by Pegerto Fernandez [ 2017/04/27 ]

Rob Braden: Thank you very much for the update.

Comment by Dirk Melchers [ 2017/04/27 ]

Another here! Thanks for the quick fix!

Comment by David Brůha [ 2017/04/27 ]

Works here as well, thank you very much!

Generated at Thu Feb 27 00:52:56 PST 2020 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.