Hi Cyprien

Thank you very much for this. I guess this could even be a candidate for a
point release.

Do I understand correctly that the file is "InRelease" and not
"InRelease.gpg"? If that is the case, the patch looks good.

Cheers

// Ola

On Tue, 12 Sept 2023 at 18:09, Cyprien Nicolas <cypr...@octopuce.fr> wrote:

> Package: debarchiver
> Version: 0.11.7
> Severity: important
> Tags: patch
>
> Dear Maintainer,
>
> We use debarchiver for a company repository, and since we started
> upgrading our servers to Bookworm, our hosts fail to verify our
> repository:
>
> W: Pas d'entrée de hachage dans le fichier Release
> /var/lib/apt/lists/partial/debian.octopuce.fr_octopuce_dists_bookworm_Release
> E: Le dépôt http://debian.octopuce.fr/octopuce bookworm Release ne
> fournit que de faibles informations de sécurité.
>
> Sorry for the French, I no longer have the full LC_ALL=C output, the
> first one said "No Hash entry in Release file", and the second one
> something about "weak security".
>
> With respect to #825123, we checked our signing key (rsa2048) and the
> default signature algorithm (sha256) but the issue is unrelated.
>
> We found out that the InRelease file is not generated by
> debarchiver. We patched debarchiver to do so, along with the
> Release.gpg file, and now the repository is verified.
>
> I'm not sure how to add patches with reportbug yet, so I put it inline
> here:
>
> -*- Patch Begins here -*-
> --- debarchiver.orig    2021-09-07 15:10:31.000000000 +0200
> +++ debarchiver 2023-09-12 17:23:12.171618835 +0200
> @@ -1302,17 +1302,26 @@
>               3);
>      if ($gpgkey) {
>          unlink("$path/Release.gpg");
> +        unlink("$path/InRelease");
>         if ($gpgpassfile) {
>             cmdaction("cat $gpgpassfile | gpg --batch --no-tty -a -b -s -u
> $gpgkey " .
>                       "--pinentry-mode loopback --passphrase-fd 0 -o
> $path/Release.gpg $path/Release",
>                       "Sign Release file for $path with key '$gpgkey'",
>                       3);
> +           cmdaction("cat $gpgpassfile | gpg --batch --no-tty --clearsign
> -u $gpgkey " .
> +                     "--pinentry-mode loopback --passphrase-fd 0 -o
> $path/InRelease $path/Release",
> +                     "Sign InRelease file for $path with key '$gpgkey'",
> +                     3);
>         }
>         else {
>             cmdaction("gpg -a -b -s -u $gpgkey " .
>                       "-o $path/Release.gpg $path/Release",
>                       "Sign Release file for $path with key '$gpgkey'",
>                       3);
> +           cmdaction("gpg --clearsign -u $gpgkey " .
> +                     "-o $path/InRelease $path/Release",
>



> +                     "Sign InRelease file for $path with key '$gpgkey'",
> +                     3);
>         }
>      }
>      unlink("$configpath");
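
Review bot: the added unlink("$path/InRelease") followed by gpg --clearsign
writing straight to $path/InRelease (both branches) leaves a window in which
a client fetching the repository finds InRelease missing or half-written.
Consider signing to a temporary name in the same directory and renaming it
over InRelease once gpg has succeeded; the same applies to the existing
Release.gpg lines. The output name is InRelease with no .gpg suffix, which
answers the question raised in the reply. $gpgkey, $gpgpassfile and $path
also go into the shell command unquoted, as in the existing calls, so a
value containing whitespace would split the command.
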
> -*- Patch Ends here -*-
>
> Kind regards,
> Cyprien
>
> -- System Information:
> Debian Release: 12.1
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.1.0-11-amd64 (SMP w/16 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE
> not set
> Shell: /bin/sh linked to /usr/bin/bash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages debarchiver depends on:
> ii  adduser    3.134
> ii  apt-utils  2.6.1
> ii  dpkg-dev   1.21.22
> ii  opalmod    0.2.2.1
>
> Versions of packages debarchiver recommends:
> ii  mailutils [mailx]               1:3.15-4
> ii  postfix [mail-transport-agent]  3.7.6-0+deb12u2
>
> Versions of packages debarchiver suggests:
> pn  devscripts  <none>
> ii  gnupg       2.2.40-1.1
>
> -- Configuration Files:
> /etc/cron.d/debarchiver changed:
> MAILTO=""
> */5 * * * *     debarchiver     /usr/local/bin/debarchiver-patch-inrelease
> --scanall -so | logger -t debarchiver -p daemon.info
>
> /etc/debarchiver.conf changed:
> $destdir = "/var/www/debian/octopuce/dists";
> $inputdir = "/var/lib/debarchiver/incoming";
> $copycmd = "mv -f";
> $rmcmd = "true";
> $vrfycmd = "dscverify";
> $cinstall = "installed";
> $verifysignatures = 1;
> $ignoredestcheck = 0;
> $verifysignaturesdistinput = 0;
> $bzip = 1;
>  %distinputdirs =
>         (
>         oldoldoldstable => 'oldoldoldstable',
>         oldoldstable => 'oldoldstable',
>         oldstable => 'oldstable',
>         stable => 'stable',
>         testing => 'testing',
>         unstable => 'unstable',
>         experimental => 'experimental'
>         );
> @distributions = ('oldoldoldstable', 'oldoldstable','oldstable', 'stable',
> 'testing', 'unstable', 'experimental');
> $majordefault = "main";
>  %distmapping =
>         (
>         oldoldoldstable => 'stretch',
>         oldoldstable => 'buster',
>         oldstable => 'bullseye',
>         stable => 'bookworm',
>         testing => 'trixie',
>         unstable => 'sid',
>         experimental => 'experimental',
>         );
> @architectures = ('i386', 'amd64', 'all');
> @sections = ('main', 'contrib', 'non-free');
>   @mailtos = ('packa...@octopuce.fr');
> $mailfrom = "debarchi...@debian.octopuce.fr";
> %release = (    'origin' => "debian.octopuce.fr",
>                 'label' => "Octopuce official repository",
>                 'description' => "Octopuce-specific packages official
> repository");
> $cachedir = '/var/cache/debarchiver';
> $gpgkey = "AB4B62BCAB86B190C0543F84F83BC4CC8181979A";
> $gpgpassfile = "";
> 1;
>
>
> -- no debconf information
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
