[Bug 1642386] Re: At least one invalid signature was encountered.

2017-01-16 Thread Mathew Hodson
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1252 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1642386 Title: At least one invalid signature was encountered. To manage

[Bug 1642386] Re: At least one invalid signature was encountered.

2017-01-11 Thread Launchpad Bug Tracker
This bug was fixed in the package apt - 1.2.18
---
apt (1.2.18) xenial; urgency=high
  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue (LP: #1647467)
  * gpgv: Flush the files

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-12-13 Thread Seth Arnold
Thanks Julian! I tested the apt 1.2.18 packages and found the results far more pleasing:
...
Fetched 1,688 kB in 2s (685 kB/s)
Reading package lists... Done
W: http://mirrors.kernel.org/ubuntu/dists/xenial/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ddebs.gpg

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-12-13 Thread Adam Conrad
Hello Seth, or anyone else affected, Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.18 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-12-02 Thread Robie Basak
** Description changed: + [Summary] + + A regression in apt in Xenial 1.2.15 causes "apt-get update" to fail + with "At least one invalid signature was encountered." if there are + files in /etc/apt/trusted.gpg.d/ that are not readable by the _apt user. + + This has the consequence of getting

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-23 Thread Julian Andres Klode
Notably the first commit just causes the thing to fail silently, the second one makes apt forward the warning on an update.

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-23 Thread Julian Andres Klode
Uploaded 1.2.17 to xenial-proposed
apt (1.2.17) xenial; urgency=medium
  [ David Kalnischkies ]
  * apt-key: warn instead of fail on unreadable keyrings (LP: #1642386)
  * show apt-key warnings in apt update (Closes: 834973)
  [ Julian Andres Klode ]
  * test-releasefile-verification:

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-22 Thread Myk Dowling
> You can fix your permissions on your trusted.gpg and trusted.gpg.d files in /etc/apt, so that the files are world-readable (chmod ugo+r /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d -R) [or give access to root and _apt via acls].
That has been successful for me.

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-21 Thread Julian Andres Klode
Thanks for verifying. I should have the final update ready within the next 16-48 hours.

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-21 Thread Seth Arnold
Julian, I modified the script.sh to include the following line:
sudo LD_LIBRARY_PATH=$PWD/build/bin/ ./build/bin/apt-get update -o Dir::Bin::Apt-Key="$PWD/build/bin/apt-key" -o Dir::Bin::Methods="$PWD/build/bin/methods/" 2>&1 | tee update.log
When run from remotes/julian/for-1.2/apt-key I get

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-21 Thread Seth Arnold
Julian, looks like you win this year's remote-debugging-via-crystal-ball award!
$ find /etc/apt -ls | grep sarnold
2572875 4 -rw--- 1 sarnold sarnold 1740 Mar 23 2016 /etc/apt/trusted.gpg.d/ddebs.gpg
Well done :D
Thanks

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-19 Thread Julian Andres Klode
But of course: If you safely want to get apt 1.2.17 via apt 1.2.15, you have to have correct permissions first - otherwise your old apt won't see the new apt.

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-19 Thread Julian Andres Klode
You can fix your permissions on your trusted.gpg and trusted.gpg.d files in /etc/apt, so that the files are world-readable (chmod ugo+r /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d -R) [or give access to root and _apt via acls]. You don't have to do that, though - it will start "working" again in

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-19 Thread Myk Dowling
Is there something we Xenial users need to do to resolve this?

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-19 Thread Julian Andres Klode
OK, the reason this happens is that some of your key files are not readable (I'm not sure, but it might be running as _apt). The commit mentioned introduced a regression in that it does not ignore failures from unreadable key files. This was fixed in 1.3~rc3 in commit

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-19 Thread Julian Andres Klode
Ah, apt-key explains it. We did not catch that in the bisect correctly, as I forgot to specify -o Dir::Bin::apt-key=$PWD/build/bin/apt-key :/
This means it is a regression introduced in:
commit b515fe3a0012c1f155dbf6a4199e919fec102578
Author: David Kalnischkies
Date:

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-18 Thread Seth Arnold
Julian, thanks for your patience. I'm not able to offer a shell on the affected machine, so debugging this is just going to have to go at a snail's pace. I read strace and ltrace logs from both 1.2.12-ish and 1.2.15 apt packages and narrowed it down to /usr/bin/apt-key. When I use the

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-18 Thread Julian Andres Klode
Yeah, valgrind is a bit noisy always because we are building the cache in memory before (1) writing it to the disk and the write includes unused regions and (2) we are hashing the entire thing before writing it, including the uninitialised bytes. So that means while we do have a few uninitialized

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-17 Thread Seth Arnold
Turns out the valgrind messages aren't regressions either. Here's the older apt packages again which seemed to work okay:
==25043==
==25043== HEAP SUMMARY:
==25043== in use at exit: 13,118,211 bytes in 170,033 blocks
==25043== total heap usage: 626,066 allocs, 456,033 frees, 69,255,845

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-17 Thread Seth Arnold
On a whim I ran apt-get update through valgrind:
==22064==
==22064== HEAP SUMMARY:
==22064== in use at exit: 695,606 bytes in 7,018 blocks
==22064== total heap usage: 67,584 allocs, 60,566 frees, 18,503,180 bytes allocated
==22064==
==22064== LEAK SUMMARY:
==22064== definitely lost: 0

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-17 Thread Seth Arnold
I reinstalled the latest xenial packages:
ii apt 1.2.15 amd64 commandline package manager
ii apt-transport-https 1.2.15 amd64 https download transport for APT
ii libapt-inst2.0:amd64 1.2.15 amd64 deb

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-17 Thread Seth Arnold
The files in partial/ don't look too damning:
root@hunt:/var/lib/apt/lists/partial# file *
ftp.debian.org_debian_dists_jessie-updates_contrib_source_Sources: empty
ftp.debian.org_debian_dists_wheezy-updates_contrib_source_Sources: empty

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-17 Thread Seth Arnold
Based on the funny git results, I re-installed the packages:
3243aa899fcf2f09b910b7429eeae6205a71c379a45c0e8e31723836bb094163 apt_1.2.12~ubuntu16.04.1_amd64.deb
5b9a82b1dc1f82fc3655038336d099410d643d5188629aba475050d7f9bd99c3 apt-transport-https_1.2.12~ubuntu16.04.1_amd64.deb

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Julian Andres Klode
What we see from your debug output is that gpgv is not returning any sensible information:
Summary:
  Good:
  Bad:
  Worthless:
  SoonWorthless:
  NoPubKey:
You could try running apt-key verify manually on a few InRelease files (like apt-key verify

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Julian Andres Klode
First thanks for the files. Unfortunately, I can't reproduce it with the files either. It must be a fairly system-specific bug.
> HEAD is now at 235347e... Release 1.2.12
> $ make fast
> [... with errors]
Whoa, if it happens with the 1.2.12 checkout too, then something else seems wrong. I picked

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
I'm skeptical of the git bisect results:
$ git checkout cde5b485c9cdf0bfd5b6ea8e4973abe378270e60^
Previous HEAD position was cde5b48... fail instead of segfault on unreadable config files
HEAD is now at 235347e... Release 1.2.12
$ make fast
Compiling cachefile.cc to

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
And the results of git bisect, thanks for the excellent instruction and script!
cde5b485c9cdf0bfd5b6ea8e4973abe378270e60 is the first bad commit
commit cde5b485c9cdf0bfd5b6ea8e4973abe378270e60
Author: David Kalnischkies
Date: Fri May 20 09:37:24 2016 +0200
fail

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
Tarball of /etc/apt and /var/lib/apt ** Attachment added: "Tarball of /etc/apt and /var/lib/apt" https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1642386/+attachment/4778362/+files/apt-etc-and-var.tar.xz

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
393c61b8e29bd1923a5fe8abf4690c24e7f498aa8a4f5954a6a87da7d05a0bef apt-etc-and-var.tar.xz

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
sarnold@hunt:/var/lib/apt$ sudo mv lists lists.old
sarnold@hunt:/var/lib/apt$ sudo apt-get update
Get:1 http://mirrors.kernel.org/ubuntu xenial InRelease [247 kB]
Get:2 http://mirrors.kernel.org/ubuntu xenial-updates InRelease [95.7 kB]
Get:3

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
apt-get update -o Debug::Acquire::gpgv=1 ** Attachment added: "apt-get update -o Debug::Acquire::gpgv=1" https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1642386/+attachment/4778350/+files/debug-gpgv

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Julian Andres Klode
Oh, you may also want to try moving lists/ out of the way and running apt update again. And perhaps send me a tarball of /var/lib/apt and /etc/apt - then I might have luck reproducing it. If you want to, you could try bisecting this in the apt git repo, starting with
git bisect start
git bisect

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Julian Andres Klode
Your coworker seems to have caught a crash in appstream, BTW, not in apt. Not sure why the files fail their hashes or have no sections in them, though. ** Changed in: apt (Ubuntu) Assignee: (unassigned) => Julian Andres Klode (juliank)

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Julian Andres Klode
** Changed in: apt (Ubuntu) Importance: Undecided => High

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Julian Andres Klode
It works perfectly fine for me. Can you re-run this with: -o Debug::Acquire::gpgv=1 ** Changed in: apt (Ubuntu) Status: New => Incomplete

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
I was too hasty -- apt appears to still function (e.g. apt-get install expat, apt-get purge expat, installed an expat from the -updates pocket and removed it again). It's just insanely ugly warnings on the apt-get update step, and maybe(?) new lists can't be downloaded. Anyway it's more nuanced

[Bug 1642386] Re: At least one invalid signature was encountered.

2016-11-16 Thread Seth Arnold
The full run, showing apt working a few seconds before it fails, and no errors in dmesg. ** Attachment added: "terminal-log" https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1642386/+attachment/4778315/+files/terminal-log