Opened 5 years ago

Closed 5 years ago

#862 closed defect (fixed)

Ubuntu Trusty Release.gpg contains random data

Reported by: JohannesEbke@…
Owned by:
Priority: minor
Milestone:
Component: nginx-package
Version:
Keywords:
Cc:
uname -a:
nginx -V: Irrelevant

Description

Hello,

I tried to update recently from the Ubuntu packages, and it seems to me that

http://nginx.org/packages/ubuntu/dists/trusty/Release.gpg

contains seemingly random data instead of the expected gpg signature. apt-get update fails to interpret the file as well.

I sincerely hope that this is not security-relevant data or indicates an attack on the nginx.org package server, but in case it is, I have opened this issue with high priority.

Cheers,
Johannes Ebke

Change History (5)

comment:1 by thresh, 5 years ago

Hello,

Release.gpg is expected to contain a non-armored signature.

$ sha256sum Release.gpg
33f5cd69379d9913b97d7ed0c785349c9f3d02fa12087915c112bef6f95341d1 Release.gpg

Can you show how apt errors out on you? Tests here show the file is just fine.

Thanks!

comment:2 by JohannesEbke@…, 5 years ago

Sorry, I just re-tested it with a proper apt and realized the errors I was seeing came from Aptly (http://www.aptly.info/). I opened some other Release.gpg files up and they are all ASCII-armored, e.g. https://get.docker.io/ubuntu/dists/docker/Release.gpg, so I was not expecting an unarmored signature.

I will file a bug with aptly that they also work with unarmored signatures.
Thank you for the quick response!

For reference and others who might google this error:

Updating mirror nginx-repo...
Downloading http://nginx.org/packages/ubuntu/dists/trusty/InRelease...
Downloading http://nginx.org/packages/ubuntu/dists/trusty/Release...
Downloading http://nginx.org/packages/ubuntu/dists/trusty/Release.gpg...
ERROR: unable to update: malformed stanza syntax

comment:3 by thresh, 5 years ago

Component: other → nginx-package
Priority: blocker → minor
Resolution: invalid
Status: new → closed

No worries.

comment:4 by martinhoefling@…, 5 years ago

Resolution: invalid
Status: closed → reopened

The actual issue has not been resolved.

There seem to be missing colons in the Release file.

cf. https://github.com/smira/aptly/issues/328

Last edited 5 years ago by martinhoefling@…

comment:5 by Andrei Belov, 5 years ago

Resolution: fixed
Status: reopened → closed

Fixed, thanks for spotting this.
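
An added example (not part of the ticket, and not nginx or aptly code): a header-only check, following the OpenPGP packet framing of RFC 4880, that tells an ASCII-armored detached signature from a binary one such as the Release.gpg discussed in comment 1, and both from unrelated bytes. The function names are hypothetical and the sample byte strings are constructed; it does not verify the signature, which remains the job of a tool such as gpgv.

```python
"""Classify a detached OpenPGP signature file (e.g. Release.gpg) by its framing."""

ARMOR_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
SIGNATURE_TAG = 2  # OpenPGP packet tag of a Signature packet (RFC 4880, 4.3)


def _packet_header(data: bytes):
    """Return (tag, header_len, body_len) for the first packet, or None."""
    if len(data) < 2 or not data[0] & 0x80:    # bit 7 is set in every packet header
        return None
    first = data[0]
    if first & 0x40:                           # new-format header, tag in bits 5-0
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224 and len(data) >= 3:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255 and len(data) >= 6:
            return tag, 6, int.from_bytes(data[2:6], "big")
        return None                            # partial lengths are for data packets only
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if length_type == 3:                       # indeterminate length, not expected here
        return None
    n = 1 << length_type                       # 1, 2 or 4 length octets
    if len(data) < 1 + n:
        return None
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")


def classify_signature(data: bytes) -> str:
    """Return 'armored', 'binary' or 'unrecognized'. Does NOT verify anything."""
    if data.lstrip().startswith(ARMOR_BEGIN):
        return "armored"
    header = _packet_header(data)
    if header is None:
        return "unrecognized"
    tag, header_len, body_len = header
    body = data[header_len:header_len + body_len]
    # Require tag 2, a complete body, and an RFC 4880 version octet (3 or 4).
    if tag != SIGNATURE_TAG or len(body) != body_len or not body or body[0] not in (3, 4):
        return "unrecognized"
    return "binary"


# Constructed samples: packet header plus first body octets, not real signatures.
SAMPLE_BINARY_OLD = bytes([0x89, 0x00, 0x04, 0x04, 0x00, 0x01, 0x08])
SAMPLE_BINARY_NEW = bytes([0xC2, 0x04, 0x04, 0x00, 0x01, 0x08])
SAMPLE_ARMORED = b"-----BEGIN PGP SIGNATURE-----\n\n(constructed)\n-----END PGP SIGNATURE-----\n"
SAMPLE_GARBAGE = bytes([0x13, 0x37, 0x00, 0x42])
```

A result of "binary" or "armored" only says the file is framed like a signature; whether it is a valid signature over Release still has to be checked against the repository's public key.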
