Opened 9 years ago
Closed 9 years ago
#862 closed defect (fixed)
Ubuntu Trusty Release.gpg contains random data
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-package | Version: | |
Keywords: | Cc: | ||
uname -a: | |||
nginx -V: | Irrelevant |
Description
Hello,
I tried to update recently from the ubuntu packages, and it seems to me that
http://nginx.org/packages/ubuntu/dists/trusty/Release.gpg
contains seemingly random data instead of the expected gpg signature. apt-get update fails to interpret the file as well.
I sincerely hope that this is not security-relevant data or indicates an attack on the nginx.org package server, but in case it is, I have opened this issue with high priority.
Cheers,
Johannes Ebke
Change History (5)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Sorry, I just re-tested it with a proper apt and realized the errors I was seeing came from Aptly (http://www.aptly.info/). I openend some other Release.gpg up and they are all ASCII-Armored, e.g. https://get.docker.io/ubuntu/dists/docker/Release.gpg so I was not expecting an unarmored signature.
I will file a bug with aptly that they also work with unarmored signatures.
Thank you for the quick response!
For reference and others who might google this error:
Updating mirror nginx-repo...
Downloading http://nginx.org/packages/ubuntu/dists/trusty/InRelease...
Downloading http://nginx.org/packages/ubuntu/dists/trusty/Release...
Downloading http://nginx.org/packages/ubuntu/dists/trusty/Release.gpg...
ERROR: unable to update: malformed stanza syntax
comment:3 by , 9 years ago
Component: | other → nginx-package |
---|---|
Priority: | blocker → minor |
Resolution: | → invalid |
Status: | new → closed |
No worries.
comment:4 by , 9 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
The actual issue has not been resolved.
There seem to be missin colons in the Release file.
comment:5 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Fixed, thanks for spotting this.
Hello,
Release.gpg is expected to contain non-armored signature.
$ sha256sum Release.gpg
33f5cd69379d9913b97d7ed0c785349c9f3d02fa12087915c112bef6f95341d1 Release.gpg
Can you show how apt errors out on you? Tests here show the file is just fine.
Thanks!