Ubuntu Trusty Release.gpg contains random data

[JohannesEbke@…]

Hello,

I tried to update recently from the ubuntu packages, and it seems to me that

​http://nginx.org/packages/ubuntu/dists/trusty/Release.gpg

contains seemingly random data instead of the expected gpg signature. apt-get update fails to interpret the file as well.

I sincerely hope that this is not security-relevant data or indicates an attack on the nginx.org package server, but in case it is, I have opened this issue with high priority.

Cheers,
Johannes Ebke

[thresh]

Hello,

Release.gpg is expected to contain non-armored signature.

$ sha256sum Release.gpg
33f5cd69379d9913b97d7ed0c785349c9f3d02fa12087915c112bef6f95341d1 Release.gpg

Can you show how apt errors out on you? Tests here show the file is just fine.

Thanks!

[JohannesEbke@…]

Sorry, I just re-tested it with a proper apt and realized the errors I was seeing came from Aptly (​http://www.aptly.info/). I openend some other Release.gpg up and they are all ASCII-Armored, e.g. ​https://get.docker.io/ubuntu/dists/docker/Release.gpg so I was not expecting an unarmored signature.

I will file a bug with aptly that they also work with unarmored signatures.
Thank you for the quick response!

For reference and others who might google this error:

Updating mirror nginx-repo...
Downloading ​http://nginx.org/packages/ubuntu/dists/trusty/InRelease...
Downloading ​http://nginx.org/packages/ubuntu/dists/trusty/Release...
Downloading ​http://nginx.org/packages/ubuntu/dists/trusty/Release.gpg...
ERROR: unable to update: malformed stanza syntax

[thresh]

No worries.

[martinhoefling@…]

The actual issue has not been resolved.

There seem to be missing colons in the Release file.

c.f. ​https://github.com/smira/aptly/issues/328

[Andrei Belov]

Fixed, thanks for spotting this.