How to handle "invalid signature" in apt-get

After upgrading to Focal, I had to revisit /etc/apt/sources* to update my third-party repositories.

One of those repositories is for the Yorba PPA, at: https://launchpad.net/~yorba/+archive/ubuntu/ppa

Unfortunately, I can no longer update from that repository:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

OK, let's try to fix this. First, remove the key I already have:

$ sudo rm -f /etc/apt/trusted.gpg.d/yorba_ubuntu_ppa.gpg
$ sudo apt-get update
[..truncated..]

W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 10975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Next, fetch the key again from the Ubuntu keyserver:

$ sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
Executing: /tmp/apt-key-gpghome.RKi7hJu0jl/gpg.1.sh --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
gpg: key 10975893E549B1AC: public key "Launchpad yorba" imported
gpg: Total number processed: 1
gpg:               imported: 1

Now everything should be ready, right? Wrong. The result is the same as when we started:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Does anyone know what I'm doing wrong? Is there something fundamentally wrong with the Yorba PPA?

-Michael

Answer 1

Is there something fundamentally wrong with the Yorba PPA?

Other than it being ancient? ... No.

Well, that is exactly the problem.

Note that the signature itself is fine:

% gpg --no-default-keyring --keyring ./key.gpg --verify Release.gpg Release
gpg: Signature made Tue 31 Mar 2015 07:20:40 JST
gpg:                using RSA key 10975893E549B1AC
gpg: Good signature from "Launchpad yorba" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 90B0 64CA E4CB A8A6 C34F  04D1 1097 5893 E549 B1AC

But the way it was made no longer works:

% gpg --list-packets Release.gpg
# off=0 ctb=88 tag=2 hlen=2 plen=156
:signature packet: algo 1, keyid 10975893E549B1AC
    version 4, created 1427754040, md5len 0, sigclass 0x00
    digest algo 2, begin of digest e2 e8
    hashed subpkt 2 len 4 (sig created 2015-03-30)
    subpkt 16 len 8 (issuer key ID 10975893E549B1AC)
    data: [1018 bits]

digest algo 2 is SHA-1, which is no longer considered secure, and a Release signed with SHA-1 is now an error.

This is nothing new. There was already a warning in 16.04 (How do I fix apt: key signature uses weak digest algorithm (SHA1)?):

# apt update
...
W: http://ppa.launchpad.net/yorba/ppa/ubuntu/dists/vivid/Release.gpg: Signature by key 90B064CAE4CBA8A6C34F04D110975893E549B1AC uses weak digest algorithm (SHA1)

and 18.04 returns the same error as 20.04.
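To make the answer's `gpg --list-packets` reasoning reproducible without GnuPG, here is an added example (not part of the question or either answer) that parses a binary OpenPGP detached signature such as Release.gpg and reports the hash algorithm apt objects to. The sample bytes are constructed to match the packet dumped above field by field (old-format header, v4, RSA, digest algo 2, creation time 1427754040, issuer key ID 10975893E549B1AC); the 128-byte RSA signature body is zero filler, so the sample is not a real signature, and the script checks only the digest algorithm, not signature validity. The function names are mine, not apt's or GnuPG's.

```python
"""Audit a Release.gpg signature packet for a weak digest algorithm (added example)."""
import struct
import sys

# RFC 4880 hash algorithm IDs; apt rejects MD5 and SHA-1 signed Release files.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_HASH_IDS = {1, 2}

# Constructed sample reproducing the yorba Release.gpg packet from the answer.
SAMPLE_RELEASE_GPG = bytes.fromhex(
    "88 9c"                            # ctb: old format, tag 2, 1-byte length; plen 156
    "04 00 01 02"                      # v4, sigclass 0x00, pubkey algo 1 (RSA), hash algo 2 (SHA1)
    "00 06"                            # hashed subpacket area length
    "05 02 55 19 cc 38"                # subpkt 2 (sig created) = 1427754040
    "00 0a"                            # unhashed subpacket area length
    "09 10 10 97 58 93 e5 49 b1 ac"    # subpkt 16 (issuer key ID 10975893E549B1AC)
    "e2 e8"                            # left 16 bits of the digest
    "03 fa"                            # MPI bit length 1018
    + "00" * 128)                      # MPI body: filler, not a real signature


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the first OpenPGP packet."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of CTB clear)")
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def parse_subpackets(area):
    """Return [(type, value)] for every subpacket in a v4 signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        sub_type = area[i] & 0x7F        # top bit is the "critical" flag
        out.append((sub_type, area[i + 1:i + length]))
        i += length
    return out


def parse_signature(data):
    """Parse a v4 signature packet into a dict of the fields apt cares about."""
    tag, off, plen = parse_packet_header(data)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    body = data[off:off + plen]
    if len(body) != plen:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    sig_class, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    info = {"sig_class": sig_class,
            "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, str(pk_algo)),
            "hash_algo": HASH_ALGOS.get(hash_algo, str(hash_algo)),
            "weak_digest": hash_algo in WEAK_HASH_IDS}
    for sub_type, value in parse_subpackets(hashed) + parse_subpackets(unhashed):
        if sub_type == 2:
            info["created"] = struct.unpack(">I", value)[0]
        elif sub_type == 16:
            info["issuer_keyid"] = value.hex().upper()
    return info


def audit(data):
    """Return (ok, message) mirroring apt's weak-digest verdict for this signature."""
    info = parse_signature(data)
    who = info.get("issuer_keyid", "<unknown key>")
    if info["weak_digest"]:
        return False, f"signature by key {who} uses weak digest algorithm ({info['hash_algo']})"
    return True, f"signature by key {who} uses {info['hash_algo']}"


if __name__ == "__main__":
    # Usage: python audit_release_gpg.py [path/to/Release.gpg]; defaults to the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RELEASE_GPG
    ok, msg = audit(blob)
    print(("OK: " if ok else "REJECT: ") + msg)
    sys.exit(0 if ok else 1)
```

Pointed at the files under /var/lib/apt/lists/*_Release.gpg, this gives the same per-repository verdict as the apt warning quoted above, so a stale SHA-1 signed source can be identified before `apt-get update` fails on it. Note that apt only reaches the digest check after the key is known; with the key removed, as in the question's second attempt, the error is NO_PUBKEY instead, which is why re-importing the key brought the original "signatures were invalid" message straight back.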

Answer 2

You can simply disable this PPA, because it provides no packages for your Ubuntu 20.04 LTS release.

Use

sudo add-apt-repository -r ppa:yorba/ppa

and then run sudo apt-get update and sudo apt-get upgrade as usual.
