我的私人软件包存储库在 Ubuntu 14 LTS 中验证成功,但在 Ubuntu 18 LTS 中验证失败。
我未能找到导致不同行为的 Ubuntu 版本之间的差异。
# Hostname, User, Password, Directory, Distribution, Component and Signature are my
# private values in the following code snippets:
apt-get update
Err:2 http://Hostname/Directory Distribution InRelease
The following signatures were invalid: Signature
适当配置:
cat /etc/apt/sources.list.d/Distribution.list
deb [arch=amd64] http://User:Password@Hostname/Directory/ Distribution Component
下载InRelease文件并手动验证其签名成功(Ubuntu 14 和 Ubuntu 18 上的结果相同):
wget --server-response -O- http://User:Password@Hostname/Directory/dists/Distribution/InRelease > ./InRelease
gpg --verify --keyring /etc/apt/trusted.gpg.d/Distribution.gpg ./InRelease
gpg: Signature made ...
gpg: using RSA key ...
gpg: Good signature from "..." [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: SameSignatureAsInTheAptGetOutputAbove
我该如何调试以找到根本原因?
答案1
错误是由于 Ubuntu 18 的新版本默默拒绝不安全的 SHA-1 签名而导致的。apt似乎都gpg无法apt对过时的签名算法给出明确的警告。(如果有人知道如何产生这样的警告,请在此处发表评论。)
解决方法是将其放入digest-algo sha256包~/.gnupg/gpg.conf构建aptly服务器。在https://github.com/aptly-dev/aptly/pull/366apt。生成的 SHA-256 签名与 Ubuntu 14 和 18兼容。
长期解决方案是升级aptly构建存储库的版本。