[Bug 1553121] Re: Xenial preseed fails to load key for 3rd party repo with apt-setup/local0/key
Lars Kollstedt
lk at man-da.de
Mon May 2 21:24:30 UTC 2016
On Monday, 2. May 2016, 16:13:37 I wrote:
> As far as I know ~anders-kaseorg should be right in Bug #1556666. The
> keys are statically imported to the trusted-Keychain. The SHA-1 o
> signature isn't used for any verification in any apt mechanisms I know.
> For this reason the warning in the output of apt-get update should be
> more than enough.
On Monday, 2. May 2016, 18:14:00 I wrote:
> | W:
[...]
> | Signature by key 882F7199B20F94BD7E3E690EFADD8D64B1275EA3 uses
> | weak digest algorithm (SHA1)
On Monday, 2. May 2016, 18:14:00 I wrote:
> IMHO for nothing!
Hi all,
another correction to the backgrounds of the SHA-1 stuff. Someting missleads me
the SHA-1 signature on the key to be the security issue.
It's the signature in the Release.gpg / InRelease file that causes the issue.
For more details:
http://www.cs.umd.edu/~jkatz/papers/pgp-attack.pdf
Exchanging the Key would be usefull to make old signatures worthless for
future attacks. But the key itself is not / or at least should not be the
cause of this message. ;-)
That would mean that the lines in gpg.conf should probably fix that, if
exchanging the key is not an option. If you're doing this, you must hope
nobody can find old signatures of your key.
An hash collision atack (the length attack is a special case of this) isn't an
easy attack, but for distributing malware as security update via an
compromised or malvious mirror server this isn't impossible someone does.
For this it's reasonable to warn or disable this by default with an error
message.
Now, from background informations back to the bug...
Of course this does'nt change the following...
On Monday, 2. May 2016, 16:13:37 I wrote:
> In our case netboot install failed with a "no suitable kernel found with
> your apt settings" (message text written down from memory), when our
> internal software repository was included to bootstrap our deployment
> environment.
[...]
> IMHO this should at least be catched with a propper error message.
On Monday, 2. May 2016, 18:14:00 I wrote:
> Or people are simply
> deploying the repository URL via preseed and get weired errors, now.
>
> At least the last case *should* be fixed, since this will burn a lot of
> time.
And I didn't mean my time, I know this Bug, now. ;-) :-D
As mentioned in my previos messages, I tried to find the lines causing this but
without success, or at least without being able to reproduce this with the
eqations of the binarys in an usual xenial installation (the scripts would
IMHO run with the udeb eqations of gpgv and apt-get - I asummed they're
behaving equally but do they?).
This is'nt really easy to trobleshoot because there are mutiple special
packages for installation and bootstraping playing together. ;-)
Kind regards,
Lars
--
man-da.de GmbH, AS8365 Phone: +49 6151 16-71027
Mornewegstraße 30 Fax: +49 6151 16-71198
D-64293 Darmstadt e-mail: lk at man-da.de
Geschäftsführer Marcus Stögbauer AG Darmstadt, HRB 94 84
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1553121
Title:
Xenial preseed fails to load key for 3rd party repo with apt-
setup/local0/key
Status in apt-setup package in Ubuntu:
Confirmed
Status in base-installer package in Ubuntu:
Confirmed
Bug description:
I have an automated preseed installation that uses these lines to add
custom repos during the installation:
d-i apt-setup/local0/repository string deb http://jschule.github.io/ubuntu/ /
d-i apt-setup/local0/comment string JTS local repository
d-i apt-setup/local0/source boolean false
d-i apt-setup/local0/key string http://jschule.github.io/ubuntu/repo.key
d-i apt-setup/local1/repository string deb http://dl.google.com/linux/chrome/deb/ stable main
d-i apt-setup/local1/comment string Google Chrome Browser
d-i apt-setup/local1/source boolean false
d-i apt-setup/local1/key string http://dl.google.com/linux/linux_signing_key.pub
(seehttps://github.com/jschule/ubuntu/blob/d46f1cef49ed71dc4bfe317119cccd3f39097ef4/preseed/jts.txt
for complete preseed file that causes the problem).
In xenial the installation fails because the GPG key for the local0
repo is not loaded into the system so that it can be used (see
screenshot). Strangely, "chroot /target apt-key list" shows the key
9E62229E to be installed.
Just to be sure that there is no problem with my repo and key I
started the Xenial live CD and installed my repo there manually. All
works well. IMHO this shows that the problem is clearly related to the
automated installation with preseed.
Maybe this is related to #1512347, that was the only thing I could
find on Launchpad that is in the same area.
If you want to reproduce this then you can checkout the scripts from
https://github.com/jschule/ubuntu/tree/gh-pages/qemu and run "./run.sh
xenial" to start my installation.
I found a very ugly workaround by changing the apt-setup lines to
this:
d-i apt-setup/local0/repository string deb http://archive.canonical.com/ubuntu trusty partner
d-i apt-setup/local0/source boolean false
d-i apt-setup/local1/repository string deb http://jschule.github.io/ubuntu/ /
d-i apt-setup/local1/comment string JTS local repository
d-i apt-setup/local1/source boolean false
d-i apt-setup/local1/key string http://jschule.github.io/ubuntu/repo.key
d-i apt-setup/local2/repository string deb http://dl.google.com/linux/chrome/deb/ stable main
d-i apt-setup/local2/comment string Google Chrome Browser
d-i apt-setup/local2/source boolean false
d-i apt-setup/local2/key string http://dl.google.com/linux/linux_signing_key.pub
I suppose that the workaround works because now the local0 repo is one
where the signing key is already part of Ubuntu. I just hope that
there is no package in the trusty partner repo that is not also in the
xenial partner repo.
For me it is very important that you fix this bug before 16.04 is
released so that I can continue to use Ubuntu with an automated setup.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt-setup/+bug/1553121/+subscriptions
More information about the foundations-bugs
mailing list