[Bug 1694474] Re: [cloud-archive] GPG signature invalid: BADSIG

Corey Bryant corey.bryant at canonical.com
Thu Oct 19 21:08:23 UTC 2017


Hello Rafael,

Thank you for reporting this bug.

Following is a short summary of what bug #1657440 describes.

There's an hourly window when the UCA is being updated. An apt update
call during this window causes the Release file to be downloaded and
Release.gpg file to not be downloaded. The missing Release.gpg file
causes the "unauthenticated" packages.

According to bug #1657440 this issue has been partially fixed back to
xenial. The missing Release.gpg file issue still exists, however, prior
to the fix to apt in bug #1657440, the missing Release.gpg issue would
not correct until an hour had passed and another apt update was run. At
this point, an ensuing apt update call apparently resolves the issue.

So bottom line, there is still an issue but it is at least resolvable
with an ensuing apt update.

There are scripts to recreate in bug #1657440.

And here is the patch to apt for reference:
https://github.com/Debian/apt/commit/2a6d2e9c0781a0a7bb5d2aad7b8bdbee315d4461

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1694474

Title:
  [cloud-archive] GPG signature invalid: BADSIG

Status in Ubuntu Cloud Archive:
  New

Bug description:
  
  Summary
  =======
  UCA returns GPG error (BADSIG) on minute 50-59 (fifty-something), so it fails to install "unauthenticated" packages.

  There might be a cron job running on UCA repo within 50-59 min of each
  hour? Or perhaps a maintenance script that is causing GPG keys to be
  invalid during that short time?

  This is OK when running manually, so you can retry minutes later and
  it works. However, it impacts OpenStack CI, which runs 24x7 per-patch
  basis jobs, in an automated and atomic way.

  Note: We observed that this happens always in the minute 50-59, and
  has not happened in a minute out of this range (0-49).

  Note2: This could be reproduced out of our labs (at Unicamp's Mini
  cloud, for example), in a totally different network.

  Note3: Allowing unauthenticated packages is not desired.

  Arch=ppc64le
  Ubuntu=Xenial
  UCA=Ocata

  
  Steps to reproduce
  ==================
  - On a ppc64le machine (Power8), running xenial
  - at min 50-59 (fifty-something), add UCA repo (Ubuntu Cloud Archive)
  $ sudo add-apt-repository -y cloud-archive:ocata
  - Update apt repos
  $ sudo apt-get update
  - GPG error (BADSIG) is seen
  GPG error: http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release: The following signatures were invalid: BADSIG 5EDB1B62EC4926EA Canonical Cloud Archive Signing Key <ftpmaster at canonical.com>
  - install openvswitch-switch
  $ sudo apt-get install openvswitch-switch
  E: There were unauthenticated packages and -y was used without --allow-unauthenticated

  
  Output
  ======
  2017-05-25 16:50:47.324 | ++ functions-common:apt_get_update:1050     :   timeout 300 sh -c 'while ! sudo http_proxy= https_proxy= no_proxy=  apt-get update; do sleep 30; done'
  2017-05-25 16:50:47.551 | Ign:1 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata InRelease
  2017-05-25 16:50:47.561 | Hit:2 http://ports.ubuntu.com/ubuntu-ports xenial InRelease
  2017-05-25 16:50:47.639 | Get:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release [7882 B]
  2017-05-25 16:50:47.643 | Get:4 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release.gpg [543 B]
  2017-05-25 16:50:47.652 | Hit:5 http://ports.ubuntu.com/ubuntu-ports xenial-updates InRelease
  2017-05-25 16:50:47.742 | Hit:6 http://ports.ubuntu.com/ubuntu-ports xenial-backports InRelease
  2017-05-25 16:50:47.824 | Ign:4 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release.gpg
  2017-05-25 16:50:47.835 | Hit:7 http://ports.ubuntu.com/ubuntu-ports xenial-security InRelease
  2017-05-25 16:50:47.916 | Get:8 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata/main ppc64el Packages [145 kB]
  2017-05-25 16:50:47.990 | Fetched 154 kB in 0s (240 kB/s)
  2017-05-25 16:50:48.647 | Reading package lists...
  2017-05-25 16:50:48.676 | W: GPG error: http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release: The following signatures were invalid: BADSIG 5EDB1B62EC4926EA Canonical Cloud Archive Signing Key <ftpmaster at canonical.com>
  2017-05-25 16:50:48.676 | W: The repository 'http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release' is not signed.

  
  ...

  2017-05-25 16:51:50.654 | + functions-common:real_install_package:1263 :   apt_get install fakeroot make openvswitch-switch
  2017-05-25 16:51:50.672 | + functions-common:apt_get:1076            :   sudo DEBIAN_FRONTEND=noninteractive http_proxy= https_proxy= no_proxy= apt-get --option Dpkg::Options::=--force-confold --assume-yes install fakeroot make openvswitch-switch
  2017-05-25 16:51:50.709 | Reading package lists...
  2017-05-25 16:51:50.834 | Building dependency tree...
  2017-05-25 16:51:50.835 | Reading state information...
  2017-05-25 16:51:50.934 | fakeroot is already the newest version (1.20.2-1ubuntu1).
  2017-05-25 16:51:50.934 | fakeroot set to manually installed.
  2017-05-25 16:51:50.934 | make is already the newest version (4.1-6).
  2017-05-25 16:51:50.934 | The following NEW packages will be installed:
  2017-05-25 16:51:50.934 |   openvswitch-common openvswitch-switch python-six
  2017-05-25 16:51:50.946 | 0 upgraded, 3 newly installed, 0 to remove and 14 not upgraded.
  2017-05-25 16:51:50.946 | Need to get 2047 kB of archives.
  2017-05-25 16:51:50.946 | After this operation, 12.0 MB of additional disk space will be used.
  2017-05-25 16:51:50.946 | WARNING: The following packages cannot be authenticated!
  2017-05-25 16:51:50.946 |   openvswitch-common openvswitch-switch
  2017-05-25 16:51:50.947 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated

  Logs taken from:
  http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/nova/67/465767/5/check/tempest-dsvm-full-xenial/fcf1cea/devstacklog.txt.gz
  ***This log expires

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1694474/+subscriptions
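
In the log above, the devstack loop `while ! sudo ... apt-get update; do sleep 30; done` retries only on a non-zero exit, and the update that printed the BADSIG warning still let the script continue to the install step. The following is an added example, not part of the original report and not devstack's or apt's code: a wrapper that treats the signature warnings as a failed update so the retry happens before any install. `UPDATE_CMD`, `MAX_TRIES` and `RETRY_SLEEP` are hypothetical names.

```shell
#!/bin/sh
# Added example. In the log above "apt-get update" printed only W: lines for
# the bad signature and the retry loop accepted the run, so the failure
# surfaced later, at install time, as "unauthenticated packages".

# Exit 0 if the update output on stdin carries no signature warning.
# The two patterns are the "W:" lines from the log in the bug description.
apt_output_authenticated() {
    ! grep -Eq '(W|E): (GPG error: |The repository .* is not signed)'
}

# Re-run the update until its output is clean or the attempts run out.
# UPDATE_CMD, MAX_TRIES and RETRY_SLEEP are hypothetical knobs for this sketch.
apt_update_verified() {
    attempt=1
    while :; do
        # LC_ALL=C keeps apt's messages untranslated so the patterns match.
        if out=$(LC_ALL=C sh -c "${UPDATE_CMD:-apt-get update}" 2>&1) &&
           printf '%s\n' "$out" | apt_output_authenticated; then
            return 0
        fi
        # Show why this attempt was rejected.
        printf '%s\n' "$out" | grep -E 'GPG error: |is not signed' >&2 || true
        [ "$attempt" -ge "${MAX_TRIES:-5}" ] && return 1
        attempt=$((attempt + 1))
        sleep "${RETRY_SLEEP:-30}"
    done
}

# SAMPLE_BAD: lines taken from the log above (timestamps dropped).
SAMPLE_BAD="Get:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release [7882 B]
Ign:4 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release.gpg
W: The repository 'http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release' is not signed."

# SAMPLE_OK: constructed output of a clean run.
SAMPLE_OK="Hit:1 http://ports.ubuntu.com/ubuntu-ports xenial InRelease
Reading package lists..."

printf '%s\n' "$SAMPLE_BAD" | apt_output_authenticated ||
    echo "sample log: signature warning detected, update must be retried"
```

A CI script would call `apt_update_verified || exit 1` in place of the bare retry loop, so a job that hits the update window fails at the update step instead of reaching `apt-get install` with an unauthenticated index.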


