[Bug 1694474] Re: [cloud-archive] GPG signature invalid: BADSIG

Chris MacNaughton 1694474 at bugs.launchpad.net
Fri Sep 4 08:16:37 UTC 2020 

I believe that this has also been finally resolved with
https://bugs.launchpad.net/cloud-archive/+bug/1772060

** Changed in: cloud-archive
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1694474

Title:
  [cloud-archive] GPG signature invalid: BADSIG

Status in Ubuntu Cloud Archive:
  Fix Released

Bug description:
  
  Summary
  =======
  UCA returns GPG error (BADSIG) on minute 50-59 (fifity-something), so it fails to install "unauthenticated" packages.

  There might be a cron job running on UCA repo within 50-59 min of each
  hour? Or perhaps a maintenance script that is causing GPG keys to be
  invalid during that short time ?

  This is OK when running manually, so you can retry minutes later and
  it works. However, It impacts OpenStack CI, which runs 24x7 per-patch
  basis jobs, in an automated and atomically way.

  Note: We observed that this happens always in the minute 50-59, and
  has not happened in a minute out of this range (0-49).

  Note2: This could be reproduced out of our labs (At Unicamp's Mini
  cloud for example), in a totally different network.

  Note3: Allowing unauthenticated packages is not desired.

  Arch=ppc64le
  Ubuntu=Xenial
  UCA=Ocata

  
  Steps to reproduce
  ==================
  - On a ppc64le machine (Power8), running xenial
  - at min 50-59 (fifty-something), add UCA repo (Ubuntu Cloud Archive)
  $ sudo add-apt-repository -y cloud-archive:ocata
  - Update apt repos
  $ sudo apt-get update
  - GPG error (BADSIG) is seen
  GPG error: http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release: The following signatures were invalid: BADSIG 5EDB1B62EC4926EA Canonical Cloud Archive Signing Key <ftpmaster at canonical.com>
  - install openvswitch-switch
  $ sudo apt-get install openvswitch-switch
  E: There were unauthenticated packages and -y was used without --allow-unauthenticated

  
  Output
  ======
  2017-05-25 16:50:47.324 | ++ functions-common:apt_get_update:1050     :   timeout 300 sh -c 'while ! sudo http_proxy= https_proxy= no_proxy=  apt-get update; do sleep 30; done'
  2017-05-25 16:50:47.551 | Ign:1 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata InRelease
  2017-05-25 16:50:47.561 | Hit:2 http://ports.ubuntu.com/ubuntu-ports xenial InRelease
  2017-05-25 16:50:47.639 | Get:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release [7882 B]
  2017-05-25 16:50:47.643 | Get:4 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release.gpg [543 B]
  2017-05-25 16:50:47.652 | Hit:5 http://ports.ubuntu.com/ubuntu-ports xenial-updates InRelease
  2017-05-25 16:50:47.742 | Hit:6 http://ports.ubuntu.com/ubuntu-ports xenial-backports InRelease
  2017-05-25 16:50:47.824 | Ign:4 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release.gpg
  2017-05-25 16:50:47.835 | Hit:7 http://ports.ubuntu.com/ubuntu-ports xenial-security InRelease
  2017-05-25 16:50:47.916 | Get:8 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata/main ppc64el Packages [145 kB]
  2017-05-25 16:50:47.990 | Fetched 154 kB in 0s (240 kB/s)
  2017-05-25 16:50:48.647 | Reading package lists...
  2017-05-25 16:50:48.676 | W: GPG error: http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release: The following signatures were invalid: BADSIG 5EDB1B62EC4926EA Canonical Cloud Archive Signing Key <ftpmaster at canonical.com>
  2017-05-25 16:50:48.676 | W: The repository 'http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata Release' is not signed.

  
  ...

  2017-05-25 16:51:50.654 | + functions-common:real_install_package:1263 :   apt_get install fakeroot make openvswitch-switch
  2017-05-25 16:51:50.672 | + functions-common:apt_get:1076            :   sudo DEBIAN_FRONTEND=noninteractive http_proxy= https_proxy= no_proxy= apt-get --option Dpkg::Options::=--force-confold --assume-yes install fakeroot make openvswitch-switch
  2017-05-25 16:51:50.709 | Reading package lists...
  2017-05-25 16:51:50.834 | Building dependency tree...
  2017-05-25 16:51:50.835 | Reading state information...
  2017-05-25 16:51:50.934 | fakeroot is already the newest version (1.20.2-1ubuntu1).
  2017-05-25 16:51:50.934 | fakeroot set to manually installed.
  2017-05-25 16:51:50.934 | make is already the newest version (4.1-6).
  2017-05-25 16:51:50.934 | The following NEW packages will be installed:
  2017-05-25 16:51:50.934 |   openvswitch-common openvswitch-switch python-six
  2017-05-25 16:51:50.946 | 0 upgraded, 3 newly installed, 0 to remove and 14 not upgraded.
  2017-05-25 16:51:50.946 | Need to get 2047 kB of archives.
  2017-05-25 16:51:50.946 | After this operation, 12.0 MB of additional disk space will be used.
  2017-05-25 16:51:50.946 | WARNING: The following packages cannot be authenticated!
  2017-05-25 16:51:50.946 |   openvswitch-common openvswitch-switch
  2017-05-25 16:51:50.947 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated

  Logs taken from:
  http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/nova/67/465767/5/check/tempest-dsvm-full-xenial/fcf1cea/devstacklog.txt.gz
  ***This log expires

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1694474/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list