My private package repository verifies OK in Ubuntu 14 LTS but fails verification in Ubuntu 18 LTS.
I failed to find the difference in the Ubuntu releases that causes the different behavior.
```
# Hostname, User, Password, Directory, Distribution, Component and Signature are my
# private values in the following code snippets:
```

```
apt-get update
Err:2 http://Hostname/Directory Distribution InRelease
The following signatures were invalid: Signature
```

apt configuration:

```
cat /etc/apt/sources.list.d/Distribution.list
deb [arch=amd64] http://User:Password@Hostname/Directory/ Distribution Component
```

Downloading the `InRelease` file and verifying its signature manually succeeds (same result on Ubuntu 14 and Ubuntu 18):

```
wget --server-response -O- http://User:Password@Hostname/Directory/dists/Distribution/InRelease > ./InRelease
gpg --verify --keyring /etc/apt/trusted.gpg.d/Distribution.gpg ./InRelease
gpg: Signature made ...
gpg: using RSA key ...
gpg: Good signature from "..." [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: SameSignatureAsInTheAptGetOutputAbove
```
How can I debug this to the root cause?
The error is caused by the silent rejection of insecure SHA-1 signatures in the new `apt` version in Ubuntu 18. It seems that neither `gpg` nor `apt` are able to give an explicit warning about the outdated signature algorithm. (If anybody knows how to produce such a warning, please comment here.)

Workaround is to put

```
digest-algo sha256
```

into `~/.gnupg/gpg.conf` at the `aptly` package build server. Found on https://github.com/aptly-dev/aptly/pull/366. The SHA-256 signatures produced are compatible with `apt` in Ubuntu 14 and 18.

Long-term solution is to upgrade the `aptly` version that builds the repository.
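One way to get the explicit warning the answer says `gpg` and `apt` do not print, as an added example that is not part of the question or answer: parse the signature packets of a clear-signed `InRelease` file (RFC 4880 packet and v3/v4 signature layouts) and report which digest algorithm each signature actually uses, rather than trusting the informational `Hash:` armor header. The `constructed_inrelease` helper builds a fake, non-verifiable signature packet as test data so the check runs offline; on a real repository you would pass the downloaded `InRelease` text instead.

```python
import base64
import re
# OpenPGP hash algorithm IDs (RFC 4880 section 9.4); the first three are the weak ones
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}
def _packet_header(data, pos):
    """Parse one OpenPGP packet header; return (tag, header_len, body_len)."""
    first = data[pos]
    if first & 0x40:                                   # new-format header
        tag, n = first & 0x3F, data[pos + 1]
        if n < 192:
            return tag, 2, n
        if n < 224:
            return tag, 3, ((n - 192) << 8) + data[pos + 2] + 192
        raise ValueError("5-byte and partial body lengths not supported")
    ltype = first & 0x03                               # old-format header
    if ltype == 3:
        raise ValueError("indeterminate packet length not supported")
    n = (1, 2, 4)[ltype]
    return (first >> 2) & 0x0F, 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def signature_hash_algos(inrelease_text):
    """Digest algorithm of every signature packet in a clear-signed InRelease file."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                  inrelease_text, re.S)
    if not m:
        raise ValueError("no PGP signature block found")
    lines = m.group(1).split("\n")
    body = lines[lines.index("") + 1:]                 # armor headers end at the blank line
    data = base64.b64decode("".join(l for l in body if l and not l.startswith("=")))
    algos, pos = [], 0
    while pos < len(data):
        tag, hlen, blen = _packet_header(data, pos)
        pkt = data[pos + hlen:pos + hlen + blen]
        if tag == 2:                                   # signature packet
            hash_id = pkt[3] if pkt[0] >= 4 else pkt[16]   # v4/v5 vs. v3 field layout
            algos.append(HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id))
        pos += hlen + blen
    return algos
def weak_signatures(inrelease_text):
    """Digests the answer above says the apt in Ubuntu 18 silently rejects."""
    return [a for a in signature_hash_algos(inrelease_text) if a in WEAK_DIGESTS]
def constructed_inrelease(hash_id):
    """Fake clear-signed InRelease with a v4 RSA signature packet (constructed test data)."""
    sig = bytes([0x04, 0x01, 0x01, hash_id]) + bytes(6)   # version, type, RSA, digest, stub
    packet = bytes([0x88, len(sig)]) + sig                 # old-format tag 2, 1-byte length
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: %s\n\nOrigin: example\n"
            "-----BEGIN PGP SIGNATURE-----\n\n%s\n=AAAA\n-----END PGP SIGNATURE-----\n"
            % (HASH_ALGOS[hash_id], base64.b64encode(packet).decode()))
```

An `InRelease` built before the `digest-algo sha256` workaround reports `SHA1` here, one built after it reports `SHA256`.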