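My private package repository verifies fine on Ubuntu 14 LTS but fails verification on Ubuntu 18 LTS.
I have not found what difference between the Ubuntu versions causes the different behavior.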
# Hostname, User, Password, Directory, Distribution, Component and Signature are my
# private values in the following code snippets:
apt-get update
Err:2 http://Hostname/Directory Distribution InRelease
The following signatures were invalid: Signature
The corresponding configuration:
cat /etc/apt/sources.list.d/Distribution.list
deb [arch=amd64] http://User:Password@Hostname/Directory/ Distribution Component
Downloading the InRelease file and verifying its signature manually succeeds (same result on Ubuntu 14 and Ubuntu 18):
wget --server-response -O- http://User:Password@Hostname/Directory/dists/Distribution/InRelease > ./InRelease
gpg --verify --keyring /etc/apt/trusted.gpg.d/Distribution.gpg ./InRelease
gpg: Signature made ...
gpg: using RSA key ...
gpg: Good signature from "..." [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: SameSignatureAsInTheAptGetOutputAbove
How can I debug this down to the root cause?
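The error was caused by the silent rejection of insecure SHA-1 signatures by the newer version of apt in Ubuntu 18. It seems that neither gpg nor apt is able to give a clear warning about the outdated signature algorithm. (If anyone knows how to produce such a warning, please comment here.)
The workaround was to put
digest-algo sha256
into ~/.gnupg/gpg.conf on the aptly server that builds the repository. Found at https://github.com/aptly-dev/aptly/pull/366. The resulting SHA-256 signatures are compatible with apt on both Ubuntu 14 and 18.
The long-term solution is to upgrade the version of aptly that builds the repository.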
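
One way to make the weak digest visible before apt rejects it, as an added example that is not part of the original question or answer: read the "Hash:" armor header that OpenPGP clearsigning puts at the top of InRelease. The function names and the sample files are constructed for illustration, and treating MD5 and RIPEMD160 as weak alongside SHA1 is an assumption beyond what the page states.

```shell
# Added example (not from the original post): report which digest algorithm
# an InRelease file declares in its OpenPGP clearsign header.

# Print each name from the "Hash:" armor header(s), one per line. Only the
# header block between the BEGIN line and the first blank line is read.
inrelease_hashes() {
    awk '
        { sub(/\r$/, "") }                               # tolerate CRLF files
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
        hdr && /^[ \t]*$/ { exit }                       # blank line ends headers
        hdr && /^Hash:/ {
            sub(/^Hash:[ \t]*/, "")
            n = split($0, a, /[ \t]*,[ \t]*/)            # "Hash: SHA1,SHA256"
            for (i = 1; i <= n; i++) if (a[i] != "") print toupper(a[i])
        }' "$1"
}

# Exit status: 0 = only strong digests, 1 = a weak digest is declared,
# 2 = not a clearsigned file. SHA1 is the case from this page; MD5 and
# RIPEMD160 are included as an assumption about what else is distrusted.
check_inrelease() {
    grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1" 2>/dev/null ||
        { echo "$1: not a clearsigned file"; return 2; }
    hashes=$(inrelease_hashes "$1")
    [ -n "$hashes" ] || hashes=MD5   # RFC 4880: no Hash header implies MD5
    status=0
    for h in $hashes; do
        case $h in
            SHA1|MD5|RIPEMD160) echo "$1: weak digest $h"; status=1 ;;
            *)                  echo "$1: digest $h" ;;
        esac
    done
    return $status
}

# Constructed sample: a clearsigned skeleton with a placeholder signature
# body, declaring digest $1, written to path $2.
make_sample() {
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' "Hash: $1" '' \
        'Origin: Example' '-----BEGIN PGP SIGNATURE-----' '' 'PLACEHOLDER' \
        '-----END PGP SIGNATURE-----' > "$2"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample SHA1   "$tmp/InRelease.sha1"
make_sample SHA256 "$tmp/InRelease.sha256"
check_inrelease "$tmp/InRelease.sha1"   || :
check_inrelease "$tmp/InRelease.sha256" || :
```

The header is what the signer declares; the digest algorithm actually used is recorded in the signature packet, which `gpg --list-packets ./InRelease` prints as a `digest algo` number.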