主页 / ubuntu / 问题 / 1240263
Accepted
user1283068
Asked: 2020-05-17 06:38:58 +0800 CST

如何在 apt-get 中处理“无效签名”

  • 772

在更新 Focal 之后,我不得不重新访问 /etc/apt/sources* 以更新我的第三方存储库。

Yorba PPA 的存储库之一是:https ://launchpad.net/~yorba/+archive/ubuntu/ppa

不幸的是,我不再能够从该存储库更新:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

好吧,让我们尝试解决这个问题 - 首先删除我已经拥有的密钥:

$ sudo rm -f /etc/apt/trusted.gpg.d/yorba_ubuntu_ppa.gpg
$ sudo apt-get update
[..truncated..]

W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 10975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

接下来,再次从 ubuntu 密钥服务器获取密钥:

$ sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
Executing: /tmp/apt-key-gpghome.RKi7hJu0jl/gpg.1.sh --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
gpg: key 10975893E549B1AC: public key "Launchpad yorba" imported
gpg: Total number processed: 1
gpg:               imported: 1

现在一切都应该好了,对吧?错误的。与我们开始时的结果相同:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

有人知道我在这里做错了什么吗?Yorba PPA 有什么根本性的问题吗?

-迈克尔

updates ppa apt signature

2 个回答

  1. Best Answer

    Yorba PPA 有什么根本性的问题吗?

    除了古董?... 不。

    好吧,这正是这里的问题。

    请注意,签名本身很好:

    % gpg --no-default-keyring --keyring ./key.gpg --verify Release.gpg Release
gpg: Signature made Tue 31 Mar 2015 07:20:40 JST
gpg:                using RSA key 10975893E549B1AC
gpg: Good signature from "Launchpad yorba" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 90B0 64CA E4CB A8A6 C34F  04D1 1097 5893 E549 B1AC

    但它的制作方式不再合适:

    % gpg --list-packets Release.gpg                                           
# off=0 ctb=88 tag=2 hlen=2 plen=156
:signature packet: algo 1, keyid 10975893E549B1AC
    version 4, created 1427754040, md5len 0, sigclass 0x00
    digest algo 2, begin of digest e2 e8
    hashed subpkt 2 len 4 (sig created 2015-03-30)
    subpkt 16 len 8 (issuer key ID 10975893E549B1AC)
    data: [1018 bits]

    digest algo 2是 SHA-1,它不再被认为是安全的,现在使用 SHA-1 进行签名是错误Release的。

    这没有什么新鲜事。这已经是 16.04 中的警告(如何修复 apt:密钥签名使用弱摘要算法(SHA1)?):

    # apt update
...
W: http://ppa.launchpad.net/yorba/ppa/ubuntu/dists/vivid/Release.gpg: Signature by key 90B064CAE4CBA8A6C34F04D110975893E549B1AC uses weak digest algorithm (SHA1)

    并在 18.04 中返回与 20.04 中相同的错误。

    • 1

  2. 您可以简单地禁用此 PPA,因为它不为您的 Ubuntu 20.04 LTS 版本提供软件包。

    利用

    sudo add-apt-repository -r ppa:yorba/ppa

    然后像往常一样运行sudo apt-get updatesudo apt-get upgrade

    • 0

相关问题