Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.1.12
-
None
-
Debian Testing AMD64
ii libmariadbclient18 10.1.12+maria-1~jessie amd64 MariaDB database client library
ii libmariadbclient-dev 10.1.12+maria-1~jessie amd64 MariaDB database development files
ii libmariadbd-dev 10.1.12+maria-1~jessie amd64 MariaDB embedded database, development files
ii mariadb-client-10.1 10.1.12+maria-1~jessie amd64 MariaDB database client binaries
ii mariadb-client-core-10.1 10.1.12+maria-1~jessie amd64 MariaDB database core client binaries
ii mariadb-common 10.1.12+maria-1~jessie all MariaDB database common files (e.g. /etc/mysql/conf.d/mariadb.cnf)
ii mariadb-server-10.1 10.1.12+maria-1~jessie amd64 MariaDB database server binaries
ii mariadb-server 10.1.12+maria-1~jessie all MariaDB database server (metapackage depending on the latest version)
ii mariadb-server-core-10.1 10.1.12+maria-1~jessie amd64 MariaDB database core server filesDebian Testing AMD64 ii libmariadbclient18 10.1.12+maria-1~jessie amd64 MariaDB database client library ii libmariadbclient-dev 10.1.12+maria-1~jessie amd64 MariaDB database development files ii libmariadbd-dev 10.1.12+maria-1~jessie amd64 MariaDB embedded database, development files ii mariadb-client-10.1 10.1.12+maria-1~jessie amd64 MariaDB database client binaries ii mariadb-client-core-10.1 10.1.12+maria-1~jessie amd64 MariaDB database core client binaries ii mariadb-common 10.1.12+maria-1~jessie all MariaDB database common files (e.g. /etc/mysql/conf.d/mariadb.cnf) ii mariadb-server-10.1 10.1.12+maria-1~jessie amd64 MariaDB database server binaries ii mariadb-server 10.1.12+maria-1~jessie all MariaDB database server (metapackage depending on the latest version) ii mariadb-server-core-10.1 10.1.12+maria-1~jessie amd64 MariaDB database core server files
Description
Hello @ll,
I hope, I have chosen the right project, component, severity, and the like ... If not, feel free to change 
I tried to upgrade my system today as usual with "apt-get update && apt-get upgrade", and got the error message
W: gpgv:/var/lib/apt/lists/ftp.hosteurope.de_mirror_mariadb.org_repo_10.1_debian_dists_jessie_InRelease: The repository is insufficiently signed by key 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB (weak digest)
|
While searching the web for this message, I stumbled upon https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/, where I found a link to wiki.debian.org/Teams/Apt/Sha1Removal. In this wiki page, it says
Fixing broken repositories
Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.
. I would like to ask if it would be possible to fix this bug as fast as possible to be able to use MariaDB's own repository to upgrade to newer versions.
Thanks in advance
Thomas.
Attachments
Issue Links
- relates to
-
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Description |
Hello @ll,
I hope, I have chosen the right project, component, severity, and the like ... If not, feel free to change :) I tried to upgrade my system today as usual with "apt-get update && apt-get upgrade", and got the error message <snip> W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Debian%5f8.0_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest) </snip> While searching the web for this message, I stumbled upon https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/, where I found a link to wiki.debian.org/Teams/Apt/Sha1Removal. In this wiki page, it says <quote> Fixing broken repositories Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256. </quote> . I would like to ask if it would be possible to fix this bug as fast as possible to be able to use MariaDB's own repository to upgrade to newer versions. Thanks in advance Thomas. |
Hello @ll,
I hope, I have chosen the right project, component, severity, and the like ... If not, feel free to change :) I tried to upgrade my system today as usual with "apt-get update && apt-get upgrade", and got the error message {noformat} W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Debian%5f8.0_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest) {noformat} While searching the web for this message, I stumbled upon https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/, where I found a link to wiki.debian.org/Teams/Apt/Sha1Removal. In this wiki page, it says {quote} Fixing broken repositories Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256. {quote} . I would like to ask if it would be possible to fix this bug as fast as possible to be able to use MariaDB's own repository to upgrade to newer versions. Thanks in advance Thomas. |
| Component/s | Packaging [ 10700 ] |
| Assignee | Daniel Bartholomew [ dbart ] |
| Due Date | 2016-04-23 |
| Description |
Hello @ll,
I hope, I have chosen the right project, component, severity, and the like ... If not, feel free to change :) I tried to upgrade my system today as usual with "apt-get update && apt-get upgrade", and got the error message {noformat} W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Debian%5f8.0_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest) {noformat} While searching the web for this message, I stumbled upon https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/, where I found a link to wiki.debian.org/Teams/Apt/Sha1Removal. In this wiki page, it says {quote} Fixing broken repositories Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256. {quote} . I would like to ask if it would be possible to fix this bug as fast as possible to be able to use MariaDB's own repository to upgrade to newer versions. Thanks in advance Thomas. |
Hello @ll,
I hope, I have chosen the right project, component, severity, and the like ... If not, feel free to change :) I tried to upgrade my system today as usual with "apt-get update && apt-get upgrade", and got the error message {noformat} W: gpgv:/var/lib/apt/lists/ftp.hosteurope.de_mirror_mariadb.org_repo_10.1_debian_dists_jessie_InRelease: The repository is insufficiently signed by key 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB (weak digest) {noformat} While searching the web for this message, I stumbled upon https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/, where I found a link to wiki.debian.org/Teams/Apt/Sha1Removal. In this wiki page, it says {quote} Fixing broken repositories Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256. {quote} . I would like to ask if it would be possible to fix this bug as fast as possible to be able to use MariaDB's own repository to upgrade to newer versions. Thanks in advance Thomas. |
| Status | Open [ 1 ] | In Progress [ 3 ] |
required gpg settings: http://askubuntu.com/questions/750133/how-can-i-fix-w-the-repository-is-insufficiently-signed-by-the-key
...which references this post: https://www.debian-administration.org/users/dkg/weblog/48
This is fixed in 10.2, and will be completely fixed in the next releases of 10.0 and 10.1.
The solution was to create a new SHA2 GPG key, and use that for our Sid and Xenial repositories.
The new key has an ID of: C74CD1D8 and the full fingerprint is:
177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8
See the 10.2.0 release notes for more information: https://mariadb.com/kb/en/mariadb/mariadb-1020-release-notes/
| Due Date | 2016-04-23 | 2016-05-14 |
AFAIK this issue is now resolved. Sid and Xenial repositories for 10.0, 10.1, and 10.2 are all signed with the new key.
Reopen if there are issues that have not been resolved.
| Fix Version/s | 10.1.14 [ 21804 ] | |
| Fix Version/s | 10.0.25 [ 21701 ] | |
| Fix Version/s | 10.2.0 [ 20700 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | In Progress [ 3 ] | Closed [ 6 ] |
https://downloads.mariadb.org/mariadb/repositories doesn't list this new key.
Users get an error like follows when installing from the repository:
W: GPG error: http://mirror.netcologne.de/mariadb/repo/10.1/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1656F24C74CD1D8 W: The repository 'http://mirror.netcologne.de/mariadb/repo/10.1/ubuntu xenial InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
|
Please update the instructions.
| Resolution | Fixed [ 1 ] | |
| Status | Closed [ 6 ] | Stalled [ 10000 ] |
Somehow some old instructions were being displayed in the repository configuration tool. They have now been fixed.
Hello Daniel, *,
thanks for your work so far
If I enter the sources.list entry for sid and import the key mentioned in the instruction, it works But, alas, it does not work for stretch. Then I get the same error mentioned in the subject ... 
Thanks anyway, now I have one error message less ... 
Have a nice day
Thomas.
thackert We currently do not have repositories for Debian Stretch. Are you setting up the Sid repository on Stretch?
@Daniel: it seems I have not expressed that well, sorry ... I mean, that I tried to follow the instruction for Debian Jessie (8.x), which did not work. If I follow the instructions for sid (with the key mentioned there as well as the sources.list entry) it works. So yes, I set it up and have now installed MariaDB for sid on Stretch.
I hope, this is a little bit clearer now ... If not, feel free to ask
Have a nice evening
Thomas.
thackert: Yes. Using the Jessie instructions on Stretch will not work, you have to use the Sid instructions. Our Jessie repositories still use the old 0xcbcb082a1bb943db GPG key, not the new 0xF1656F24C74CD1D8 key required by Sid and Stretch.
@dbart: thanks for your explanation Just out of interest: will there be a Stretch repo on a later time as well? And will this use the key for sid or another one?
Have a nice evening
Thomas.
Yes, there will be a Stretch repository eventually. It will use the same key we're now using for Sid.
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Link |
This issue relates to |
| Workflow | MariaDB v3 [ 74644 ] | MariaDB v4 [ 150253 ] |
sorry for the noise copypasted the wrong line ...
Should be
<quote>
W: gpgv:/var/lib/apt/lists/ftp.hosteurope.de_mirror_mariadb.org_repo_10.1_debian_dists_jessie_InRelease: The repository is insufficiently signed by key 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB (weak digest)
</quote>
...