Bugzilla – Bug 1195603
fails to server debian repos: InRelease file are not downloable
Last modified: 2022-03-21 14:44:21 UTC
i susesfully build packages fro all releases of debian at https://build.opensuse.org/project/monitor/home:vegnuli:deploy-vnx1 but i cannotuse in debian 7 neither 8.. but i have repos inside.. NOTE: i have the key added and all the cert files updates.. in fact the repo "emusgames-1.0" does not fail.. the rest fails due i updates becose of ne builds W: Error de GPG: http://archive.debian.org jessie Release: Las siguientes firmas no fueron válidas: KEYEXPIRED 1587841717 W: Fallo al obtener http://download.opensuse.org/repositories/home:/vegnuli:/system-vnx1/Debian_8.0/InRelease W: Fallo al obtener http://download.opensuse.org/repositories/home:/vegnuli:/deploy-vnx1/Debian_8.0/InRelease W: Fallo al obtener http://download.opensuse.org/repositories/home:/vegnuli:/desktop-vnx1/Debian_8.0/InRelease W: Fallo al obtener http://download.opensuse.org/repositories/home:/vegnuli:/internet-vnx1/Debian_8.0/InRelease W: Fallo al obtener http://download.opensuse.org/repositories/home:/vegnuli:/multimedia-vnx1/Debian_8.0/InRelease W: No se han podido descargar algunos archivos de índice, se han omitido, o se han utilizado unos antiguos en su lugar.
You seem to be giving the output/warning of a program. Please give the command that you are running. Also use "export LC_ALL=C" to switch to English. Additionally you seem to be referring to things that you have configured. Hence please give that configuration as well.
These are the steps (and for you information the languaje are not related, now i konow that you dont use deb repositories): first i setup to ignore and bypass any gpog or certificate checks: cat > /etc/apt/apt.conf.d/40venenux << EOF APT::Install-Recommends "0"; APT::Install-Suggests "0"; APT::Get::AllowUnauthenticated "true"; Acquire::AllowInsecureRepositories "true"; Acquire::AllowDowngradeToInsecureRepositories "true"; Acquire::AllowReleaseInfoChange::Suite "true"; Acquire::Check-Valid-Until "false"; Acquire::Languages "en"; Aptitude::CmdLine::Ignore-Trust-Violations "true"; Acquire::https::download.opensuse.org::Verify-Peer "false"; EOF then update root@trabajo:/# apt-get update Hit http://archive.deb-multimedia.org jessie InRelease Get:1 http://download.opensuse.org InRelease [1615 B] Ign http://download.opensuse.org InRelease Get:2 http://download.opensuse.org InRelease [1647 B] Err http://download.opensuse.org InRelease Ign http://download.opensuse.org Packages/DiffIndex Hit http://archive.deb-multimedia.org jessie/main amd64 Packages Hit http://archive.deb-multimedia.org jessie/non-free amd64 Packages Hit http://archive.deb-multimedia.org jessie/main i386 Packages Hit http://archive.deb-multimedia.org jessie/non-free i386 Packages Hit http://archive.deb-multimedia.org jessie/main Translation-en Hit http://archive.deb-multimedia.org jessie/non-free Translation-en Ign http://download.opensuse.org Translation-en Ign http://download.opensuse.org Translation-es Hit http://download.opensuse.org Packages Fetched 3262 B in 3s (994 B/s) Reading package lists... Done W: GPG error: http://download.opensuse.org InRelease: The following signatures were invalid: KEYEXPIRED 1642625863 W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org InRelease: The following signatures were invalid: KEYEXPIRED 1642625863 W: Failed to fetch http://download.opensuse.org/repositories/home:/vegnuli:/deploy-vnx1/Debian_8.0/InRelease W: Some index files failed to download. They have been ignored, or old ones used instead. root@trabajo:/# after that, update it fails since some weeks ago: apt-get install hwloc libhwloc5 Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: libhwloc-contrib-plugins Recommended packages: libhwloc-plugins The following NEW packages will be installed: hwloc libhwloc5 0 upgraded, 2 newly installed, 0 to remove and 801 not upgraded. 1 not fully installed or removed. Need to get 280 kB of archives. After this operation, 924 kB of additional disk space will be used. Get:1 http://download.opensuse.org/repositories/home:/vegnuli:/deploy-vnx1/Debian_8.0/ libhwloc5 1.11.12-3vnz1 [108 kB] Get:2 http://download.opensuse.org/repositories/home:/vegnuli:/deploy-vnx1/Debian_8.0/ hwloc 1.11.12-3vnz1 [172 kB] Fetched 280 kB in 2s (94.7 kB/s) E: Failed to fetch http://download.opensuse.org/repositories/home:/vegnuli:/deploy-vnx1/Debian_8.0/./amd64/libhwloc5_1.11.12-3vnz1_amd64.deb Size mismatch E: Failed to fetch http://download.opensuse.org/repositories/home:/vegnuli:/deploy-vnx1/Debian_8.0/./amd64/hwloc_1.11.12-3vnz1_amd64.deb Size mismatch E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
(In reply to PICCORO Gerhardo Lenz McKAY from comment #2) > These are the steps (and for you information the languaje are not related, > now i konow that you dont use deb repositories): Bug reporting with non-localized output with full information is pretty standard. Don't touch the priority field.
(In reply to PICCORO Gerhardo Lenz McKAY from comment #2) > first i setup to ignore and bypass any gpog or certificate checks: [...] > W: GPG error: http://download.opensuse.org InRelease: The following > signatures were invalid: KEYEXPIRED 1642625863 [...] > after that, update it fails since some weeks ago: The key expiry timestamp refers to 2022-01-19 20:57:43, 19 days ago. This lines up with "some weeks" ago. This and the messages are more consistent with "bypassing gpg checks" not actually doing what you intended, and apt rejecting the expired key nevertheless. Try osc signkey --extend home:[...] on the project in question and repeat the operation.
(In reply to Andreas Stieger from comment #4) > (In reply to PICCORO Gerhardo Lenz McKAY from comment #2) > > first i setup to ignore and bypass any gpog or certificate checks: > [...] > > W: GPG error: http://download.opensuse.org InRelease: The following > > signatures were invalid: KEYEXPIRED 1642625863 > [...] > with "bypassing gpg checks" not actually doing what you intended, and apt > rejecting the expired key nevertheless. > [...] > Try osc signkey --extend home:[...] on the project in question and repeat > the operation. osc .. i cannot find any osc in the interface.. where are that artifact in the interface? i tried in another host and works pretty good BUT only fresh install.. but in the hosts that already i configured in the past does not work..
(In reply to PICCORO Gerhardo Lenz McKAY from comment #5) > > Try osc signkey --extend home:[...] on the project in question and repeat > > the operation. > > osc .. i cannot find any osc in the interface.. where are that artifact in > the interface? Right. Start here. https://en.opensuse.org/openSUSE:OSC > i tried in another host and works pretty good BUT only fresh install.. but > in the hosts that already i configured in the past does not work.. Please update the bug summary to that effect. Again, suspecting caching of previous keys and your configuration not doing what you expect it to do. Work out what is the minimum difference to trigger this, and report back on that. Setting needinfo for that.
(In reply to Andreas Stieger from comment #6) > (In reply to PICCORO Gerhardo Lenz McKAY from comment #5) > > > Try osc signkey --extend home:[...] on the project in question and repeat > > > the operation. > > > > osc .. i cannot find any osc in the interface.. where are that artifact in > > the interface? > > Right. Start here. https://en.opensuse.org/openSUSE:OSC seems it depends on python3 i have a pre release of python crap.. so then it need external python install so now its too complicated.. the only repository that has that problem is opensuse repos.. i configured MX older ones, deb-multimedia, venenux, archive debian, backports older debian .. no one give probles with expired keys.. > > > i tried in another host and works pretty good BUT only fresh install.. but > > in the hosts that already i configured in the past does not work.. > > Please update the bug summary to that effect. Again, suspecting caching of > previous keys and your configuration not doing what you expect it to do. > > Work out what is the minimum difference to trigger this, and report back on > that. Setting needinfo for that.
I am not sure I see the relevance. Find a way around it, including a vm/chroot with a distro with Python3. To summarize what you need to try to get to reproduction steps: * determine differences of the on-disk data/configuration between the old install and the new install * in particular whether your apt settings affect newly seen keys only or whether a key expiry still invalidates subsequent * finally check if expanding the key lifetime resolves the issue
i tell you that i not using key.. i put a config that must AVOID the check of keys and certificates and about the others machines.. i setup : 1) put the older repo from project vegnuli:/deploy-vnx1 (Debian 8) in some other machines (we have 4) and does not work 2) put the older repo from project vegnuli:/emusgames-1.0 (Debian 8) in some other machines (we have 4) and does work i remenberd you that i put a apt.conf that avoid all checks and gpg and certificates.. so anything from gpg and related must be avoid but only fails in open suse repos.. for rest of repos indluding mx ones works the bypass (In reply to Andreas Stieger from comment #8) > To summarize what you need to try to get to reproduction steps: > > * determine differences of the on-disk data/configuration between the old > install and the new install > * in particular whether your apt settings affect newly seen keys only or > whether a key expiry still invalidates subsequent > * finally check if expanding the key lifetime resolves the issue
Your attempts to disable gpg warnings is not consistent with... well the gpg warnings you are getting.
(In reply to Andreas Stieger from comment #10) > Your attempts to disable gpg warnings is not consistent with... well the gpg > warnings you are getting. Yes, but these only occur for open suse for the repositories that I had not used... for any other repository it works very well... and I have a lot of them in use, at least I have about 20 also noted only happend with Debian 8 and Debian 7 made repos.. for Debian 9 does not happened.. i repeat only happened with open suse repos and we used a lot others
I do not think you are approaching this right. Have fun.
(In reply to Andreas Stieger from comment #12) > I do not think you are approaching this right. Have fun. It's simple, the only repository that fails is the opensuse repository when a version of debian 8 or debian 7 is involved, and it's the first time I've made a request... (a new query request or apt update) the rest work if it's Debian 9, 10 or 11. I guess you guy are forcing all the generated debian repositories version to be gpg forced and as i guess repository gpg signed were not so enforced in those versions.. apt introduced in Debian 9 more checks that in Debian 8 or 7 does not are Open suse is the best service I've tried because it allows me to continue making packages and builds for versions other than the current one, but if I can't take what I build I'm in an ironic situation.
Now it fails with Debian 9.. was working with debian 9 and 10 and now it fails.. due "too many security check" and crypto levels.. puff We used OBS for builds/providing packages for people that cannot upgraded older hardware (not all the world can spend and change hardware so used other versins of OS)... We used so much the Debian 5 to 9 releases and we have many packages in Debian 5, 6, 7, 8 and 9
now stretch does not work.. reporting same errors if i try to updated: W: Failed to fetch http://download.opensuse.org/repositories/home:/vegnuli:/system-vnx1/Debian_9.0/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FF777768A648538 W: Some index files failed to download. They have been ignored, or old ones used instead. i used the options: APT::Get::AllowUnauthenticated "true"; Acquire::AllowDowngradeToInsecureRepositories "true"; Acquire::Check-Valid-Until "false"; Acquire::https::download.opensuse.org::Verify-Peer "false"; Acquire::http::download.opensuse.org::Verify-Peer "false"; those options must paybass the gpg check but it seems does not work with opensuse service
i as working some months ago .. started to fail with wheeze, later jessie and nknow with stretch-- output apt-get -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true update Get:32 http://download.opensuse.org/repositories/home:/vegnuli:/system-vnx1/Debian_9.0 InRelease [1558 B] Err:32 http://download.opensuse.org/repositories/home:/vegnuli:/system-vnx1/Debian_9.0 InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FF777768A648538 W: Failed to fetch http://download.opensuse.org/repositories/home:/vegnuli:/system-vnx1/Debian_9.0/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FF777768A648538 W: Some index files failed to download. They have been ignored, or old ones used instead. i reported more detailed at github https://github.com/openSUSE/open-build-service/issues/12333 use the published repository with bypass gpg signatures no matter key are expired or not, by the usage of apt-get -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true -o Acquire::Check-Valid-Until=false -o APT::Get::AllowUnauthenticated=true update command