lbr38 / repomanager

A web UI to mirror rpm or deb packages repositories.
GNU General Public License v3.0

Possible bug: The temurin jdk repo fails to sync when checking gpg for InRelease file. Checking Release + Release.gpg instead works. #162

Closed JamesXNelson closed 1 month ago

JamesXNelson commented 2 months ago

I'm not sure if this is something weird w/ repomanager, or if temurin/artifactory ( https://packages.adoptium.net/artifactory/deb ) is serving something non-standard somehow, but nothing I could do would get gpg to verify the InRelease file, whereas swapping the check to look at Release + Release.gpg works fine.

I edited this if/else here: https://github.com/lbr38/repomanager/blob/stable/www/controllers/Repo/Mirror/Deb.php#L459-L463

Swapping the order, and now I can sync temurin ubuntu repos w/out failure.

The error message it printed:

No GPG key could verify the signature of downloaded file /home/repo/download-mirror-temurin-focal-focal-main-1714787951/InRelease: 
gpgv: can't allocate lock for '/var/lib/repomanager/.gnupg/trustedkeys.gpg'
gpgv: Signature made Mon Apr 29 15:58:20 2024 UTC
gpgv:                using RSA key 843C48A565F8F04B
gpgv: BAD signature from "Adoptium GPG Key (DEB/RPM Signing Key) "

I saw similar issues trying to run gpgv locally on the downloaded files, with the temurin / adoptium key added to /var/lib/repomanager/.gnupg and set to ultimate trust.

lbr38 commented 2 months ago

Hi

This is a weird error; it's the first time I'm seeing this.

I tried on my side and got the same error, but I really think the problem is on Adoptium's side: their InRelease file seems to be either corrupted or not properly signed.

Also tried this on my workstation:

Downloaded the InRelease file:

wget https://packages.adoptium.net/artifactory/deb/dists/focal/InRelease

Imported GPG public key from Adoptium (following https://adoptium.net/fr/installation/linux/)

wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null

Checked GPG signature of InRelease file:

gpg --verify --keyring /etc/apt/trusted.gpg.d/adoptium.gpg InRelease

gpg: Signature made lun. 29 avril 2024 17:58:20 CEST
gpg:                using RSA key 843C48A565F8F04B
gpg: BAD signature from "Adoptium GPG Key (DEB/RPM Signing Key) <temurin-dev@eclipse.org>" [unknown]

The file was signed on the 29th of April 2024, which is recent. Maybe you could contact Adoptium and see if they can investigate on their side and tell us why gpg returns this error.

If we are 100% sure that the problem is not on their side, then I'll investigate to find a workaround.

Thanks

JamesXNelson commented 1 month ago

I'm pretty sure the problem is on their side. I'll open a ticket there.

They also have a few rpms that aren't signed, so in order to sync, I have to bypass validation, which sucks. At least w/ deb I could get the Release file signature checked.

JamesXNelson commented 1 month ago

Confirmed. I found the ticket they had logged; it's artifactory's fault ultimately, so unless someone comes up w/ a workaround to update the InRelease after the fact, there's not a lot to do here.

I suppose, in theory, we could mod this project to try the first source and then try the second? It's ...not great to ignore such things, but it's even worse to not be able to mirror a repo that you hit too hard and get blocked from ^-^
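
The manual check lbr38 ran above (download InRelease, import the key, verify) and the fallback JamesXNelson proposes here (try the clearsigned InRelease, then Release + Release.gpg) can be exercised together with a small script. This is an added example, not code from repomanager or from Adoptium; it assumes `gpg` and `gpgv` are installed, and the key, Release file and directory names it builds are constructed test data. `verify_dist` only reports success when `gpgv` exits 0, so a BAD signature and a missing key both count as failures, and the caller learns which of the two metadata sources actually verified instead of silently skipping the check.

```shell
#!/bin/sh
# Added example (not repomanager's own code): verify a Debian/Ubuntu suite's
# signed metadata the way apt does, trying the clearsigned InRelease first and
# falling back to the detached signature on Release (Release.gpg).

# verify_dist DIST_DIR KEYRING
# Prints "inrelease" or "release" and returns 0 on the first source that
# verifies; returns 1 when neither verifies (or neither file is present).
# gpgv exits non-zero on a BAD signature and when no key in KEYRING matches,
# so only a good signature gets past either test. Output is discarded because
# only the exit status matters here (the "can't allocate lock" line seen in
# the issue is a warning about the default trustedkeys.gpg, not the verdict).
verify_dist() {
    dir=$1; keyring=$2
    if [ -f "$dir/InRelease" ] &&
       gpgv --keyring "$keyring" "$dir/InRelease" >/dev/null 2>&1; then
        echo inrelease; return 0
    fi
    if [ -f "$dir/Release" ] && [ -f "$dir/Release.gpg" ] &&
       gpgv --keyring "$keyring" "$dir/Release.gpg" "$dir/Release" >/dev/null 2>&1; then
        echo release; return 0
    fi
    return 1
}

# make_fixture WORKDIR
# Builds constructed test data under WORKDIR: a throwaway signing key in its
# own GNUPGHOME, a tiny Release file, its clearsigned InRelease and detached
# Release.gpg, and a binary keyring exported for gpgv. A second directory,
# "tampered", keeps the valid Release + Release.gpg but carries an InRelease
# whose signed body was altered, reproducing the BAD-signature case above.
# Prints the keyring path.
make_fixture() {
    work=$1
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Test Mirror Key <mirror@example.invalid>' \
        rsa2048 sign never >/dev/null 2>&1
    mkdir -p "$work/good" "$work/tampered" "$work/empty"
    printf 'Origin: example\nSuite: focal\nCodename: focal\nArchitectures: amd64\nComponents: main\n' \
        > "$work/good/Release"
    gpg --batch --quiet --clearsign --output "$work/good/InRelease" "$work/good/Release"
    gpg --batch --quiet --detach-sign --output "$work/good/Release.gpg" "$work/good/Release"
    gpg --batch --export > "$work/keyring.gpg"
    # Same Release and Release.gpg (still valid); InRelease body changed after
    # signing, so its clearsigned signature no longer matches the content.
    cp "$work/good/Release" "$work/good/Release.gpg" "$work/tampered/"
    sed 's/^Suite: focal$/Suite: jammy/' "$work/good/InRelease" > "$work/tampered/InRelease"
    echo "$work/keyring.gpg"
}

# Stand-alone demo: sh verify_dist.sh --selftest
if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    kr=$(make_fixture "$tmp")
    printf 'good:     %s\n' "$(verify_dist "$tmp/good" "$kr" || echo FAILED)"
    printf 'tampered: %s\n' "$(verify_dist "$tmp/tampered" "$kr" || echo FAILED)"
    printf 'empty:    %s\n' "$(verify_dist "$tmp/empty" "$kr" || echo FAILED)"
    rm -rf "$tmp"
fi
```

Against a real mirror, point `verify_dist` at the downloaded `dists/<suite>` directory and at a binary keyring made with `gpg --dearmor` from the repository's published key, as lbr38 did above; a result of `release` rather than `inrelease` is worth logging, since it means the clearsigned file the repository serves does not match its own signature.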

lbr38 commented 1 month ago

Hello

Please update your docker image to the latest version 4.1.0

You will be able to skip a Release file with an invalid signature by using the "When Release file signature is invalid" setting from the SETTINGS tab.

Let me know if it's all good.

Thanks!

lbr38 commented 1 month ago

I guess this is OK

Closing