Possible bug: The temurin jdk repo fails to sync when checking gpg for InRelease file. Checking Release + Release.gpg instead works. #162
Comments
Hi. This is a weird error, first time I'm seeing this. I tried on my side and got the same error, but I really think the problem is on Adoptium's side: their InRelease file seems to be either corrupted or not properly signed. I also tried this on my workstation:
Downloaded the InRelease file:
Imported GPG public key from Adoptium (following https://adoptium.net/fr/installation/linux/)
Checked GPG signature of InRelease file:
The file has been signed on 29th of April 2024, which is recent. Maybe you could contact Adoptium and see if they can investigate on their side and tell us why gpg returns this error. If we are 100% sure that the problem is not on their side, then I'll investigate to find a workaround. Thanks
I'm pretty sure the problem is on their side. I'll open a ticket there. They also have a few rpms that aren't signed, so in order to sync, I have to bypass validation, which sucks. At least w/ deb I could get the Release file signature checked.
Confirmed. I found the ticket they had logged; it's Artifactory's fault ultimately, so unless someone comes up w/ a workaround to update the InRelease after the fact, there's not a lot to do here. I suppose, in theory, we could mod this project to try the first source and then try the second? It's ...not great to ignore such things, but it's even worse to not be able to mirror a repo that you hit too hard and get blocked from ^-^
Hello. Please update your Docker image to the latest version. You will be able to skip Release file with invalid signature by using the
Let me know if it's all good. Thanks!
I guess this is OK. Closing.
I'm not sure if this is something weird w/ repomanager, or if temurin/artifactory ( https://packages.adoptium.net/artifactory/deb ) is serving something non-standard somehow, but nothing I could do would get gpg to verify the InRelease file, whereas swapping the check to look at Release + Release.gpg works fine.
I edited this if/else here: https://github.com/lbr38/repomanager/blob/stable/www/controllers/Repo/Mirror/Deb.php#L459-L463
Swapping the order, and now I can sync temurin ubuntu repos w/out failure.
The error message it printed:
I saw similar issues trying to run gpgv locally on the downloaded files, with the temurin / adoptium key added to /var/lib/repomanager/.gnupg and set to ultimate trust.
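
The "try the first source and then try the second" idea from this thread, as an added example that is not part of the issue and not repomanager's own code: check the clearsigned InRelease with gpgv, fall back to the detached Release + Release.gpg pair, and refuse the sync if neither verifies. The function name, the directory layout and the keyring path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not repomanager code. Assumed inputs (hypothetical names):
#   DIR     directory holding the downloaded InRelease and/or Release + Release.gpg
#   KEYRING path (containing a slash) to a keyring with only the repo's signing key
#   OUT     file that receives the verified Release content

# verify_release_metadata DIR KEYRING OUT
# Prints which source was verified; returns 1 (fail closed) if none was.
verify_release_metadata() {
    dir=$1 keyring=$2 out=$3
    rm -f "$out"

    # 1. Inline (clearsigned) InRelease. --output makes gpgv write only the
    #    signed text, so bytes outside the signed block are never consumed.
    if [ -f "$dir/InRelease" ] &&
       gpgv --keyring "$keyring" --output "$out" "$dir/InRelease" 2>/dev/null; then
        echo "InRelease"
        return 0
    fi
    rm -f "$out"   # drop any partial output from a failed inline check

    # 2. Fallback: detached signature Release.gpg over the plain Release file.
    if [ -f "$dir/Release" ] && [ -f "$dir/Release.gpg" ] &&
       gpgv --keyring "$keyring" "$dir/Release.gpg" "$dir/Release" 2>/dev/null; then
        cp "$dir/Release" "$out"
        echo "Release+Release.gpg"
        return 0
    fi

    # 3. Neither signature verified: stop the sync instead of skipping the check.
    echo "none"
    return 1
}
```

Whatever the mirror parses next should be read from OUT, not from the raw downloaded files, so that package hashes are only ever taken from content a signature covered.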