X2Go Bug report logs -
#1401
Update GPG key bootstrapping instructions for Debian
Reported by: "Daniel Ullrich" <store@posteo.de>
Date: Sat, 24 Aug 2019 02:40:02 UTC
Severity: normal
Done: Mihai Moldovan <ionic@ionic.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to x2go-dev@lists.x2go.org, owner@bugs.x2go.org:
Bug#1401; Package complete x2go repo.
(Sat, 24 Aug 2019 02:40:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Daniel Ullrich" <store@posteo.de>:
New Bug report received and forwarded. Copy sent to owner@bugs.x2go.org.
(Sat, 24 Aug 2019 02:40:02 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: complete x2go repo
version: none
sudo apt update
The following signatures could not be verified because their public key
is not available: NO_PUBKEY E1F958385BFE2B6E
W: GPG error: http://packages.x2go.org/debian buster InRelease: The
following signatures could not be verified because their public key is
not available: NO_PUBKEY E1F958385BFE2B6E
E: The depot "http://packages.x2go.org/debian buster InRelease" is not
signed.
N: An update from such a repository cannot be done in a secure way, so
it is disabled by default.
N: See the apt-secure(8) manual page for more details on package vault
creation and user configuration.
sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys
--keyserver keys.gnupg.net E1F958385BFE2B6E
gpg: Received from key server failed: The waiting time for the
connection has expired.
x2go-keyring package is not available for debian buster => would solve
this issue!
[Message part 2 (text/html, inline)]
Information forwarded
to x2go-dev@lists.x2go.org, owner@bugs.x2go.org:
Bug#1401; Package complete x2go repo.
(Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to owner@bugs.x2go.org.
(Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).
Message #10 received at 1401@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: reassign -1 packages.x2go.org
> N: An update from such a repository cannot be done in a secure way, so
> it is disabled by default.
The x2go-keyring package is available for Debian buster, includes the required
key file and should work just fine.
However, newer apt versions will disallow downloading from an untrusted repository.
In order to actually install the keyring package, try running something like:
sudo apt-get --allow-unauthenticated install x2go-keyring
Afterwards, sudo apt update should not return an error again. Do not use the
--allow-unauthenticated flag without understanding its implications.
> sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
> Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys
> --keyserver keys.gnupg.net E1F958385BFE2B6E
> gpg: Received from key server failed: The waiting time for the
> connection has expired.
The public key is also available on keyservers. Most keyservers are still
stoned, however, from the attacks that have been carried out a few months ago
and a year ago. For more information, and why this problem is unlike to be fixed
in the first place, refer to
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f for instance.
I cannot fix public keyservers for you.
Like the message said: there was a timeout while fetching the key. It did not
say that such a key does not exist.
Mihai
[signature.asc (application/pgp-signature, attachment)]
No longer marked as found in versions none.
Request was from Mihai Moldovan <ionic@ionic.de>
to 1401-submit@bugs.x2go.org.
(Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.x2go.org, x2go-dev@lists.x2go.org:
Bug#1401; Package packages.x2go.org.
(Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).
Acknowledgement sent
to 1401@bugs.x2go.org:
Extra info received and forwarded to list. Copy sent to x2go-dev@lists.x2go.org.
(Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).
Message #19 received at 1401@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: reassign wiki.x2go.org
Control: retitle -1 Update GPG key bootstrapping instructions for Debian
Control: close -1
* On 8/24/19 7:06 PM, Mihai Moldovan wrote:
> Control: reassign -1 packages.x2go.org
>
>
>> N: An update from such a repository cannot be done in a secure way, so
>> it is disabled by default.
>
> The x2go-keyring package is available for Debian buster, includes the required
> key file and should work just fine.
>
> However, newer apt versions will disallow downloading from an untrusted repository.
>
> In order to actually install the keyring package, try running something like:
> sudo apt-get --allow-unauthenticated install x2go-keyring
>
> Afterwards, sudo apt update should not return an error again. Do not use the
> --allow-unauthenticated flag without understanding its implications.
That wasn't correct - at least not completely. --allow-unauthenticated should
work for package installations, but not for downloading repository metadata.
To allow apt to work with unauthenticated repository metadata, users would need
to use something like:
apt-get update --allow-insecure-repositories
This said: this is totally risky, now and later. Installing packages from an
unauthenticated repository doesn't give apt any chance to check the origin. A
successful Man-in-the-Middle attack is very likely in such a scenario. Worse,
even after the initial bootstrap, all subsequent operations and packages from
such a repository could still be malicious.
I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with
this information, big fat warning signs and explanations.
**Users should always bootstrap with the currently valid GPG key and then
install the x2go-keyring package from the validated X2Go repository location!**
Closing up here.
Mihai
[signature.asc (application/pgp-signature, attachment)]
Changed Bug title to 'Update GPG key bootstrapping instructions for Debian' from 'PGP-Key is not available on keyservers for debian buster'.
Request was from Mihai Moldovan <ionic@ionic.de>
to 1401-submit@bugs.x2go.org.
(Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Mihai Moldovan <ionic@ionic.de>
to 1401-submit@bugs.x2go.org.
(Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).
Notification sent
to "Daniel Ullrich" <store@posteo.de>:
Bug acknowledged by developer.
(Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).
Bug reopened
Request was from Mihai Moldovan <ionic@ionic.de>
to control@bugs.x2go.org.
(Thu, 12 Sep 2019 18:05:01 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Mihai Moldovan <ionic@ionic.de>
to control@bugs.x2go.org.
(Thu, 12 Sep 2019 18:05:02 GMT) (full text, mbox, link).
Notification sent
to "Daniel Ullrich" <store@posteo.de>:
Bug acknowledged by developer.
(Thu, 12 Sep 2019 18:05:02 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.x2go.org>
to internal_control@bugs.x2go.org.
(Fri, 11 Oct 2019 05:24:01 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Fri Apr 26 18:09:52 2024;
Machine Name:
ymir.das-netzwerkteam.de
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
