Packages cannot be authenticated

  • Hello,


    When using the update function I get "WARNING: The following packages cannot be authenticated!" followed by a list of packages from the Debian repository. The updater proceeds to install these packages anyway - is there a way to ensure the packages are authenticated? More importantly, how can I fix the error in the meantime?


    Thanks in advance! :)

    • Official post

    Which packages could not be authenticated?

    omv 7.1.0-2 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.2 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.5 | scripts 7.0.5


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Quote from "ryecoaaron"

    Which packages could not be authenticated?



    Here's apt's history.log for today's unauthenticated upgrades (topic was posted in August):


    Quote from "/var/log/apt/history.log"

    Start-Date: 2012-12-13 12:12:44
    Commandline: apt-get --yes --force-yes --fix-missing --auto-remove --allow-unauthenticated --show-upgraded --option DPkg::Options::=--force-confnew install perl-modules perl libperl5.10 perl-base
    Upgrade: perl:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-base:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-modules:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), libperl5.10:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4)
    End-Date: 2012-12-13 12:14:02



    It seems OMV goes out of its way to allow unauthenticated packages. Isn't that a security risk?

    • Official post

    Volker can speak better of this but I don't think those packages are unauthenticated. The flag is there but I think it is for the OMV packages which probably don't have a signed repository. I see very minimal security risk if you only use the OMV provided packages.


  • Quote from "ryecoaaron"

    Volker can speak better of this but I don't think those packages are unauthenticated. The flag is there but I think it is for the OMV packages which probably don't have a signed repository. I see very minimal security risk if you only use the OMV provided packages.


    The message was shown in the "update manager" via the web interface - I unfortunately can't get that message back. I believe the packages from OMV are signed, but can't remember at this time how to verify them.


    Unauthenticated packages can be a big risk - what if the server's Debian package mirror is compromised? Package signing ensures that the packages a mirror (or even the main repository) delivers are the intended ones from the team.

    • Official post

    I understand there is a risk. Source code could be compromised and a signed package created as well. Only the OMV packages come from non-Debian servers. The Debian packages should all be signed. Not sure what other packages aren't if the OMV packages are signed. I guess it is a risk you have to take if you want to use OMV.


  • Quote from "ryecoaaron"

    I understand there is a risk. Source code could be compromised and a signed package created as well. Only the OMV packages come from non-Debian servers. The Debian packages should all be signed. Not sure what other packages aren't if the OMV packages are signed. I guess it is a risk you have to take if you want to use OMV.


    Yep - It's just a suggestion that it should be changed for the security of the project's users. Source code could indeed have a back door put through it; but with today's version control and whatnot it's far less likely. Signing something with the team's signing key is far harder than compromising a random mirror server out there.

    • Official post

    Well, I guess we would need to hear from Volker on why it is that way.


    • Official post

    I just updated one system from the web interface. All perl packages from Debian's servers. It said the packages could not be authenticated. I updated another system from the command line. Same four perl packages and I didn't get the authentication message. Maybe the web interface can easily be changed to authenticate the packages just by changing the update command???


    • Official post

    Problem still exists, but I did not know how to fix it nor where the problem comes from. The keys are available, the Release.gpg file is downloaded and in /var/lib/apt/lists.


    Code
    # apt-get update
    Hit http://packages.openmediavault.org sardaukar Release.gpg                       
    Hit http://packages.openmediavault.org sardaukar Release
    ...
    Hit http://ftp.debian.org squeeze Release.gpg   
    ...



    Keyring packages are installed:

    Code
    # dpkg -l | grep keyring
    ii  debian-archive-keyring              2010.08.28+squeeze1          GnuPG archive keys of the Debian archive
    ii  openmediavault-keyring              0.2                          GnuPG archive keys of the OpenMediaVault archive


    The files:

    Code
    # ls -alh /usr/share/keyrings/
    total 40K
    drwxr-xr-x  2 root root 4.0K Jan 25  2013 .
    drwxr-xr-x 84 root root 4.0K May  5  2012 ..
    -rw-r--r--  1 root root  17K Jul 21  2012 debian-archive-keyring.gpg
    -rw-r--r--  1 root root 7.4K Jul 21  2012 debian-archive-removed-keys.gpg
    -rw-r--r--  1 root root 1.8K Jan 25  2013 openmediavault-keyring.gpg


    But the warning message 'WARNING: The following packages cannot be authenticated!' still occurs. Does anyone have an idea where to start searching?


    The strange thing is that the problem also affects packages coming from Debian, thus it seems not to be a problem of the OMV package repository in general.

  • Volker, no offense, but did you forget to sign the latest packages for .4 (and .5)?


    I saw it the first time on the latest update so I thought you forgot to sign it. I cannot tell that I ever saw it on packages from the Debian repository.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

    • Official post

    The packages should be signed automatically by reprepro which is used to create the package repository. As already mentioned, packages coming from the official Debian repository are also declared as not authenticated, thus I assume the problem does not come from the OMV package repository. As you can see, the Debian keys are also installed on the system.

    • Official post

    When I install the clamav package from the web interface, I get the warnings but not from the command line using apt-get. Is it the --allow-unauthenticated flag?


    • Official post
    Quote from "ryecoaaron"

    When I install the clamav package from the web interface, I get the warnings but not from the command line using apt-get. Is it the --allow-unauthenticated flag?


    It seems the problem only occurs when packages are updated. When installing new packages the warning message did not appear. The --allow-unauthenticated option only tells APT to install unauthenticated packages:

    Code
    --allow-unauthenticated
    Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.
    • Official post

    I just verified that on a fresh install. When I did apt-get dist-upgrade, I didn't get the warning. When I did apt-get --allow-unauthenticated dist-upgrade, I did get the warning.

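
Added example, not part of the thread or of OMV's code: a small audit of apt's history.log that lists every run started with `--allow-unauthenticated`, `--force-yes` or the equivalent `APT::Get::AllowUnauthenticated` option, together with how many packages that run touched. The sample log is constructed; its first stanza mirrors the command line quoted above, and the function name `audit_history` is an assumption of this example.

```shell
#!/bin/sh
# Added example: flag apt runs that were allowed to proceed past the
# "cannot be authenticated" warning. Works on any file in history.log format.

# audit_history FILE -> one line per flagged run: "start|flags|package count"
audit_history() {
    awk '
        /^Start-Date:/ { start = $2 " " $3; hit = ""; pkgs = 0 }
        /^Commandline:/ {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "--allow-unauthenticated" || opt == "--force-yes" ||
                    opt ~ /^apt::get::allowunauthenticated=(true|yes|1)$/)
                    hit = hit (hit == "" ? "" : ",") $i
            }
        }
        # Each installed or upgraded package carries one "(version...)" group.
        /^(Install|Upgrade):/ { pkgs += gsub(/\(/, "(") }
        /^End-Date:/ { if (hit != "") print start "|" hit "|" pkgs }
    ' "$1"
}

# Constructed sample log; stanzas two and three are made up for illustration.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Start-Date: 2012-12-13 12:12:44
Commandline: apt-get --yes --force-yes --fix-missing --auto-remove --allow-unauthenticated --show-upgraded --option DPkg::Options::=--force-confnew install perl-modules perl libperl5.10 perl-base
Upgrade: perl:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-base:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-modules:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), libperl5.10:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4)
End-Date: 2012-12-13 12:14:02

Start-Date: 2012-12-14 09:00:01
Commandline: apt-get install clamav
Install: clamav:amd64 (0.0.0-placeholder)
End-Date: 2012-12-14 09:00:40

Start-Date: 2012-12-15 10:30:00
Commandline: apt-get -o APT::Get::AllowUnauthenticated=true dist-upgrade
Upgrade: example-pkg:amd64 (1.0, 1.1)
End-Date: 2012-12-15 10:31:12
EOF

audit_history "$SAMPLE_LOG"
```

On a real system the same function can be pointed at /var/log/apt/history.log; any line it prints is a run whose packages should be re-checked against the signed Release files.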

  • I quickly checked on my Wheezy Server:



    It seems to be fixed under Wheezy, so maybe there is no need for fixing if it is fixed with Wheezy.


    Greetings
    David

