Packages cannot be authenticated

    • Packages cannot be authenticated

      Hello,

      When using the update function I get "WARNING: The following packages cannot be authenticated!" followed by a list of packages from the Debian repository. The updater proceeds to install these packages anyway - is there a way to ensure the packages are authenticated? More importantly, how can I fix the error in the meantime?

      Thanks in advance! :)

      The post was edited 1 time, last by D43aZ ().

    • Re: Packages cannot be authenticated

      Which packages could not be authenticated?
      omv 4.1.11 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.11
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Re: Packages cannot be authenticated

      "ryecoaaron" wrote:

      Which packages could not be authenticated?



      Here's apt's history.log for today's unauthenticated upgrades (topic was posted in August):

      "/var/log/apt/history.log" wrote:

      Start-Date: 2012-12-13 12:12:44
      Commandline: apt-get --yes --force-yes --fix-missing --auto-remove --allow-unauthenticated --show-upgraded --option DPkg::Options::=--force-confnew install perl-modules perl libperl5.10 perl-base
      Upgrade: perl:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-base:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-modules:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), libperl5.10:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4)
      End-Date: 2012-12-13 12:14:02



      It seems OMV goes out of its way to allow unauthenticated packages. Isn't that a security risk?
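The `Commandline:` field of the history.log entry quoted above is what records that an update ran with authentication checks overridden. As an added example (not from the thread or from OMV's code), this Python script scans history.log stanzas for such runs; the sample log is constructed from the quoted entry plus a made-up plain upgrade, and flagging `--force-yes` as well is a choice made here because older apt-get let it proceed past the unauthenticated-package prompt.

```python
import re

# Constructed sample in the layout of /var/log/apt/history.log: the first stanza
# mirrors the entry quoted in the thread, the second is a made-up plain upgrade.
SAMPLE_LOG = """\
Start-Date: 2012-12-13 12:12:44
Commandline: apt-get --yes --force-yes --fix-missing --auto-remove --allow-unauthenticated --show-upgraded --option DPkg::Options::=--force-confnew install perl-modules perl libperl5.10 perl-base
Upgrade: perl:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-base:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), perl-modules:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4), libperl5.10:amd64 (5.10.1-17squeeze3, 5.10.1-17squeeze4)
End-Date: 2012-12-13 12:14:02

Start-Date: 2012-12-14 09:00:01
Commandline: apt-get dist-upgrade
Upgrade: bind9-host:amd64 (1.0-1, 1.0-2)
End-Date: 2012-12-14 09:00:40
"""

# Command-line switches and the -o/--option form that switch off apt's refusal
# to install packages it could not authenticate.
RISKY = {
    "--allow-unauthenticated": r"(?<!\S)--allow-unauthenticated(?!\S)",
    "--force-yes": r"(?<!\S)--force-yes(?!\S)",
    "APT::Get::AllowUnauthenticated": r"(?i)APT::Get::AllowUnauthenticated=(true|yes|1)\b",
}

def parse_stanzas(text):
    """Split history.log text into one dict per blank-line-separated stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields:
            stanzas.append(fields)
    return stanzas

def audit(text):
    """Return one finding per apt run whose command line disabled authentication."""
    findings = []
    for s in parse_stanzas(text):
        cmd = s.get("Commandline", "")
        flags = [name for name, rx in RISKY.items() if re.search(rx, cmd)]
        # Package names are the tokens directly before each "(old, new)" version pair.
        pkgs = re.findall(r"(\S+) \(", s.get("Install", "") + " " + s.get("Upgrade", ""))
        if flags:
            findings.append({"start": s.get("Start-Date"), "flags": flags, "packages": pkgs})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["start"], ", ".join(f["flags"]), "->", " ".join(f["packages"]))
```

On a real system, pass the contents of /var/log/apt/history.log to `audit()` instead of the sample.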
    • Re: Packages cannot be authenticated

      Volker can speak better of this but I don't think those packages are unauthenticated. The flag is there but I think it is for the OMV packages which probably don't have a signed repository. I see very minimal security risk if you only use the OMV provided packages.
    • Re: Packages cannot be authenticated

      "ryecoaaron" wrote:

      Volker can speak better of this but I don't think those packages are unauthenticated. The flag is there but I think it is for the OMV packages which probably don't have a signed repository. I see very minimal security risk if you only use the OMV provided packages.


      The message was shown in the "update manager" via the web interface - I unfortunately can't get that message back. I believe the packages from OMV are signed, but can't remember at this time how to verify them.

      Unauthenticated packages can be a big risk - what if the server's Debian package mirror is compromised? Package signing ensures that the packages a mirror (or even the main repository) delivers are the intended ones from the team.
    • Re: Packages cannot be authenticated

      I understand there is a risk. Source code could be compromised and a signed package created as well. Only the OMV packages come from non-Debian servers. The Debian packages should all be signed. Not sure what other packages aren't if the OMV packages are signed. I guess it is a risk you have to take if you want to use OMV.
    • Re: Packages cannot be authenticated

      "ryecoaaron" wrote:

      I understand there is a risk. Source code could be compromised and a signed package created as well. Only the OMV packages come from non-Debian servers. The Debian packages should all be signed. Not sure what other packages aren't if the OMV packages are signed. I guess it is a risk you have to take if you want to use OMV.


      Yep - It's just a suggestion that it should be changed for the security of the project's users. Source code could indeed have a back door put through it; but with today's version control and whatnot it's far less likely. Signing something with the team's signing key is far harder than compromising a random mirror server out there.
    • Re: Packages cannot be authenticated

      Well, I guess we would need to hear from Volker on why it is that way.
    • Re: Packages cannot be authenticated

      I just updated one system from the web interface. All perl packages from Debian's servers. It said the packages could not be authenticated. I updated another system from the command line. Same four perl packages and I didn't get the authentication message. Maybe the web interface can easily be changed to authenticate the packages just by changing the update command???
    • Re: Packages cannot be authenticated

      Problem still exists, but I did not know how to fix it nor where the problem comes from. The keys are available, the Release.gpg file is downloaded and in /var/lib/apt/lists.

      Source Code

      # apt-get update
      Hit http://packages.openmediavault.org sardaukar Release.gpg
      Hit http://packages.openmediavault.org sardaukar Release
      ...
      Hit http://ftp.debian.org squeeze Release.gpg
      ...


      Source Code

      # export LANG=C; apt-key list
      /etc/apt/trusted.gpg
      --------------------
      pub 1024D/F42584E6 2008-04-06 [expired: 2012-05-15]
      uid Lenny Stable Release Key <debian-release@lists.debian.org>
      pub 4096R/55BE302B 2009-01-27 [expired: 2012-12-31]
      uid Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>
      pub 2048R/6D849617 2009-01-24 [expired: 2013-01-23]
      uid Debian-Volatile Archive Automatic Signing Key (5.0/lenny)
      pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
      uid Squeeze Stable Release Key <debian-release@lists.debian.org>
      pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
      uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
      pub 1024R/3FDC40B9 2011-10-07
      uid live-build local packages key <live-build-local-key@invalid>
      sub 1024g/CD8BA848 2011-10-07
      pub 1024D/2EF35D13 2010-03-14
      uid OpenMediaVault.org (OpenMediaVault packages archive) <packages@openmediavault.org>
      sub 2048g/48270162 2010-03-14
      pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
      uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
      pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
      uid Wheezy Stable Release Key <debian-release@lists.debian.org>


      Keyring packages are installed:

      Source Code

      # dpkg -l | grep keyring
      ii debian-archive-keyring 2010.08.28+squeeze1 GnuPG archive keys of the Debian archive
      ii openmediavault-keyring 0.2 GnuPG archive keys of the OpenMediaVault archive


      The files:

      Source Code

      # ls -alh /usr/share/keyrings/
      total 40K
      drwxr-xr-x 2 root root 4.0K Jan 25 2013 .
      drwxr-xr-x 84 root root 4.0K May 5 2012 ..
      -rw-r--r-- 1 root root 17K Jul 21 2012 debian-archive-keyring.gpg
      -rw-r--r-- 1 root root 7.4K Jul 21 2012 debian-archive-removed-keys.gpg
      -rw-r--r-- 1 root root 1.8K Jan 25 2013 openmediavault-keyring.gpg


      But the warning message 'WARNING: The following packages cannot be authenticated!' still occurs. Does anyone have an idea where to start searching?

      The strange thing is that the problem also affects packages coming from Debian, thus it seems not to be a problem of the OMV package repository in general.
      Absolutely no support through PM!

      I must not fear.
      Fear is the mind-killer.
      Fear is the little-death that brings total obliteration.
      I will face my fear.
      I will permit it to pass over me and through me.
      And when it has gone past I will turn the inner eye to see its path.
      Where the fear has gone there will be nothing.
      Only I will remain.

      Litany against fear by Bene Gesserit
    • Re: Packages cannot be authenticated

      Volker, no offense, but did you miss to sign the latest packages for .4 (and .5)?

      I saw it the first time on the latest update so I thought you forgot to sign it. I cannot tell that I ever saw it on packages from the Debian repository.

      Greetings
      David
      "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"

      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.


      Upload Logfile via WebGUI/CLI
      #openmediavault on freenode IRC | German & English | GMT+1
      Absolutely no Support via PM!

      I host parts of the omv-extras.org Repository, the OpenMediaVault Live Demo and the pre-built PXE Images. If you want you can take part and help covering the costs by having a look at my profile page.
    • Re: Packages cannot be authenticated

      The packages should be signed automatically by reprepro which is used to create the package repository. As already mentioned, packages coming from the official Debian repository are also declared as not authenticated, thus I assume the problem does not come from the OMV package repository. As you can see, the Debian keys are also installed on the system.
    • Re: Packages cannot be authenticated

      When I install the clamav package from the web interface, I get the warnings but not from the command line using apt-get. Is it the --allow-unauthenticated flag?
    • Re: Packages cannot be authenticated

      "ryecoaaron" wrote:

      When I install the clamav package from the web interface, I get the warnings but not from the command line using apt-get. Is it the --allow-unauthenticated flag?

      It seems the problem only occurs when packages are updated. When installing new packages the warning message did not appear. The --allow-unauthenticated option only tells APT to install not authenticated packages:

      Source Code

      --allow-unauthenticated
      Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.
    • Re: Packages cannot be authenticated

      I found this bug report which sounds nearly equal. It seems that apt-get displays the warning even if the packages are signed and the validation is correct when the command line option --allow-unauthenticated is set. See lists.debian.org/deity/2011/03/msg00049.html
    • Re: Packages cannot be authenticated

      I just verified that on a fresh install. When I did apt-get dist-upgrade, I didn't get the warning. When I did apt-get --allow-unauthenticated dist-upgrade, I did get the warning.
    • Re: Packages cannot be authenticated

      I quickly checked on my Wheezy Server:

      Source Code

      root@srv001 ~ # uname -a
      Linux srv001.***** 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
      root@srv001 ~ # cat /proc/version
      Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.46-1
      root@srv001 ~ # apt-get --allow-unauthenticated upgrade
      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      The following packages have been kept back:
        xvfb
      The following packages will be upgraded:
        bind9 bind9-host bind9utils gnupg gpgv libbind9-80 libdns88 libgcrypt11
        libgcrypt11-dev libisc84 libisccc80 libisccfg82 liblwres80
      13 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
      Need to get 4,576 kB of archives.
      After this operation, 378 kB of additional disk space will be used.
      Do you want to continue [Y/n]?


      Seems to be that it is fixed under wheezy so maybe no need for fixing, if fixed with wheezy.

      Greetings
      David