[cloud-archive] GPG signature invalid: BADSIG
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Cloud Archive |
Fix Released
|
Undecided
|
IBM Screen Team |
Bug Description
Summary
=======
UCA returns GPG error (BADSIG) on minute 50-59 (fifity-something), so it fails to install "unauthenticated" packages.
There might be a cron job running on UCA repo within 50-59 min of each hour? Or perhaps a maintenance script that is causing GPG keys to be invalid during that short time ?
This is OK when running manually, so you can retry minutes later and it works. However, It impacts OpenStack CI, which runs 24x7 per-patch basis jobs, in an automated and atomically way.
Note: We observed that this happens always in the minute 50-59, and has not happened in a minute out of this range (0-49).
Note2: This could be reproduced out of our labs (At Unicamp's Mini cloud for example), in a totally different network.
Note3: Allowing unauthenticated packages is not desired.
Arch=ppc64le
Ubuntu=Xenial
UCA=Ocata
Steps to reproduce
==================
- On a ppc64le machine (Power8), running xenial
- at min 50-59 (fifty-something), add UCA repo (Ubuntu Cloud Archive)
$ sudo add-apt-repository -y cloud-archive:ocata
- Update apt repos
$ sudo apt-get update
- GPG error (BADSIG) is seen
GPG error: http://
- install openvswitch-switch
$ sudo apt-get install openvswitch-switch
E: There were unauthenticated packages and -y was used without --allow-
Output
======
2017-05-25 16:50:47.324 | ++ functions-
2017-05-25 16:50:47.551 | Ign:1 http://
2017-05-25 16:50:47.561 | Hit:2 http://
2017-05-25 16:50:47.639 | Get:3 http://
2017-05-25 16:50:47.643 | Get:4 http://
2017-05-25 16:50:47.652 | Hit:5 http://
2017-05-25 16:50:47.742 | Hit:6 http://
2017-05-25 16:50:47.824 | Ign:4 http://
2017-05-25 16:50:47.835 | Hit:7 http://
2017-05-25 16:50:47.916 | Get:8 http://
2017-05-25 16:50:47.990 | Fetched 154 kB in 0s (240 kB/s)
2017-05-25 16:50:48.647 | Reading package lists...
2017-05-25 16:50:48.676 | W: GPG error: http://
2017-05-25 16:50:48.676 | W: The repository 'http://
...
2017-05-25 16:51:50.654 | + functions-
2017-05-25 16:51:50.672 | + functions-
2017-05-25 16:51:50.709 | Reading package lists...
2017-05-25 16:51:50.834 | Building dependency tree...
2017-05-25 16:51:50.835 | Reading state information...
2017-05-25 16:51:50.934 | fakeroot is already the newest version (1.20.2-1ubuntu1).
2017-05-25 16:51:50.934 | fakeroot set to manually installed.
2017-05-25 16:51:50.934 | make is already the newest version (4.1-6).
2017-05-25 16:51:50.934 | The following NEW packages will be installed:
2017-05-25 16:51:50.934 | openvswitch-common openvswitch-switch python-six
2017-05-25 16:51:50.946 | 0 upgraded, 3 newly installed, 0 to remove and 14 not upgraded.
2017-05-25 16:51:50.946 | Need to get 2047 kB of archives.
2017-05-25 16:51:50.946 | After this operation, 12.0 MB of additional disk space will be used.
2017-05-25 16:51:50.946 | WARNING: The following packages cannot be authenticated!
2017-05-25 16:51:50.946 | openvswitch-common openvswitch-switch
2017-05-25 16:51:50.947 | E: There were unauthenticated packages and -y was used without --allow-
Logs taken from:
http://
***This log expires
Changed in cloud-archive: | |
assignee: | nobody → IBM Screen Team (ibm-screen-team) |
This continues to happen in the same way as described above. This is a showstopper for CI jobs running in an automated way.
2017-06-19 13:53:22.419 | W: GPG error: http:// ubuntu- cloud.archive. canonical. com/ubuntu xenial- updates/ ocata Release: The following signatures were invalid: BADSIG 5EDB1B62EC4926EA Canonical Cloud Archive Signing Key <email address hidden> ubuntu- cloud.archive. canonical. com/ubuntu xenial- updates/ ocata Release' is not signed.
2017-06-19 13:53:22.420 | W: The repository 'http://