bogus network proxies might cause: Clearsigned file isn't valid, got 'NODATA' (does the network require authentication?)

Bug #1206824 reported by Alexander Sack on 2013-07-31
56
This bug affects 9 people
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Low
Unassigned

Bug Description

On a hotel network I get:

sudo apt-get update
0% [Connecting to archive.ubuntu.com] [Connecting to ports.ubuntu.com] [Connecting to ppa.launchpad.net] [Connecting to archive.canonical.com]
0% [Connecting to archive.ubuntu.com] [Connecting to ports.ubuntu.com] [Connecting to ppa.launchpad.net] [Connecting to archive.canonical.com]
Get:1 http://archive.canonical.com saucy InRelease [75 B]
89% [1 InRelease gpgv 75 B] [Connecting to archive.ubuntu.com (91.189.91.14)] [Waiting for headers] [Waiting for headers]Splitting up /var/lib/apt/lists/partial/arIgn http://archive.canonical.com saucy InRelease
E: GPG error: http://archive.canonical.com saucy InRelease: Clearsigned file isn't valid, got 'NODATA' (does the network require authentication?)

and after removing all /var/lib/apt/lists forcefully, I get this variant:

Get:19 http://ports.ubuntu.com saucy/main armhf Packages [1,215 kB]
Get:20 http://archive.ubuntu.com saucy-updates Release [40.8 kB]
Get:21 http://archive.ubuntu.com saucy-security Release [40.8 kB]
Get:22 http://archive.ubuntu.com saucy/main Sources [1,004 kB]
Ign http://ppa.launchpad.net saucy/main Translation-en_US
Ign http://ppa.launchpad.net saucy/main Translation-en
Ign http://ppa.launchpad.net saucy/main Translation-en_US
Ign http://ppa.launchpad.net saucy/main Translation-en
Get:23 http://archive.canonical.com saucy InRelease [75 B]
66% [23 InRelease gpgv 75 B] [22 Sources 646 kB/1,004 kB 64%] [19 Packages 710 kB/1,215 kB 58%]Splitting up /var/lib/apt/lists/partial/archive.canonical.com_ubuntu_dists_saucy_InRelease into data and signIgn http://archive.canonical.com saucy InRelease
E: GPG error: http://archive.canonical.com saucy InRelease: Clearsigned file isn't valid, got 'NODATA' (does the network require authentication?)

Would be good to give better error messages that explain to folks that its likely that your network serves corrupted files (rather than ubuntu being broken). Might want to give folks hints that they could try to connect to a different wifi network etc.

Steve Langasek (vorlon) wrote :

This hotel network is particularly special; even after you authenticate to the web portal, it's blocking archive.canonical.com as "restricted" content. This contributes to the confusion, because most of the lists get downloaded without fine, then there's this cryptic message.

FWIW the actual contents of the partial InRelease file in this case are a one-line, malformed HTML file that does a meta refresh.

Changed in apt (Ubuntu):
status: New → Triaged
David Kalnischkies (donkult) wrote :

So, what do you suggest? The hint "does the network require authentication?" is already a wild guess as this can happen for temporary down servers (e.g. "Down for maintenance"), 'longtime down' servers (e.g. domain grabber got the domain), the network you are on requires you to authenticate (first time, again, after X minutes, for specific domains), the network has a pre-processing proxy to reduce traffic/enforce restrictions/parental control, the archive software really produced invalid files or you are under attack …

The sentence is easily 400 characters long and hasn't mentioned a single "solution" yet even though for all different things need (not) to be done.

If anyone can provide a better hint than the current which will fit on one line feel free tell us, but I don't expect that we can do anything reasonable to detect which one of the various possible problems that could be.

(It might first sound like we could detect "normal" vs. "restricted" archives as it seems to happen here, but APT really has no idea what the difference is, further more these could be on different mirrors, used via a proxy… so while this is "easy" (really?) to detect for a human, its close to impossible in code)

I have some hope for "511 Network Authentication Required" ( https://tools.ietf.org/html/rfc6585#section-6 ), but I haven't seen it implemented so far [APT has no specific support for it so far, but works as intended by default as any client should do].

Changed in apt (Ubuntu):
importance: Undecided → Low
jl451 (jl451) wrote :

can this message not stoped apt-get update ? I have many reps in sources.list, not only http://archive.getdeb.net

Get:2 http://archive.getdeb.net oneiric-getdeb InRelease [4555 B]
Ign http://ppa.launchpad.net saucy InRelease
Splitting up /var/lib/apt/lists/partial/archive.getdeb.net_ubuntu_dists_oneiric-getdeb_InRelease into data and signature failedIgn http://archive.getdeb.net oneiric-getdeb InRelease
E: GPG error: http://archive.getdeb.net oneiric-getdeb InRelease: Clearsigned file isn't valid, got 'NODATA' (does the network require authentication?)
Command exited with non-zero status 100

Michiel Blokzijl (code-p) wrote :

I just wanted to add a comment, for any others who come to this via Google.

I also hit this exact same error, but it turned out not to be caused directly by the network proxy. I had just run apt-add-repository, and that had failed to import the GPG key:

root@buildhost:/home/mblokzij/ws-qvpc# add-apt-repository ppa:x2go/stable
 Quick howto to turn your machine into an X2Go server:
...
gpg: keyring `/tmp/tmpf3fzey4y/secring.gpg' created
gpg: keyring `/tmp/tmpf3fzey4y/pubring.gpg' created
gpg: requesting key 0A53F9FD from hkp server keyserver.ubuntu.com
gpgkeys: key A7D8D681B1C07FE41499323D7CDE3A860A53F9FD can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Note the last line.

After manually importing the key, apt-get update ran fine. I used:

apt-key adv --recv-keys --keyserver keys.gnupg.net 0A53F9FD

I realise I used a different keyserver, but I copy/pasted the key id from the logs above.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers