Artifactory Binary Repository / RTFACT-22916

Artifactory fails verifying the signatures of signed repository files in /var/lib/apt/lists

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Deferred
    • Affects Version/s: 6.19.0, 7.6.0
    • Fix Version/s: None
    • Component/s: Debian
    • Labels:

      Description

      Artifactory fails verifying the signatures of signed repository files in /var/lib/apt/lists; it throws a BAD signature error while testing. It is reproducible in 6.19 as well. The signature of the InRelease file is causing this BAD signature.

      Artifactory 6.19 introduced support for the InRelease metadata file for Debian repositories. This seems to be broken. https://github.com/AdoptOpenJDK/openjdk-installer/issues/235
      Same behavior tested on 7.6.

      apt-get update or apt-get install does not report any errors.

      Reproduction Steps

      1) wget -qO - RESTRICTED_URL1 | sudo apt-key add -
      2) sudo add-apt-repository --yes RESTRICTED_URL2| bionic main
      3) sudo apt update
      4) apt-key adv --verify RESTRICTED_PATH

      Output

      Executing: /tmp/apt-key-gpghome.RIvVEJjtXN/gpg.1.sh --verify RESTRICTED_PATH
      gpg: Signature made Wed Jul 22 00:22:38 2020 UTC
      gpg: using RSA key RESTRICTED_RSA
      gpg: BAD signature from "saiun (df) <saiu@jfrog.com>" [unknown]


              People

              Assignee:
              Unassigned
              Reporter:
              saiu Sai Undurthi
              Votes:
              2
              Watchers:
              8

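A check for the condition this report describes, as an added example that is not part of the original ticket or of Artifactory's code: it runs gpgv over every InRelease file in /var/lib/apt/lists and flags BAD signatures, which the report says apt-get update does not surface. The function names and the keyring locations (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*.gpg) are assumptions; repositories pinned to a signed-by keyring need that keyring passed instead.

```shell
#!/bin/sh
# Added example. Function names and keyring paths are assumptions.

# Reduce gpgv --status-fd lines (stdin) to one verdict for the file.
# Any BADSIG fails the file; otherwise one GOODSIG is enough.
# UNSIGNED means gpgv reported no signature status at all.
classify_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"  { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { unchecked = 1 }
        END {
            if (bad) print "BAD"
            else if (good) print "GOOD"
            else if (unchecked) print "UNCHECKED"
            else print "UNSIGNED"
        }'
}

# Verify every InRelease file in a lists directory (default: apt's own)
# against apt's binary keyrings. Returns 1 if any file is BAD, 2 without gpgv.
audit_apt_lists() {
    lists_dir=${1:-/var/lib/apt/lists}
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 2; }
    rc=0
    set --
    for k in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
        if [ -f "$k" ]; then set -- "$@" --keyring "$k"; fi
    done
    for f in "$lists_dir"/*InRelease; do
        if [ ! -f "$f" ]; then continue; fi
        verdict=$(gpgv --status-fd 1 "$@" "$f" 2>/dev/null | classify_status)
        printf '%s\t%s\n' "$verdict" "$f"
        if [ "$verdict" = BAD ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: audit_apt_lists            (or: audit_apt_lists /path/to/lists)
```

Running it from a scheduled job after each apt update and alerting on a non-zero exit status turns the silent failure into a visible one.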