Package: apt
Version: 0.8.10.3+squeeze1
Severity: normal

Hello,

my new repository served over HTTPS with Lighttpd occasionally causes the following errors on apt-get update, when the Release file changes.

  W: Bizarre Error - File size is not what the server reported 9106 6071
  W: GPG error: https://deb.domain.com squeeze Release: The following signatures were invalid: BADSIG ABC11270D6652B36 Domain Inc. (packages) <d...@deb.domain.com>

At first I believed it to be a problem when a 304 is returned for Release, so I have ensured Last-Modified is unset and Cache-Control forces no caching, as well as using the following on the APT side:

  Acquire::https::No-Cache "true";
  Acquire::https::Max-Age "0";

Other bug reports I found indicated this may be the cause. However, after 2 days the problem was back, so I kept debugging and found hope in the report #646381, which indicated APT sends a malformed header including an erroneous \r\n. Since a fix entered experimental only, I patched https.cc and rebuilt apt-transport-https:

  //
  //   // if we have the file send an if-range query with a range header
  //   if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
  //   {
  //      char Buf[1000];
  //      sprintf(Buf,"Range: bytes=%li-\r\nIf-Range: %s\r\n",
  //            (long)SBuf.st_size - 1,
  //            TimeRFC1123(SBuf.st_mtime).c_str());
  //      headers = curl_slist_append(headers, Buf);
  //   }
  //
     // if we have the file send an if-range query with a range header
     if (stat(Itm->DestFile.c_str(),&SBuf) >= 0 && SBuf.st_size > 0)
     {
        char Buf[1000];
        sprintf(Buf, "Range: bytes=%li-", (long) SBuf.st_size - 1);
        headers = curl_slist_append(headers, Buf);
        sprintf(Buf, "If-Range: %s", TimeRFC1123(SBuf.st_mtime).c_str());
        headers = curl_slist_append(headers, Buf);
     }

But my issue repeats, I'm out of ideas, and my associates don't know whether to trust my repository or not.

Attached to the e-mail you will find output of:

  apt-get -o Debug::Acquire::https=true -o Debug::Acquire::gpgv=true -o Debug::pkgAcquire::Auth=true update

...including all headers sent and received on Release GET.

Here are the relevant contents of /var/lib/apt/lists while the issue is repeating:

  ls -al /var/lib/apt/lists/
  -rw-r--r-- 1 root root 18868 Apr 5 15:51 deb.domain.com_dists_squeeze_main_binary-amd64_Packages
  -rw-r--r-- 1 root root 14667 Apr 5 15:51 deb.domain.com_dists_squeeze_main_source_Sources
  -rw-r--r-- 1 root root 3036 Apr 5 15:51 deb.domain.com_dists_squeeze_Release
  -rw-r--r-- 1 root root 835 Apr 5 15:51 deb.domain.com_dists_squeeze_Release.gpg

  ls -al /var/lib/apt/lists/partial/
  -rw-r--r-- 1 root root 0 Apr 5 15:38 deb.domain.com_dists_squeeze_main_i18n_Translation-en
  -rw-r--r-- 1 root root 0 Apr 5 15:38 deb.domain.com_dists_squeeze_main_i18n_Translation-en%5fUS
  -rw-r--r-- 1 root root 36425 Apr 5 17:28 deb.domain.com_dists_squeeze_Release
  -rw-r--r-- 1 root root 835 Apr 5 17:28 deb.domain.com_dists_squeeze_Release.gpg

These servers are up to date Debian Squeeze 6.0.4.

Thank you.

* About to connect() to deb.domain.com port 443 (#0)
*   Trying 111.111.111.111... * connected
* Connected to deb.domain.com (111.111.111.111) port 443 (#0)
* found 141 certificates in /etc/ssl/certs/ca-certificates.crt
* SSL re-using session ID
*    server certificate verification OK
*    common name: *.domain.com (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: serialNumber=ad6c57sfKqXkXIhW0z7vi8OkT/Z62ORi,C=US,ST=NewYork,L=NewYork,O=Domain Inc\, Inc.,OU=SSL Services,CN=*.domain.com
*    start date: Wed, 15 Feb 2012 15:54:10 GMT
*    expire date: Tue, 19 Mar 2013 00:17:25 GMT
*    issuer: C=US,O=GeoTrust\, Inc.,CN=GeoTrust SSL CA
*    compression: NULL
*    cipher: AES-128-CBC
*    MAC: SHA1
> GET /dists/squeeze/Release HTTP/1.1
Host: deb.domain.com
Accept: */*
Cache-Control: no-cache
Pragma: no-cache
Range: bytes=6074-
If-Range: Thu, 05 Apr 2012 21:04:57 GMT

< HTTP/1.1 200 OK
< Last-Modified:
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Content-Length: 3036
< Date: Thu, 05 Apr 2012 21:05:16 GMT
< Server: Domain Inc.
<
Get:2 https://deb.domain.com squeeze Release [3,036 B]
* Connection #0 to host deb.domain.com left intact
Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release.gpg,/var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release)
inside VerifyGetSigners
gpgv path: /usr/bin/gpgv
Keyring file: /etc/apt/trusted.gpg
Keyring path: /etc/apt/trusted.gpg.d/
Preparing to exec: /usr/bin/gpgv /usr/bin/gpgv --ignore-time-conflict --status-fd 3 --keyring /etc/apt/trusted.gpg /var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release.gpg /var/lib/apt/lists/partial/deb.domain.com_dists_squeeze_Release
Read: [GNUPG:] BADSIG ABC11270D6652B36 Domain Inc. (packages) <dom...@deb.domain.com>
Got BADSIG!
gpgv exited
Err https://deb.domain.com squeeze Release
Fetched 9,945 B in 2s (4,595 B/s)
Reading package lists...
W: Bizarre Error - File size is not what the server reported 9110 6075
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.domain.com squeeze Release: The following signatures were invalid: BADSIG ABC11270D6652B36 Domain Inc. (packages) <dom...@deb.domain.com>
W: Failed to fetch https://deb.domain.com/dists/squeeze/Release
W: Some index files failed to download, they have been ignored, or old ones used instead.
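
Added example, not part of the original report and not APT's code: in the log above the server answers `Range: bytes=6074-` with `200 OK` and `Content-Length: 3036`, and 6074 + 3036 = 9110, the first size in the warning. The sketch below models how a resuming client should choose between appending and truncating; that the body was written at the range offset is an assumption about the cause, and `Reply`, `decide` and `resultingSize` are hypothetical names.

```cpp
#include <cstdio>

// Added example, not APT code. Models the reply to a
// "Range: bytes=N-" + "If-Range" request and what it means for the
// partial file already on disk.
enum class WriteMode { Append, Truncate, Reject };

struct Reply {            // constructed model of the response head
    int  status;          // 200, 206, 416, ...
    long contentLength;   // Content-Length value
    long rangeStart;      // first byte of Content-Range, -1 if header absent
};

// Decide how the body may be written into the partial file.
WriteMode decide(const Reply &r, long requestedOffset) {
    if (r.status == 206 && r.rangeStart == requestedOffset)
        return WriteMode::Append;    // server honoured the range
    if (r.status == 200)
        return WriteMode::Truncate;  // full body: stale partial data must go
    return WriteMode::Reject;        // anything else: leave the file alone
}

// File size after the body is written. honourStatus=false models a client
// that always writes at the requested offset, whatever the status says.
long resultingSize(const Reply &r, long requestedOffset, bool honourStatus) {
    WriteMode m = honourStatus ? decide(r, requestedOffset) : WriteMode::Append;
    if (m == WriteMode::Append)   return requestedOffset + r.contentLength;
    if (m == WriteMode::Truncate) return r.contentLength;
    return -1;                       // nothing written
}

int main() {
    Reply logged{200, 3036, -1};     // values taken from the debug log
    std::printf("write at offset: %ld bytes\n", resultingSize(logged, 6074, false));
    std::printf("status-aware:    %ld bytes\n", resultingSize(logged, 6074, true));
    return 0;
}
```

A file of 9110 bytes made of stale and fresh data would not match the detached signature in Release.gpg, whereas the 3036-byte result corresponds to the body the server actually sent.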