lildebi
Latest gpgv fails to verify
In attempting to build Lil'Debi for Ubuntu, I kept having issues with verification. I have verified that gpgv on my computer can verify the release sig given the appropriate keyring. Using the latest gpgv on 4.4.4 fails, but the old gpgv (non-static) using the same arguments does not fail.
In this example,
/data/local/gpgv-new -v --keyring=/data/local/ubuntu-archive-keyring.gpg /data/local/release.gpg /data/local/release
caused the issue.
/data/local/gpgv-orig -v --keyring=/data/local/ubuntu-archive-keyring.gpg /data/local/release.gpg /data/local/release
succeeded.
My included wget version did not work because it could not resolve the DNS; maybe the signature checking also fails because it cannot resolve the DNS? (Just a wild guess)
This bypasses the wget issue by already having the keyring, detached sig file, and file all on local storage.
gpgv does not do anything on the network at all, so DNS is irrelevant. Ubuntu is not really well supported by cdebootstrap or debootstrap since those are both Debian tools which Ubuntu has not really adopted. For supporting Ubuntu, I think a better approach is to skip cdebootstrap altogether and instead download and install the ubuntu-core tarball.
Then the GPG verification process will also be different. It'll be something like this (totally untested):
wget http://cdimage.ubuntu.com/ubuntu-core/releases/12.04/release/ubuntu-core-12.04.5-core-armhf.tar.gz
wget http://cdimage.ubuntu.com/ubuntu-core/releases/12.04/release/SHA256SUMS.gpg
wget http://cdimage.ubuntu.com/ubuntu-core/releases/12.04/release/SHA256SUMS
gpgv SHA256SUMS.gpg SHA256SUMS
grep ubuntu-core-12.04.5-core-armhf.tar.gz SHA256SUMS > ubuntu-core-12.04.5-core-armhf.tar.gz.sha256
sha256sum -c ubuntu-core-12.04.5-core-armhf.tar.gz.sha256
Further discussion about getting Ubuntu working should happen on #122.
@eighthave Sorry, I totally skipped the Ubuntu part. I'm running the installer as it is (I want to install Debian) but I also get gpgv errors:
+ mkdir /data/debian/system
+ keyring_name=debian-archive-keyring.gpg
+ keyring=/data/data/info.guardianproject.lildebi/app_bin/debian-archive-keyring.gpg
+ test -f /data/data/info.guardianproject.lildebi/app_bin/debian-archive-keyring.gpg
+ echo Using keyring for validating packages: /data/data/info.guardianproject.lildebi/app_bin/debian-archive-keyring.gpg
Using keyring for validating packages: /data/data/info.guardianproject.lildebi/app_bin/debian-archive-keyring.gpg
run cdebootstrap in one stage
P: Retrieving Release
+ KEYRING=--keyring=/data/data/info.guardianproject.lildebi/app_bin/debian-archive-keyring.gpg
+ echo run cdebootstrap in one stage
+ /data/debian/usr/bin/cdebootstrap-static --verbose --foreign --flavour=minimal --include=locales --keyring=/data/data/info.guardianproject.lildebi/app_bin/debian-archive-keyring.gpg --configdir=/data/debian/usr/share/cdebootstrap-static --helperdir=/data/debian/usr/share/cdebootstrap-static --arch armel stable /data/debian http://mirrors.ece.ubc.ca/debian/
P: Retrieving Release.gpg
P: Validating Release
gpgv: Signature made Sat Jan 10 11:19:11 2015 GMT using RSA key ID 46925553
gpgv: Can't check signature: public key not found
gpgv: Signature made Sat Jan 10 11:27:35 2015 GMT using RSA key ID 65FFB764
gpgv: Can't check signature: public key not found
----------------------------------------
E: Couldn't validate Release!
+ exit
stop-debian.sh
Asking all processes to terminate...done
Killing remaining processes:
done
Checking for open files in Debian chroot...done
Unmounting everything...done
Debian chroot stopped and unmounted.
Is this on the same device as your other bug report? i.e.
Android 5.0.2 Cyanogenmod 12 on a HTC One S SELinux: Strict
Yes
Using the self-compiled gpgv fails when manually asked to verify the signatures. The gpgv2 included in recent gnupg-for-android builds also fails.
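One way to triage the "public key not found" failures in the cdebootstrap log above, as an added example that is not part of the original thread or of Lil'Debi: it classifies gpgv's machine-readable --status-fd output, so a keyring that lacks the signer's key can be told apart from a signature that fails verification. The function names, the zero-padded key IDs in the constructed samples, and the policy of accepting on one good signature with no bad ones are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Lil'Debi code). Reads gpgv --status-fd lines on stdin and
# prints one verdict:
#   OK             at least one good signature and no bad one (assumed policy)
#   MISSING_KEY .. no good signature; listed signer keys are not in the keyring
#   BAD_SIGNATURE  a signature failed cryptographic verification
#   UNVERIFIED     nothing usable (no signature seen, expired or revoked key)
classify_gpgv_status() {
    awk '
        $1 != "[GNUPG:]"  { next }                    # ignore human-readable lines
        $2 == "GOODSIG"   { good++ }
        $2 == "BADSIG"    { bad++ }
        $2 == "NO_PUBKEY" { missing = missing " " $3 } # collect absent key IDs
        END {
            if (bad)          print "BAD_SIGNATURE"
            else if (good)    print "OK"
            else if (missing) print "MISSING_KEY" missing
            else              print "UNVERIFIED"
        }'
}

# Hypothetical wrapper: run one gpgv binary and classify what it reports.
# usage: triage_gpgv GPGV KEYRING SIGFILE DATAFILE
triage_gpgv() {
    "$1" --status-fd 1 --keyring "$2" "$3" "$4" 2>/dev/null | classify_gpgv_status
}

# Constructed sample: both signers absent from the keyring, as in the log above.
# Key IDs are the log's short IDs, zero-padded to 16 hex digits for illustration.
sample_missing() {
    cat <<'EOF'
[GNUPG:] ERRSIG 0000000046925553 1 8 00 1420888751 9
[GNUPG:] NO_PUBKEY 0000000046925553
[GNUPG:] ERRSIG 0000000065FFB764 1 8 00 1420889255 9
[GNUPG:] NO_PUBKEY 0000000065FFB764
EOF
}

# Constructed sample: one signer verifies, the other key is not in the keyring.
sample_one_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0000000046925553 Constructed Signer <signer@example.invalid>
[GNUPG:] NO_PUBKEY 0000000065FFB764
EOF
}

sample_missing | classify_gpgv_status
```

To compare the two binaries from the first post, call triage_gpgv once with /data/local/gpgv-new and once with /data/local/gpgv-orig, keeping the keyring, signature and data arguments the same.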