#StackBounty: #20.04 #docker #raspberrypi #gnupg #arm apt update throws signature error in Ubuntu 20.04 container on arm

Bounty: 50

I am trying to build Raspberry Pi docker images but I am always having the same error, similar to this one, this one and this one.

While running the command apt update as root in an arm32v7/ubuntu:20.04 (or just ubuntu:latest), I get the following output:

root@273d63597ce6:/# apt update
Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [111 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [98.3 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [107 kB]
Err:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
  At least one invalid signature was encountered.
Err:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
  At least one invalid signature was encountered.
Err:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease
  At least one invalid signature was encountered.
Err:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
  At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I have tried the suggested solutions of cleaning apt, cleaning docker and removing/recreating /var/lib/apt/lists without success. The SD card is 32G and the OS is a fresh install. df shows 26G free.

Some more information:

  • This is happening on a fresh install of 2020-05-27-raspios-buster-lite-armhf on a Raspberry Pi 4 B
  • The same error happens on another Raspberry Pi 4 B running HypriotOS
  • The same command in the same image works fine on a Raspberry Pi 3 B that has Arch Linux installed
  • The error does not happen if I use an older version of Ubuntu (ubuntu:18.04, 16.04, 14.04)



#StackBounty: #networking #20.04 #gnupg gpg2 not able to download keys "receive failed: try again later"

Bounty: 100

I’m attempting to add the keys for RVM, however, I am getting an error from gpg2.

$ gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: keyserver receive failed: Try again later

I’ve also tried a more verbose approach but I get the same error:

$ gpg2 -vvv --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: using character set 'utf-8'
gpg: keyserver receive failed: Try again later

Right now the only Google search for the exact error message I’m getting is from the Arch Linux support boards. Here’s the thread. It’s a little terse and I’m not quite able to follow it, but the symlink mentioned at the end of the settings is in place.

/etc/resolv.conf shows this

nameserver 127.0.0.53
options edns0

Results of resolvectl query keys.gnupg.net

keys.gnupg.net: 209.244.105.201                -- link: enp37s0
                (hkps.pool.sks-keyservers.net)

-- Information acquired via protocol DNS in 478.3ms.
-- Data is authenticated: no

and resolvectl status says that my current DNS server is my router (Orbi model) 192.168.1.1. This is strange because when I load the Orbi app it says that the DNS servers are what I set them to which is 1.1.1.1 and 1.0.0.1 (unless Orbi proxies to them).

I’ve also tried some related Google searches and set my /root/.gnupg/dirmngr.conf and ~/.gnupg/dirmngr.conf (not sure if that one is required, but I thought it was worth a try) files to contain a one-line file that says standard-resolver and then killall dirmngr. This did not seem to fix the problem.



#StackBounty: #gnupg #pgp Why is it that pgp keyservers do not respond when I request keys?

Bounty: 100

I tried the Linux command line (bash 4.4.23 on Arch Linux kernel 4.18.16) with various key servers:

$ gpg -v --keyserver subkeys.pgp.net --recv-keys F434104235DA97EB
gpg: using character set 'utf-8'
gpg: keyserver receive failed: Server indicated a failure
$ gpg -v --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys F434104235DA97EB
gpg: using character set 'utf-8'
gpg: keyserver receive failed: Server indicated a failure
$ gpg --debug-level 9 --keyserver  hkp://keyserver.ubuntu.com:80 --recv-keys F434104235DA97EB
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/user/.gnupg
gpg: DBG: chan_3 <- # Config: /home/user/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.11 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.11
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkp://keyserver.ubuntu.com:80
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0xF434104235DA97EB
gpg: DBG: chan_3 <- ERR 167772379 Server indicated a failure <Dirmngr>
gpg: keyserver receive failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks
$ 

I tried the web interface of https://pgp.surfnet.nl/. It responds

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

I tried the web interface of https://pgp.mit.edu. It responds:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /pks/lookup.

Reason: Error reading from remote server

I tried the web interface at https://pgp.key-server.io. The reply is:

Hint! Double-check if the keyserver is up and running at the expected address:port (127.0.0.1:11369).
cURL error 52: Empty reply from server
#0 /var/www/pgp.key-server.io/vendor/guzzlehttp/guzzle/src/RequestFsm.php(103): GuzzleHttp\Exception\RequestException::wrapException(Object(GuzzleHttp\Message\Request), Object(GuzzleHttp\Ring\Exception\ConnectException))
#1 /var/www/pgp.key-server.io/vendor/guzzlehttp/guzzle/src/RequestFsm.php(132): GuzzleHttp\RequestFsm->__invoke(Object(GuzzleHttp\Transaction))
#2 /var/www/pgp.key-server.io/vendor/react/promise/src/FulfilledPromise.php(25): GuzzleHttp\RequestFsm->GuzzleHttp\{closure}(Array)
#3 /var/www/pgp.key-server.io/vendor/guzzlehttp/ringphp/src/Future/CompletedFutureValue.php(55): React\Promise\FulfilledPromise->then(Object(Closure), NULL, NULL)
#4 /var/www/pgp.key-server.io/vendor/guzzlehttp/guzzle/src/Message/FutureResponse.php(43): GuzzleHttp\Ring\Future\CompletedFutureValue->then(Object(Closure), NULL, NULL)
#5 /var/www/pgp.key-server.io/vendor/guzzlehttp/guzzle/src/RequestFsm.php(134): GuzzleHttp\Message\FutureResponse::proxy(Object(GuzzleHttp\Ring\Future\CompletedFutureArray), Object(Closure))
#6 /var/www/pgp.key-server.io/vendor/guzzlehttp/guzzle/src/Client.php(165): GuzzleHttp\RequestFsm->__invoke(Object(GuzzleHttp\Transaction))
#7 /var/www/pgp.key-server.io/vendor/jenssegers/proxy/src/Adapter/Guzzle/GuzzleAdapter.php(54): GuzzleHttp\Client->send(Object(GuzzleHttp\Message\Request))
#8 /var/www/pgp.key-server.io/vendor/jenssegers/proxy/src/Proxy.php(80): Proxy\Adapter\Guzzle\GuzzleAdapter->send(Object(Symfony\Component\HttpFoundation\Request), 'http://127.0.0....')
#9 /var/www/pgp.key-server.io/src/ctubio/HKPProxy/Keyserver/Router.php(46): Proxy\Proxy->to('http://127.0.0....')
#10 /var/www/pgp.key-server.io/src/ctubio/HKPProxy/Keyserver/Router.php(14): ctubio\HKPProxy\Keyserver\Router::getHKPResponse('/pks/lookup?sea...')
#11 /var/www/pgp.key-server.io/src/ctubio/HKPProxy/Keyserver.php(19): ctubio\HKPProxy\Keyserver\Router::getResponse()
#12 /var/www/pgp.key-server.io/pub/php-proxy-keyserver.php(14): ctubio\HKPProxy\Keyserver::getResponse()
#13 {main}

Various other key servers say “No results found” to any key I request.

  • What is going on? Is it a temporary problem? But why would all the key servers be offline at the same time?
  • Does it have anything to do with access to every key server being blocked by my connection (Then why can I reach the web interfaces that will then fail?)?
  • Is it that I am searching for invalid strings? I do not think so; I searched for a number of different ones, the one in the example here (F434104235DA97EB) should be the one that signed this package on github…
  • Is it that I am not connecting to the correct key servers?
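
Added example (not part of the original question): the `--debug-level 9` trace above is the Assuan exchange between gpg and dirmngr, and the number after ERR is a libgpg-error value packed as (source << 24) | code. This sketch pairs each ERR with the command that triggered it and decodes the number; the function names and the two partial lookup tables are assumptions of the example and cover only what this trace needs.

```python
import re

# Constructed sample: the Assuan lines copied from the debug output above.
TRACE = """\
gpg: DBG: chan_3 <- OK Dirmngr 2.2.11 at your service
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.11
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkp://keyserver.ubuntu.com:80
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0xF434104235DA97EB
gpg: DBG: chan_3 <- ERR 167772379 Server indicated a failure <Dirmngr>
"""

# libgpg-error layout: 7-bit source in bits 24-30, 16-bit code in the low bits.
SOURCE_SHIFT, SOURCE_MASK, CODE_MASK = 24, 0x7F, 0xFFFF
# Partial tables (assumption: only the entries this trace needs are listed).
SOURCES = {2: "GnuPG", 10: "Dirmngr"}
CODES = {219: "GPG_ERR_SERVER_FAILED"}

ASSUAN_LINE = re.compile(r"^gpg: DBG: chan_\d+ (->|<-) (.*)$")


def decode(value):
    """Split a packed libgpg-error value into (source, code)."""
    return (value >> SOURCE_SHIFT) & SOURCE_MASK, value & CODE_MASK


def failed_commands(trace):
    """Pair every ERR response with the last command gpg sent to dirmngr."""
    last_command, failures = None, []
    for raw in trace.splitlines():
        match = ASSUAN_LINE.match(raw)
        if not match:
            continue  # not an Assuan line (statistics, banners, ...)
        direction, payload = match.groups()
        if direction == "->":
            last_command = payload
        elif payload.startswith("ERR "):
            source, code = decode(int(payload.split()[1]))
            failures.append({
                "command": last_command,
                "source": SOURCES.get(source, "source %d" % source),
                "code": CODES.get(code, "code %d" % code),
            })
    return failures


if __name__ == "__main__":
    for failure in failed_commands(TRACE):
        print(failure)
```

For this trace the failure is raised by dirmngr on the KS_GET request, after the KEYSERVER command itself was accepted, which places the problem in the fetch from the keyserver rather than in gpg's local keyring handling.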

