[SOLVED] Private apt repository started to fail with "provides only weak security information"

Berveglieri · 03-13-2023, 05:30 PM

Hello everyone,

I have created a private apt repository to host some packages but it keeps failing with the following message

The repository 'https://myrepo/packages stable InRelease' provides only weak security information.

But this is not true, I have signed my InRelease file with my gpg key and used SHA512.

My InRelease file content:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: My Official MyRepo
Label: MyRepo
Suite: stable
Codename: stable
Version: 1.0
Architectures: arm64
Date: Mon, 13 Mar 2023 22:15:30 UTC
Components: main
Description: Myrepo official repository
MD5Sum:
f8ab4d4ccb2ea545450543fbcc47a8eb 1370 main/binary-arm64/Packages
969b1f067132522b3d2ac444292f9189 675 main/binary-arm64/Packages.gz

SHA1:
03b1c4c2ead70762e62048407b18e798486d809c 1370 main/binary-arm64/Packages
508b0e854b0101bbe15f979c40960b8ed39a2c8a 675 main/binary-arm64/Packages.gz

SHA256:
8665bb7908caf9babb27708d838ba94408ba2381dc775252a91dd0779fa3cd4d 1370 main/binary-arm64/Packages
e5c0c9da97519e8b192af00a4ffc3b0c7a76b6a9a126b608e42ade0ab1a3eafa 675 main/binary-arm64/Packages.gz

-----BEGIN PGP SIGNATURE-----

wsFzBAEBCgAnBQJkD6CCCZClmk6HjLU2gBYhBIzBPRgKIUmOamTeuKWaToeMtTaA
AACnQw/9E7KK8LkRoL9RiRRxzecAaOE9RvvzA5dHcsxbvj+GLwRJ18/2R9iiOsTK
hWC7x4iKzppAkCqtIPkbBJZ6ESBStGuFJJ2NcUgcKKfLoaNP+hJSbBD231vuDP7T
1nzZRB+TWRZ3mVP1IzX74cwIrn8U+SJK2zeTZtC9wVQmrYPVwGiOVmKdX3/Y5Jq2
EGemMyyWU42GpezC0t59DCiDMdRnaPLmkLu2hxZtUTz/NWY1E2CVa3zTBqZnjwdQ
FtPhzy5Vby60rG3IkQSjOU4TK/eMfo8toP5TbDd1DRvMtYjFclsr8fJC+BslMKzb
5H9D147VmM8LkZzxH2dHhO7mZtcwUtEftGP88PbPVUQaMhXWznPti4AJF6gJGapn
8cWbGeSz77jO7wlcgRYfGmMT0Pkffz19+42bAqQVEgEDg5xDQoNB+2zrESZRQA7u
7geq02O9y06gXoGKs2f5oYXqebFYnVriPbyidvmxJspP7l3vPEkOcVPq6xSeKUmM
LYmj3EvOQUgeCgsJp5jv00hD5JC+fxRf/O1RprMtfXUih2P/kRgAl7Zf7bXM1nsF
xp6KT9RA46+SDOm6XO0BnJ6rfXOEnk5FeQ8/XGEEXUw+hpck0z/BuhL30qryzzbC
XyY+32QRkRX42rO9SjIWBsnR3EgqQET7e0G8OnmqWaPw0paBypY=
=o5Cd
-----END PGP SIGNATURE-----

I have no idea why apt is complaining about this, any idea what could be the issue?

I have the following files

InRelease
Release
Release.gpg

My release file content:

Origin: My Official MyRepo
Label: MyRepo
Suite: stable
Codename: stable
Version: 1.0
Architectures: arm64
Date: Mon, 13 Mar 2023 22:15:30 UTC
Components: main
Description: Myrepo official repository
MD5Sum:
f8ab4d4ccb2ea545450543fbcc47a8eb 1370 main/binary-arm64/Packages
969b1f067132522b3d2ac444292f9189 675 main/binary-arm64/Packages.gz

SHA1:
03b1c4c2ead70762e62048407b18e798486d809c 1370 main/binary-arm64/Packages
508b0e854b0101bbe15f979c40960b8ed39a2c8a 675 main/binary-arm64/Packages.gz

SHA256:
8665bb7908caf9babb27708d838ba94408ba2381dc775252a91dd0779fa3cd4d 1370 main/binary-arm64/Packages
e5c0c9da97519e8b192af00a4ffc3b0c7a76b6a9a126b608e42ade0ab1a3eafa 675 main/binary-arm64/Packages.gz

Thank you

evo2 · 03-13-2023, 05:54 PM

Hi,

perhaps this is because the Release file doesn't contain hashes for Sources or Contents files. What tools are you using to create/populate this repo?

Evo2.

Berveglieri · 03-13-2023, 06:04 PM

Quote:

Originally Posted by evo2

Hi,

perhaps this is because the Release file doesn't contain hashes for Sources or Contents files. What tools are you using to create/populate this repo?

Evo2.

Is this necessary? saw some tutorials where it wasn't mentioned.
The whole repository is created through a Golang application that I have developed.
But the whole concept is the same as the one described in the documentation, to sign the Release file I use the package "github.com/ProtonMail/go-crypto/openpgp".

This is being really hard to understand because we can clearly see the gpg key signature in the file.

evo2 · 03-13-2023, 06:14 PM

Hi,

Quote:

Originally Posted by Berveglieri

Is this necessary? saw some tutorials where it wasn't mentioned.

Hmm, what tutorials?

Quote:

Originally Posted by Berveglieri

The whole repository is created through a Golang application that I have developed.
But the whole concept is the same as the one described in the documentation, to sign the Release file I use the package "github.com/ProtonMail/go-crypto/openpgp".

There are many already existing tools to create repos. Not sure why you rolled your own.
I suggest you have a look at https://wiki.debian.org/DebianRepository/Setup
I use mini-dinstall with a setup inspired by https://upsilon.cc/~zack/blog/posts/....o_using_dput/

Quote:

Originally Posted by Berveglieri

This is being really hard to understand because we can clearly see the gpg key signature in the file.

Right but you've only signed the Packages file not the other files in the repo.

Evo2.

Berveglieri · 03-13-2023, 07:58 PM

I was able to identify the issue.
The Release file had tabulation with new lines between the hashes like this:

MD5SUM:
72676343453453 1371 main/binary-arm64/Packages

SHA1:
....

SHA256:
...

I have checked the apt implementation and they do not have a condition for tabulation with new line (\t\n) and that's actually my case when I generate the Release file.
https://salsa.debian.org/apt-team/ap...aindex.cc#L674
So that's why apt was failing to validate it, after removing the blank lines it worked because now it makes part of a condition that exists so apt was able to validate my release file.
I hope it helps someone.