Bad InRelease Signatures at https://packages.openziti.org/zitipax-openziti-deb-stable

I’m encountering invalid signatures on JFrog's InRelease files:

gpg -v --no-default-keyring --keyring /usr/share/keyrings/openziti.gpg --verify jammy/InRelease 
gpg: armor header: Hash: SHA256
gpg: armor header: Version: BCPG v1.68
gpg: original file name=''
gpg: Signature made Mon 10 Jul 2023 11:00:07 AM PDT
gpg:                using RSA key DE3623EF08C996E5
gpg: using pgp trust model
gpg: BAD signature from "OpenZiti Developers <developers@openziti.org>" [unknown]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072

On systems that prefer InRelease, apt update fails with error:

apt update
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]      
Get:5 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease [4264 B]
Err:5 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DE3623EF08C996E5
Reading package lists... Done
W: GPG error: https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DE3623EF08C996E5
E: The repository 'https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I have verified that public key DE3623EF08C996E5 is stored on the keyring /usr/share/keyrings/openziti.gpg and usable. The Release files verify without incident:

gpg -v --no-default-keyring --keyring /usr/share/keyrings/openziti.gpg --verify jammy/Release.gpg jammy/Release
gpg: armor header: Version: BCPG v1.68
gpg: Signature made Mon 10 Jul 2023 11:00:08 AM PDT
gpg:                using RSA key DE3623EF08C996E5
gpg: using pgp trust model
gpg: Good signature from "OpenZiti Developers <developers@openziti.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 34CB CF18 427D 8814 B5BD  BB0D DE36 23EF 08C9 96E5
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072

I’ve experimented and verified other archives’ InRelease files using the above approach.

Hey @tomc, I’m having issues reproducing this. Can you share some detail about any relevant apt configuration or modifications?

edit: I tried running this in a fresh ubuntu:22.04 container from the instructions provided here: Linux | OpenZiti

In my case I ran:

echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
apt-get update && apt-get install curl sudo gpg
curl -sSLf https://get.openziti.io/tun/scripts/install-ubuntu.bash | bash

I also tried running with some modifications to apt to attempt to force InRelease only, but I’m not 100% certain I’ve reproduced your environment in a meaningful way.

I’ve determined the cause of the issue. A new security baseline is being applied that establishes umask 027. The issue arises as apt drops privileges, setresgid(-1, nogroup, -1) and setresuid(-1, _apt, -1), to perform several functions, including accessing /usr/share/keyrings/openziti.gpg. Since /usr/share/keyrings/openziti.gpg is owned root:root and has permissions 0640, open(/usr/share/keyrings/openziti.gpg) fails with error EPERM.

To address other users who may have a similar circumstance, should https://get.openziti.io/tun/scripts/install-ubuntu.bash explicitly set umask 022?

Thanks for letting us know! Tracking this issue in GitHub: apt doesn't have permission to read package signing pubkey · Issue #646 · openziti/ziti-doc · GitHub

Which OS caused this issue to manifest, @tomc? I’d like to make sure it’s solved on that OS by setting read mode for others on the signing pubkey file, e.g., chmod +r /usr/share/keyrings/openziti.gpg, as part of the install script.
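Added example, not part of the thread and not the OpenZiti install script: a POSIX sh walkthrough of the failure mode described above (umask 027 producing a 0640 keyring that the unprivileged _apt user cannot open), with a check that flags keyring files whose others-read bit is clear and the corresponding fix. Function names, the scratch directory and the sample filename are my own assumptions; nothing under /usr/share/keyrings or /etc/apt/keyrings is touched unless you call find_unreadable_keyrings on those directories yourself.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti install script):
# reproduce the umask 027 effect on a scratch file and detect keyring
# files that apt's unprivileged _apt user cannot read.

# Mode a newly created regular file receives under a given umask, assuming
# the usual 0666 creation mode (directories would start from 0777).
mode_under_umask() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# Octal permission bits of an existing file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when the "others" read bit is set. _apt is neither root nor a member
# of the keyring's group, so this bit decides whether apt can open the file.
others_can_read() {
    [ $(( 0$(file_mode "$1") & 04 )) -ne 0 ]
}

# Create a file the way a script running under umask $1 would create it.
create_with_umask() {
    ( umask "$1" && : > "$2" )
}

# An explicit "o+r" is applied regardless of the caller's umask; a bare
# "+r" is itself masked by umask 027 and would leave the others bit clear.
make_apt_readable() {
    chmod o+r "$1"
}

# Print each keyring file in the given directories that apt cannot read.
# Returns 0 when none were found, 1 otherwise.
find_unreadable_keyrings() {
    rc=0
    for dir in "$@"; do
        for f in "$dir"/*.gpg "$dir"/*.asc; do
            [ -f "$f" ] || continue
            others_can_read "$f" || {
                echo "not readable by _apt: $f (mode $(file_mode "$f"))"
                rc=1
            }
        done
    done
    return $rc
}

# Stand-alone walkthrough on a scratch directory; no system files are touched.
main() {
    tmp=$(mktemp -d) || exit 1
    create_with_umask 027 "$tmp/openziti.gpg"   # constructed sample keyring
    echo "umask 027 gives mode $(file_mode "$tmp/openziti.gpg") (expected $(mode_under_umask 027))"
    find_unreadable_keyrings "$tmp" || echo "-> apt would report NO_PUBKEY for this key"
    make_apt_readable "$tmp/openziti.gpg"
    find_unreadable_keyrings "$tmp" && echo "fixed: mode $(file_mode "$tmp/openziti.gpg")"
    rm -rf "$tmp"
}

main
```

To audit a real host, run find_unreadable_keyrings /usr/share/keyrings /etc/apt/keyrings; it lists files apt's dropped-privilege reads would fail on. Note the design choice in make_apt_readable: under umask 027 a bare chmod +r is masked and leaves the others bit unset, so the fix uses an explicit o+r (or an absolute 0644), which is not subject to umask.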