FS#1766 - opkg fails signature check on already downloaded and verified package lists #6874
Comments
wenzhuoz: Still reproducible in 18.06.1. Other users are experiencing the problem too. [[https://forum.openwrt.org/t/help-with-opkg-install-pkg-failed-to-verify-the-signature-of-18-06-0-x86-64/19080|External Link]] Steps to create OpenWrt VM:
Adding a working http_proxy option to /etc/opkg.conf is able to work around the problem, e.g. |
jow-: Something is intercepting HTTP and altering contents in your case, this is nothing we can solve on the OpenWrt end. The fact that using an HTTP proxy solves the problem is a strong indicator that your ISP or uplink provider is modifying the HTTP responses in-flight. Either switch to another upstream provider or use a proxy, a VPN or consider installing ustream-ssl + certificates and reconfigure your opkg repositories to use https instead of http. |
wenzhuoz: But the package lists downloaded by opkg are actually OK. I verified them both manually and by the opkg-key utility. |
wenzhuoz:
|
jow-: Likely a transparent proxy is decompressing and re-compressing the lists, causing them to have a different message digest. |
wenzhuoz: It’s really not the case. Opkg successfully verified the lists on the first run, and I manually verified that they haven’t been tampered with. |
wenzhuoz: Reason 3: |
wenzhuoz: Attaching transcript captured from a fresh new VM as evidence. |
jow-: Still unable to reproduce this. Maybe check the sha256sum of the list files before / after the incident. Also your transcript shows no second update, the lists are broken after the opkg upgrade call already. If the opkg upgrade reliably breaks it, then consider running the upgrade command under strace to see what is happening. |
wenzhuoz: Opkg can successfully verify the package lists on the first run, and I have verified the package lists both by comparing them with manually downloaded versions (downloaded through VPN/https) and by verifying the gpg signatures of the gunzip'ed list files. |
jow-: Opkg does not use gpg to verify the lists, it uses ''usign'' through ''opkg-key''. |
wenzhuoz: I know. I have used opkg-key to verify the lists as well. Uploading strace log shortly. |
wenzhuoz:
|
jow-: Please repeat with ''strace -f -o output.log opkg update'' to capture child processes as well. |
wenzhuoz: Attaching strace output of
|
jow-: However, it seems here lies your problem:
fork() = -1 ENOMEM (Out of memory)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
writev(1, [{iov_base="", iov_len=0}, {iov_base="Signature check failed.\n", iov_len=24}], 2) = 24
The opkg process runs out of memory when attempting to fork/exec the ''opkg-key'' command. Note that the lists stored in ''/tmp/opkg-lists/'' reside on tmpfs, so they'll consume RAM. This means a subsequent ''opkg update'' run will have less memory available. Consider increasing the memory of your VM. |
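An added example, not part of the original thread or of opkg: a shell check that separates the two cases discussed above by scanning an strace log (such as the one from ''strace -f -o output.log opkg update'') for a failed fork/vfork/clone immediately before the "Signature check failed." write. The function name classify_sigfail, the 5-line window and the second sample log are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Usage: classify_sigfail output.log [window]
# Prints one of:
#   spawn-failure ERRNO  fork/vfork/clone failed just before the message,
#                        so opkg-key was never started
#   verify-failure       the message appears without a failed spawn nearby
#   no-failure           the message is not in the log
classify_sigfail() {
    awk -v window="${2:-5}" '
        # Remember the latest process-creation syscall that returned an error.
        /(fork|vfork|clone3?)\(.*\) += -1 E[A-Z]+/ {
            spawn_line = NR
            err = $0
            sub(/.*= -1 /, "", err)    # leaves "ENOMEM (Out of memory)"
            sub(/ .*/, "", err)        # leaves "ENOMEM"
        }
        # Classify the first occurrence of the message opkg writes.
        /Signature check failed/ && !result {
            near = (spawn_line && NR - spawn_line <= window)
            result = near ? "spawn-failure " err : "verify-failure"
        }
        END { print (result ? result : "no-failure") }
    ' "$1"
}

# Constructed sample logs: the first reuses the three lines quoted above,
# the second is a made-up trace in which the child ran and exited non-zero.
demo_dir=$(mktemp -d)
cat > "$demo_dir/oom.log" <<'EOF'
fork() = -1 ENOMEM (Out of memory)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
writev(1, [{iov_base="", iov_len=0}, {iov_base="Signature check failed.\n", iov_len=24}], 2) = 24
EOF
cat > "$demo_dir/badsig.log" <<'EOF'
fork() = 1234
wait4(1234, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 1234
writev(1, [{iov_base="", iov_len=0}, {iov_base="Signature check failed.\n", iov_len=24}], 2) = 24
EOF
for f in oom badsig; do
    printf '%s: %s\n' "$f" "$(classify_sigfail "$demo_dir/$f.log")"
done
rm -rf "$demo_dir"
```

A spawn-failure result means the message reflects opkg being unable to start the verifier, so the list files and their signatures should be checked separately before drawing any conclusion about tampering.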
wenzhuoz:
ENOMEM (Out of memory)? Will try again with 128M. |
wenzhuoz:
|
wenzhuoz: Well, adding 2M to the VM |
wenzhuoz: It's weird that configuring a http_proxy in opkg.conf can work around the problem. |
wenzhuoz:
Supply the following if possible:
opkg fails signature check on already downloaded and verified package lists, which makes opkg upgrade impossible.