[SERVER-25421] Ubuntu Install - GPG error BADSIG D68FA50FEA312927
Created: 03/Aug/16  Updated: 06/Dec/22  Resolved: 05/Aug/16

Status: Closed
Project: Core Server
Component/s: Packaging
Affects Version/s: 3.2.8
Fix Version/s: None

Type: Bug
Priority: Critical - P2
Reporter: Wan Bachtiar
Assignee: Backlog - Build Team (Inactive)
Resolution: Done
Votes: 5
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-25422 Debian Wheezy mongodb 3.2 repository ... Closed
is duplicated by SERVER-25433 GPG error - BADSIG D68FA50FEA312927 Closed
Related
related to SERVER-25424 Configuration for RedHat 5 In reposit... Closed
related to SERVER-22143 GPG error - BADSIG D68FA50FEA312927 Closed
Assigned Teams:
Build
Operating System: ALL
Steps To Reproduce:

Follow docs https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/

1) sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
2) 14.04: echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
3) sudo apt-get update

Participants:

 Description   

The signing key of the Ubuntu repo is invalid.

And apt-get update returns in 16.04:

W: GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release: The following signatures were invalid: BADSIG D68FA50FEA312927 MongoDB 3.2 Release Signing Key <packaging@mongodb.com>
W: The repository 'http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

In 14.04:

 W: GPG error: http://repo.mongodb.org trusty/mongodb-org/3.2 Release: The following signatures were invalid: BADSIG D68FA50FEA312927 MongoDB 3.2 Release Signing Key <packaging@mongodb.com>



 Comments   
Comment by Ramon Fernandez Marina [ 05/Aug/16 ]

The "weak digest" message is not related to the problem described in this ticket or the issue that caused it, so I'm closing this ticket again.

If I understand correctly, starting with OpenSSH 7.0 all things SHA1 are considered weak and either disabled or triggering warnings. Please open a separate ticket for further investigation if this is an issue for you.

Thanks,
Ramón.

Comment by David Cullen [X] [ 03/Aug/16 ]

I can confirm that on Ubuntu 16.04 apt-get update prints this warning:

W: http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.2/Release.gpg: Signature by key 42F3E95A2C4F08279C4960ADD68FA50FEA312927 uses weak digest algorithm (SHA1)

Comment by Wan Bachtiar [ 03/Aug/16 ]

I can confirm that I can download and install MongoDB 3.2.8 from Ubuntu 14.04 and 16.04.
However, in Ubuntu 16.04 apt-get update is printing out a warning about the key:

W: http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.2/Release.gpg: Signature by key 42F3E95A2C4F08279C4960ADD68FA50FEA312927 uses weak digest algorithm (SHA1)

Ubuntu 14.04 does not show this warning message.

Comment by Ramon Fernandez Marina [ 03/Aug/16 ]

The changes in SERVER-25424 addressed the cause of this problem, so I'm going to resolve this ticket.

The repos were fixed earlier today and should be correct and complete – if anyone has any issues please comment here and we'll reopen this ticket to investigate.

Thanks everyone for their patience.
Ramón.

Comment by Ramon Fernandez Marina [ 03/Aug/16 ]

We're currently experiencing problems with a new publishing system; these problems are being investigated at high priority.

The issues also affect RedHat repositories as described in SERVER-25424. Please continue to watch this ticket and SERVER-25424 for updates.

Apologies for the inconvenience.

Thanks,
Ramón.

Comment by David Cullen [X] [ 03/Aug/16 ]

I can confirm that this is still a problem on Ubuntu 16.04:

W: GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release: The following signatures were invalid: BADSIG D68FA50FEA312927 MongoDB 3.2 Release Signing Key <packaging@mongodb.com>
W: The repository 'http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Is there an ETA for when this will be fixed? Also, why does this keep happening?

Comment by Matthieu Rigal [ 03/Aug/16 ]

And there are other problems with the RHEL repos also!!!
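
The two kinds of warning quoted in this ticket mean different things: BADSIG and "is not signed" say the Release file could not be authenticated, while "weak digest" says the signature verified but used SHA1. The following is an added example, not part of the ticket or of MongoDB's tooling, that classifies those lines and shows that the key ID in the BADSIG message, the short ID passed to apt-key in the steps to reproduce, and the fingerprint in the weak-digest message all name the same key. The rule names and the blocking/non-blocking split are assumptions made for the example.

```python
import re

# Warning lines copied from this ticket (apt-get update on Ubuntu 16.04).
SAMPLE = (
    "W: GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release: "
    "The following signatures were invalid: BADSIG D68FA50FEA312927 "
    "MongoDB 3.2 Release Signing Key <packaging@mongodb.com>\n"
    "W: The repository 'http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release' "
    "is not signed.\n"
    "W: http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.2/Release.gpg: "
    "Signature by key 42F3E95A2C4F08279C4960ADD68FA50FEA312927 "
    "uses weak digest algorithm (SHA1)\n"
)

# (kind, blocking, pattern). Assumption for this example: "blocking" kinds mean
# the Release file was not authenticated; weak_digest is reported but not blocking,
# matching the comments that installation still worked with that warning.
RULES = [
    ("badsig", True, re.compile(r"^W: GPG error: (?P<repo>.+?): The following signatures "
                                r"were invalid: .*?BADSIG (?P<key>[0-9A-F]{16})")),
    ("unsigned", True, re.compile(r"^W: The repository '(?P<repo>.+)' is not signed\.")),
    ("weak_digest", False, re.compile(r"^W: (?P<repo>\S+): Signature by key "
                                      r"(?P<key>[0-9A-F]{40}) uses weak digest "
                                      r"algorithm \((?P<algo>[^)]+)\)")),
]

def classify(output):
    """Return one finding (dict) per recognised apt warning line."""
    findings = []
    for line in output.splitlines():
        for kind, blocking, pattern in RULES:
            m = pattern.match(line.strip())
            if m:
                findings.append({"kind": kind, "blocking": blocking, **m.groupdict()})
                break
    return findings

def same_key(key_id, fingerprint):
    """A short or long key ID is the tail of the key's full fingerprint."""
    return fingerprint.upper().endswith(key_id.upper())

def repo_trusted(findings):
    """False if any finding means the repository metadata was not authenticated."""
    return not any(f["blocking"] for f in findings)

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
    print("trusted:", repo_trusted(classify(SAMPLE)))
```

A provisioning or CI job can pipe the output of apt-get update through classify() and stop when repo_trusted() returns False instead of continuing to install from an unauthenticated repository.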
