gpg: BAD signature from "Commercial Haskell all-cabal-files ..." #2773

Closed
creichert opened this issue Nov 10, 2016 · 10 comments · Fixed by commercialhaskell/all-cabal-tool#3

Comments

@creichert

creichert commented Nov 10, 2016

I'm getting gpg "Bad signature" errors on my local machine and on CI.

gpg: Signature made Thu 10 Nov 2016 03:41:42 PM CST using RSA key ID D6CF60FD
gpg: BAD signature from "Commercial Haskell all-cabal-files Travis job (Used exclusively on: https://github.com/commercialhaskell/all-cabal-files) <[email protected]>"
error: could not verify the tag 'current-hackage'

I'm not certain if this is something I'm doing wrong, so I'll be happy to try out any suggestions.

Steps to reproduce

For example:

  1. relevant stack.yaml
$ cat stack.yaml
[...]
package-indices:
  - name: hackage
    download-prefix: https://s3.amazonaws.com/hackage.fpcomplete.com/package/
    git: https://github.com/commercialhaskell/all-cabal-hashes.git
    http: https://s3.amazonaws.com/hackage.fpcomplete.com/00-index.tar.gz
    gpg-verify: true
    require-hashes: true
  2. receive gpg key
$ gpg --recv-key --keyserver keyserver.ubuntu.com D6CF60FD
gpg: requesting key D6CF60FD from hkp server keyserver.ubuntu.com
gpg: key D6CF60FD: "Commercial Haskell all-cabal-files Travis job (Used exclusively on: https://github.com/commercialhaskell/all-cabal-files) <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ gpg --edit D6CF60FD
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  2048R/D6CF60FD  created: 2015-04-16  expires: never       usage: SC  
                     trust: marginal      validity: unknown
sub  2048R/4EB79513  created: 2015-04-16  expires: never       usage: E   
[ unknown] (1). Commercial Haskell all-cabal-files Travis job (Used exclusively on: https://github.com/commercialhaskell/all-cabal-files) <[email protected]>

gpg> trust
pub  2048R/D6CF60FD  created: 2015-04-16  expires: never       usage: SC  
                     trust: marginal      validity: unknown
sub  2048R/4EB79513  created: 2015-04-16  expires: never       usage: E   
[ unknown] (1). Commercial Haskell all-cabal-files Travis job (Used exclusively on: https://github.com/commercialhaskell/all-cabal-files) <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa2048/E40D74D6D6CF60FD
     created: 2015-04-16  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
sub  rsa2048/449FF4B24EB79513
     created: 2015-04-16  expires: never       usage: E   
[ultimate] (1). Commercial Haskell all-cabal-files Travis job (Used exclusively on: https://github.com/commercialhaskell/all-cabal-files) <[email protected]>

gpg> quit
  3. run stack update or stack install
$ stack update
Fetched package index.                                                                                    
Running /usr/bin/git --git-dir=.git tag -v current-hackage in directory /home/christopher/.stack/indices/hackage/git-update/all-cabal-hashes/ exited with ExitFailure 1

object 4023c9095acf550a30d7c24036ba337568372bb8
type commit
tag current-hackage
tagger all-cabal-tool <[email protected]> 1479942071 +0000

Update from Hackage at 2016-11-23T22:58:55Z

gpg: Signature made Wed 23 Nov 2016 05:01:11 PM CST
gpg:                using RSA key E40D74D6D6CF60FD
gpg: BAD signature from "Commercial Haskell all-cabal-files Travis job (Used exclusively on: https://github.com/commercialhaskell/all-cabal-files) <[email protected]>" [ultimate]

Signature verification failed. 
Please ensure you've set up your
GPG keychain to accept the D6CF60FD signing key.
For more information, see:
https://github.com/fpco/stackage-update#readme

Stack version

$ stack --version
Version 1.1.3, Git revision 7669717b38b6cb9d54bc839c5583819095de3cb8 x86_64 hpack-0.14.0

I've also tested w/ latest from git:

$ ~/.local/bin/stack --version
Version 1.2.1, Git revision 5985b11143a4d3fc57cda67a5d3e77bd15c2f74f x86_64 hpack-0.14.1
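As an added example (not code from the original issue, from stack or from all-cabal-tool): a small Python classifier for gpg's machine-readable status lines (`gpg --status-fd`, which is also what `git verify-tag --raw` forwards). It separates the BAD signature seen in the report above from the "key not in your keychain" case that stack's error text points at, since those need different responses. The sample status lines are constructed; the key id is the one shown in the report.

```python
import re

# One machine-readable line of `gpg --status-fd` output (what
# `git verify-tag --raw` forwards): "[GNUPG:] KEYWORD args...".
STATUS_LINE = re.compile(r"^\[GNUPG:\]\s+([A-Z_]+)(?:\s+(.*))?$")

ADVICE = {
    "BADSIG": "signature does not match the tag content; trusting or "
              "re-importing the key cannot fix this, report it to the signer",
    "NO_PUBKEY": "signing key is not in the local keyring; import it and re-verify",
    "GOOD_UNTRUSTED": "good signature but the key has no trust set; "
                      "confirm its fingerprint, then set trust",
    "GOOD": "good signature from a trusted key",
    "NO_SIGNATURE": "no signature status seen; the tag may be unsigned",
}

def parse_status(lines):
    """Map each status keyword to its arguments (last occurrence wins)."""
    tokens = {}
    for raw in lines:
        m = STATUS_LINE.match(raw.strip())
        if m:
            tokens[m.group(1)] = m.group(2) or ""
    return tokens

def classify(lines):
    """Return (verdict, key id) for one gpg verification run."""
    t = parse_status(lines)
    if "BADSIG" in t:  # checked first: a bad signature overrides any trust level
        return "BADSIG", t["BADSIG"].split()[0]
    if "NO_PUBKEY" in t:
        return "NO_PUBKEY", t["NO_PUBKEY"].split()[0]
    if "GOODSIG" in t:
        trusted = "TRUST_ULTIMATE" in t or "TRUST_FULLY" in t
        return ("GOOD" if trusted else "GOOD_UNTRUSTED"), t["GOODSIG"].split()[0]
    return "NO_SIGNATURE", None

def explain(lines):
    """One-line diagnosis naming the real cause instead of a generic keychain hint."""
    verdict, keyid = classify(lines)
    return f"{verdict} (key {keyid or 'n/a'}): {ADVICE[verdict]}"

# Constructed sample status lines modelled on this issue; the key id
# E40D74D6D6CF60FD (long form of D6CF60FD) is the one shown in the report.
SAMPLE_BAD = ["[GNUPG:] BADSIG E40D74D6D6CF60FD Commercial Haskell all-cabal-files Travis job"]
SAMPLE_MISSING_KEY = ["[GNUPG:] ERRSIG E40D74D6D6CF60FD 1 8 01 1479942071 9",
                      "[GNUPG:] NO_PUBKEY E40D74D6D6CF60FD"]
SAMPLE_GOOD_UNTRUSTED = ["[GNUPG:] GOODSIG E40D74D6D6CF60FD Commercial Haskell all-cabal-files Travis job",
                         "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
```

Feed it the lines from `git verify-tag --raw current-hackage 2>&1` and `explain()` tells you whether to go looking for a key or to stop and distrust the tag.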
@creichert
Author

Another interesting detail. If I set gpg-verify: false in my stack.yaml (but require-hashes is true), I get the following:

$ stack build --fast
Fetching package index ...remote: Counting objects: 232381, done.
remote: Compressing objects: 100% (187606/187606), done.
remote: Total 232381 (delta 61782), reused 184336 (delta 42409), pack-reused 0
Receiving objects: 100% (232381/232381), 54.98 MiB | 10.07 MiB/s, done.
Resolving deltas: 100% (61782/61782), completed with 1 local objects.
From https://github.com/commercialhaskell/all-cabal-hashes
 * [new tag]         current-hackage -> current-hackage
Fetched package index.    
Populating index cache ...Package index hackage is configured to require package hashes, but no hash is available for hermes-1.3.4.3

@mgsloan mgsloan added this to the Support milestone Nov 11, 2016
@mgsloan
Contributor

mgsloan commented Nov 11, 2016

Pinging @dysinger, not sure if this is a code issue or documentation.

@creichert
Author

It could be me, of course. To clarify, I've had the same GPG setup working on CI for a while using stack. I hit this error when I pinned extra-deps: ["cryptonite-0.20"]. I triple checked the all-cabal-hashes repo and everything seemed to be up-to-date.

@creichert
Author

Is anyone else experiencing this issue? I'm still experiencing the same problem when I add cryptonite-0.20 to my extra-deps. This is a CI build that was otherwise working until adding that dependency.

@CodyReichert

Anyone had an opportunity to check this out yet?

@creichert
Author

I've managed to narrow this down to verifying the git tag:

$ cd  $HOME/.stack/indices/hackage/git-update/all-cabal-hashes/ && git --git-dir=.git tag -v current-hackage

@creichert
Author

creichert commented Nov 24, 2016

Maybe the key used to sign the tag is incorrect?

[image: elasticache1]

NOTE that message may be misleading if the gpg key hasn't been uploaded to the repo's GitHub settings

@kadoban
Collaborator

kadoban commented Nov 30, 2016

I'm getting this same issue, did someone sign something incorrectly, or is something else going on here? The signature sure seems to be invalid.

@snoyberg
Contributor

snoyberg commented Dec 8, 2016

I can confirm that the signature is invalid. This appears to be a problem with the tag signing code in the commercialhaskell/all-cabal-tool repo.

@lehins
Contributor

lehins commented Dec 8, 2016

Tag signing in all-cabal-tool was fixed, so this tag signature validation error should now be gone.
On that note, I would also like to comment on the warning mentioned by @creichert:

Populating index cache ...Package index hackage is configured to require package hashes, but no hash is available for hermes-1.3.4.3

That problem is actually related to hackage itself. Package version hermes-1.3.4.3 exists on hackage, so the hermes.cabal file is available for that version, but the actual source code distribution was removed, hence hash values of the package cannot be computed: commercialhaskell/all-cabal-hashes#9. Even hackage blows up with an HTTP 500 error on that package.
