Debian Bug report logs - #486408
cron.daily: The update downloaded successfully, but the GPG signature verification failed

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Francois Marier <francois@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: cron.daily: The update downloaded successfully, but the GPG signature verification failed

Date: Mon, 16 Jun 2008 09:54:43 +1200

Package: spamassassin
Version: 3.2.4-2
Severity: normal

I've been getting this cron error for the past 3 days:

  /etc/cron.daily/spamassassin:
  error: GPG validation failed!
  The update downloaded successfully, but the GPG signature verification
  failed.
  channel: GPG validation failed, channel failed

I'm not sure whether there's anything wrong with the Debian package or
whether it's a problem on some upstream SpamAssassin update server...

Francois

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Shell: /bin/sh linked to /bin/dash

Versions of packages spamassassin depends on:
ii  libdigest-sha1-perl           2.11-2+b1  NIST SHA-1 message digest algorith
ii  libhtml-parser-perl           3.56-1+b1  A collection of modules that parse
ii  libnet-dns-perl               0.63-1+b1  Perform DNS queries from a Perl sc
ii  libsocket6-perl               0.20-1     Perl extensions for IPv6
ii  libsys-hostname-long-perl     1.4-2      Figure out the long (fully-qualifi
ii  libwww-perl                   5.812-1    WWW client/server library for Perl
ii  perl                          5.10.0-10  Larry Wall's Practical Extraction 
ii  perl-modules [libarchive-tar- 5.10.0-10  Core Perl modules

Versions of packages spamassassin recommends:
ii  gcc                           4:4.3.0-8  The GNU C compiler
ii  gnupg                         1.4.9-2    GNU privacy guard - a free PGP rep
ii  libc6-dev                     2.7-12     GNU C Library: Development Librari
ii  libmail-spf-perl              2.005-1    Perl implementation of Sender Poli
ii  libsys-syslog-perl            0.24-1+b1  Perl interface to the UNIX syslog(
ii  make                          3.81-5     The GNU version of the "make" util
ii  re2c                          0.13.3-1   tool for generating fast C-based r
ii  spamc                         3.2.4-2    Client for SpamAssassin spam filte

-- no debconf information

Message #10 received at 486408@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Francois Marier <francois@debian.org>, 486408@bugs.debian.org

Subject: Re: Bug#486408: cron.daily: The update downloaded successfully, but the GPG signature verification failed

Date: Sun, 15 Jun 2008 23:44:01 +0100

Hi,

On Mon, 2008-06-16 at 09:54 +1200, Francois Marier wrote:
> I've been getting this cron error for the past 3 days:
> 
>   /etc/cron.daily/spamassassin:
>   error: GPG validation failed!
>   The update downloaded successfully, but the GPG signature verification
>   failed.
>   channel: GPG validation failed, channel failed
> 
> I'm not sure whether there's anything wrong with the Debian package or
> whether it's a problem on some upstream SpamAssassin update server...

Neither, apparently. The recently released 3.2.5 includes this change:

bug 5775: newer gpg versions require keys to be cross-certified
(backsig).  Did a cross-verify on our sa-update public key and
re-exported.  (If you are already seeing "GPG validation failed" errors
from sa-update, see
http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified .)

Regards,

Adam

Message #15 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Noah Meyerhans <noahm@debian.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 486408@bugs.debian.org

Subject: Re: Bug#486408: cron.daily: The update downloaded successfully, but the GPG signature verification failed

Date: Mon, 16 Jun 2008 12:32:11 -0400

[Message part 1 (text/plain, inline)]

On Sun, Jun 15, 2008 at 11:44:01PM +0100, Adam D. Barratt wrote:
> > I've been getting this cron error for the past 3 days:
> > 
> >   /etc/cron.daily/spamassassin:
> >   error: GPG validation failed!
> >   The update downloaded successfully, but the GPG signature verification
> >   failed.
> >   channel: GPG validation failed, channel failed
> > 
> > I'm not sure whether there's anything wrong with the Debian package or
> > whether it's a problem on some upstream SpamAssassin update server...
> 
> Neither, apparently. The recently released 3.2.5 includes this change:
> 
> bug 5775: newer gpg versions require keys to be cross-certified
> (backsig).  Did a cross-verify on our sa-update public key and
> re-exported.  (If you are already seeing "GPG validation failed" errors
> from sa-update, see
> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified .)

For the record, I spent some time preparing 3.2.5-1 over the weekend and
will likely upload it once I've had some time to test it...

noah

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Francois Marier <francois@debian.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: 486408@bugs.debian.org

Subject: Re: Bug#486408: cron.daily: The update downloaded successfully, but the GPG signature verification failed

Date: Tue, 17 Jun 2008 09:25:18 +1200

On 2008-06-15 at 23:44:01, Adam D. Barratt wrote:
> (If you are already seeing "GPG validation failed" errors
> from sa-update, see
> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified .)

Thanks Adam, that worked fine.

Francois

Message #25 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Vincent Danjean <vdanjean@debian.org>

To: Debian Bug Tracking System <486408@bugs.debian.org>

Subject: spamassassin: sa-updade key is not cross-certified

Date: Thu, 19 Jun 2008 08:21:53 +0200

Package: spamassassin
Version: 3.2.4-2
Followup-For: Bug #486408

Using "sa-update -D", we clearly see the problem: gpg refuse to certify
the downloaded file because the used key is not cross-certified.
  The correct fix is to ask upstream to cross-certify its key (by
pointing them to http://www.gnupg.org/faq/subkey-cross-certify.html )

  A workaround I used is to add "--no-require-cross-certification"
in the options passed to gpg in /usr/bin/sa-update (near line 634)

  Best regards,
    Vincent

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-rc5-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages spamassassin depends on:
ii  libdigest-sha1-perl           2.11-2+b1  NIST SHA-1 message digest algorith
ii  libhtml-parser-perl           3.56-1+b1  A collection of modules that parse
ii  libnet-dns-perl               0.63-1+b1  Perform DNS queries from a Perl sc
ii  libsocket6-perl               0.20-1     Perl extensions for IPv6
ii  libsys-hostname-long-perl     1.4-2      Figure out the long (fully-qualifi
ii  libwww-perl                   5.812-1    WWW client/server library for Perl
ii  perl                          5.10.0-10  Larry Wall's Practical Extraction 
ii  perl-modules [libarchive-tar- 5.10.0-10  Core Perl modules

Versions of packages spamassassin recommends:
ii  gcc                           4:4.3.0-8  The GNU C compiler
ii  gnupg                         1.4.9-2    GNU privacy guard - a free PGP rep
ii  libc6-dev                     2.7-12     GNU C Library: Development Librari
ii  libmail-spf-perl              2.005-1    Perl implementation of Sender Poli
ii  libsys-syslog-perl            0.24-1+b1  Perl interface to the UNIX syslog(
ii  make                          3.81-5     The GNU version of the "make" util
ii  re2c                          0.13.3-1   tool for generating fast C-based r
ii  spamc                         3.2.4-2    Client for SpamAssassin spam filte

-- no debconf information

Message #30 received at 486408@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: "Vincent Danjean" <vdanjean@debian.org>, <486408@bugs.debian.org>

Subject: Re: Bug#486408: spamassassin: sa-updade key is not cross-certified

Date: Thu, 19 Jun 2008 09:03:15 +0100

Hi,

Vincent Danjean wrote:
> Package: spamassassin
> Version: 3.2.4-2
> Followup-For: Bug #486408
>
> Using "sa-update -D", we clearly see the problem: gpg refuse to
> certify  the downloaded file because the used key is not cross-certified.
>  The correct fix is to ask upstream to cross-certify its key (by
> pointing them to http://www.gnupg.org/faq/subkey-cross-certify.html )

Upstream have already done this, as per the fragment from the 3.2.5 
changelog I pasted in 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486408#10

Regards,

Adam 

Message #35 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Vincent Danjean <vdanjean@debian.org>

To: 486408@bugs.debian.org

Subject: Re: Bug#486408: spamassassin: sa-updade key is not cross-certified

Date: Thu, 19 Jun 2008 11:01:41 +0200

  Hi,

Adam D. Barratt wrote:
> Vincent Danjean wrote:
>> Package: spamassassin
>> Version: 3.2.4-2
>> Followup-For: Bug #486408
>>
>> Using "sa-update -D", we clearly see the problem: gpg refuse to
>> certify  the downloaded file because the used key is not cross-certified.
>>  The correct fix is to ask upstream to cross-certify its key (by
>> pointing them to http://www.gnupg.org/faq/subkey-cross-certify.html )
> 
> Upstream have already done this, as per the fragment from the 3.2.5
> changelog I pasted in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486408#10

  I do not know how recent this is. But before sending my report,
I manually download the tar.gz, the tar.gz.asc and ask gpg to get
the key from a public keyserver (keys.gnupg.net in my case).
  So, 2 hours ago, their cross certified key were not available
on this public key server yet.

  Looking at the previous answers, I download the new key from
http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified
and I just uploaded it to keys.gnupg.net.

  Best regards,
    Vincent

PS: I just discovered that you already answer to this bug before my
message. When reportbug show you a bug, it only show you the first
report :-( I will perhaps send a wishbug to reportbug if I find some
time.

-- 
Vincent Danjean       GPG key ID 0x9D025E87         vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial pacakges: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main

Message #40 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Ross Boylan <RossBoylan@stanfordalumni.org>

To: Debian Bug Tracking System <486408@bugs.debian.org>

Subject: spamassassin: sa-update errors for last 2 days

Date: Sun, 03 Aug 2008 12:24:11 -0700

Package: spamassassin
Version: 3.2.5-1
Followup-For: Bug #486408

The daily cron job complained
/etc/cron.daily/spamassassin:
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed

Both this morning (Aug 3) and yesterday (Aug 2).  It was not showing
the error before.  I'm not entirely clear from previous info on this
bug if the problem is supposed to be fixed.

The day before the errors started included the following updates:
2008-08-01 21:27:42 status installed gnupg-agent 2.0.9-3
2008-08-01 21:27:43 status installed gnupg2 2.0.9-3
2008-08-01 21:27:43 status installed gpgsm 2.0.9-3

Maybe some change with them, or one of the other recent updates, is responsible?


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages spamassassin depends on:
ii  libdigest-sha1-perl          2.11-2+b1   NIST SHA-1 message digest algorith
ii  libhtml-parser-perl          3.56-1+b1   A collection of modules that parse
ii  libnet-dns-perl              0.63-2      Perform DNS queries from a Perl sc
ii  libsocket6-perl              0.20-1      Perl extensions for IPv6
ii  libsys-hostname-long-perl    1.4-2       Figure out the long (fully-qualifi
ii  libwww-perl                  5.813-1     WWW client/server library for Perl
ii  perl                         5.10.0-11.1 Larry Wall's Practical Extraction 
ii  perl-modules [libarchive-tar 5.10.0-11.1 Core Perl modules

Versions of packages spamassassin recommends:
ii  gcc                           4:4.3.1-2  The GNU C compiler
ii  gnupg                         1.4.9-2    GNU privacy guard - a free PGP rep
ii  libc6-dev                     2.7-10     GNU C Library: Development Librari
ii  libmail-spf-perl              2.005-1    Perl implementation of Sender Poli
ii  libsys-syslog-perl            0.26-1     Perl interface to the UNIX syslog(
ii  make                          3.81-5     The GNU version of the "make" util
ii  re2c                          0.13.5-1   tool for generating fast C-based r
ii  spamc                         3.2.5-1    Client for SpamAssassin spam filte

Versions of packages spamassassin suggests:
ii  libcompress-zlib-p 2.011-1               Perl module for creation and manip
ii  libdbi-perl        1.605-1               Perl5 database interface by Tim Bu
ii  libio-socket-ssl-p 1.13-1                Perl module implementing object or
pn  libmail-dkim-perl  <none>                (no description available)
ii  libnet-ident-perl  1.20-5                lookup the username on the remote 
ii  pyzor              1:0.4.0+cvs20030201-8 spam-catcher using a collaborative
ii  razor              1:2.84-6+b1           spam-catcher using a collaborative

-- no debconf information

Message #45 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Julian Gilbey <jdg@polya.uklinux.net>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 486408@bugs.debian.org

Cc: Francois Marier <francois@debian.org>

Subject: Re: Bug#486408: cron.daily: The update downloaded successfully, but the GPG signature verification failed

Date: Tue, 9 Sep 2008 22:45:23 +0100

On Sun, Jun 15, 2008 at 11:44:01PM +0100, Adam D. Barratt wrote:
> Hi,
> [...]
> 
> Neither, apparently. The recently released 3.2.5 includes this change:
> 
> bug 5775: newer gpg versions require keys to be cross-certified
> (backsig).  Did a cross-verify on our sa-update public key and
> re-exported.  (If you are already seeing "GPG validation failed" errors
> from sa-update, see
> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified .)

I've hit the same problem and this solved it.

Could the next Debian version perhaps include the updated GPG key so
that this problem does not continue?

   Julian

Message #48 received at 486408@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>

To: spamassassin@packages.debian.org, 486408@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#486408: cron.daily: The update downloaded successfully, but the GPG signature verification failed

Date: Mon, 22 Sep 2008 11:50:54 +0200

[Message part 1 (text/plain, inline)]

severity 486408 important
thanks

On Tue, Sep 09, 2008 at 10:45:23PM +0100, Julian Gilbey wrote:
> On Sun, Jun 15, 2008 at 11:44:01PM +0100, Adam D. Barratt wrote:
> > Neither, apparently. The recently released 3.2.5 includes this change:
> > bug 5775: newer gpg versions require keys to be cross-certified
> > (backsig).  Did a cross-verify on our sa-update public key and
> > re-exported.  (If you are already seeing "GPG validation failed" errors
> > from sa-update, see
> > http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified .)
> I've hit the same problem and this solved it.
> Could the next Debian version perhaps include the updated GPG key so
> that this problem does not continue?

Spamming me too, since the upgrade to Lenny.  Please fix this
pre-release if it's a commonly known problem for upgrades...

Kind regards,
Philipp Kern

[signature.asc (application/pgp-signature, inline)]

Message #55 received at 486408-close@bugs.debian.org (full text, mbox, reply):

From: Noah Meyerhans <noahm@debian.org>

To: 486408-close@bugs.debian.org

Subject: Bug#486408: fixed in spamassassin 3.2.5-2

Date: Mon, 17 Nov 2008 06:17:04 +0000

Source: spamassassin
Source-Version: 3.2.5-2

We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive:

spamassassin_3.2.5-2.diff.gz
  to pool/main/s/spamassassin/spamassassin_3.2.5-2.diff.gz
spamassassin_3.2.5-2.dsc
  to pool/main/s/spamassassin/spamassassin_3.2.5-2.dsc
spamassassin_3.2.5-2_all.deb
  to pool/main/s/spamassassin/spamassassin_3.2.5-2_all.deb
spamc_3.2.5-2_i386.deb
  to pool/main/s/spamassassin/spamc_3.2.5-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 486408@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated spamassassin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 17 Nov 2008 00:53:11 -0500
Source: spamassassin
Binary: spamassassin spamc
Architecture: source all i386
Version: 3.2.5-2
Distribution: unstable
Urgency: low
Maintainer: Duncan Findlay <duncf@debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Description: 
 spamassassin - Perl-based spam filter using text analysis
 spamc      - Client for SpamAssassin spam filtering daemon
Closes: 470834 481696 486408 491232 501122 505273
Changes: 
 spamassassin (3.2.5-2) unstable; urgency=low
 .
   [ Duncan Findlay ]
   * Add Recommends: on libio-socket-inet6-perl (Closes: 481696)
   * Ship GPG.KEY and call sa-update --import in the postinst to work
     around broken key. (Closes: 486408)
   * Work around permissions issues from sa-compile and sa-update. (Closes:
     491232, 470834)
 .
   [ Noah Meyerhans ]
   * Remove obsolete DSBL blacklist (Closes: #501122)
   * Bump standards version to 3.8.0.  This should have been done with
     3.2.5-1, since that's where we made the changes to support this
     version.
   * Document the fact that spamhaus and SURBL are free only for smaller
     sites and may require sites exceeding a certain threshold of mail
     volume to pay for service.  (Closes: #505273)
Checksums-Sha1: 
 722bf82a4f7753e6587409c97ad061b7d12c529e 1401 spamassassin_3.2.5-2.dsc
 b0849a9eb2d407beebd3a90cd3d0885943feca62 33926 spamassassin_3.2.5-2.diff.gz
 7696b88fbe5f742546742ae669d7f2a847ae4f6b 1097202 spamassassin_3.2.5-2_all.deb
 e06c13ecf28bd799357363293a7f759e8650654e 72472 spamc_3.2.5-2_i386.deb
Checksums-Sha256: 
 8268001f7c0e1f82399898eb0b395fd765e048e5a6195769ed7b7726995e0b3b 1401 spamassassin_3.2.5-2.dsc
 1bae9cd22f4390853ca1a5686bfba00d2c9ce69afe0fe71691f249aae84930dd 33926 spamassassin_3.2.5-2.diff.gz
 afdb1c01d3623dc17d4d3c1130545a5586206f61d173ec937d7d5b4eaa600036 1097202 spamassassin_3.2.5-2_all.deb
 c44f963f8b736915c8ed36a000268652b1ba49c48fae190430669a8e20459b6c 72472 spamc_3.2.5-2_i386.deb
Files: 
 9eb64f64b2fc9dd3069b5ed3f73960ec 1401 mail optional spamassassin_3.2.5-2.dsc
 300cc5e6f301131711ac9d16bdc98936 33926 mail optional spamassassin_3.2.5-2.diff.gz
 043cc5c9e09111959ab9d73a8243405b 1097202 mail optional spamassassin_3.2.5-2_all.deb
 fec22fdf9b7f34bd08f5bc002dc3b896 72472 mail optional spamc_3.2.5-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJIQfSYrVLjBFATsMRApLrAJsGAWXvpvVMwGo1Ues85iA7dc28UACeLbRm
+uuvrVGT8cDerbsXuP4cwK4=
=qlMF
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.