pveam update failed, gpgv: BAD signature

jieiku

I am not sure if this issue is on my end or upstream, can anyone verify if pveam update works?

turnkey seems ok, but bullseye is showing BAD signature.

pveam update
update failed - see /var/log/pveam.log for details


Code:
2022-04-26 14:34:21 starting update

2022-04-26 14:34:21 start download http://download.proxmox.com/images/aplinfo-pve-7.dat.asc
2022-04-26 14:34:22 download finished: 200 OK
2022-04-26 14:34:22 start download http://download.proxmox.com/images/aplinfo-pve-7.dat.gz
2022-04-26 14:34:22 download finished: 200 OK
2022-04-26 14:34:22 signature verification: gpgv: Signature made Sun Apr 24 04:18:36 2022 PDT
2022-04-26 14:34:22 signature verification: gpgv:                using RSA key 28139A2F830BD68478A1A01FDD4BA3917E23BF59
2022-04-26 14:34:22 signature verification: gpgv: BAD signature from "Proxmox Bullseye Release Key <proxmox-release@proxmox.com>"
2022-04-26 14:34:22 unable to verify signature - command '/usr/bin/gpgv -q --keyring /usr/share/doc/pve-manager/trustedkeys.gpg /var/lib/pve-manager/apl-info/pveam-download.proxmox.com.tmp.3142303.asc /var/lib/pve-manager/apl-info/pveam-download.proxmox.com.tmp.3142303' failed: exit code 1

2022-04-26 14:34:22 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
2022-04-26 14:34:22 download finished: 200 OK
2022-04-26 14:34:22 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.gz
2022-04-26 14:34:22 download finished: 200 OK
2022-04-26 14:34:22 signature verification: gpgv: Signature made Sun Nov  7 03:25:46 2021 PST
2022-04-26 14:34:22 signature verification: gpgv:                using RSA key 694CFF26795A29BAE07B4EB585C25E95A16EB94D
2022-04-26 14:34:22 signature verification: gpgv: Good signature from "Turnkey Linux Release Key <release@turnkeylinux.com>"
2022-04-26 14:34:22 update successful

apt-key list

Code:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). 
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg 
------------------------------------------------------------ 
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15] 
      1F89 983E 0081 FDE0 18F3  CC96 73A4 F27B 8DD4 7936 
uid           [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org> 
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15] 

/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg 
--------------------------------------------------------------------- 
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15] 
      AC53 0D52 0F2F 3269 F5E9  8313 A484 4904 4AAD 5C5D 
uid           [ unknown] Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org> 
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15] 

/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg 
--------------------------------------------------------- 
pub   rsa4096 2021-02-13 [SC] [expires: 2029-02-11] 
      A428 5295 FC7B 1A81 6000  62A9 605C 66F0 0D6C 9793 
uid           [ unknown] Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org> 

/etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg 
--------------------------------------------------- 
pub   rsa4096 2020-11-09 [SC] [expires: 2030-11-07] 
      2813 9A2F 830B D684 78A1  A01F DD4B A391 7E23 BF59 
uid           [ unknown] Proxmox Bullseye Release Key <proxmox-release@proxmox.com>


cat /etc/apt/{sources.list,sources.list.d/*.list}

Code:
deb http://ftp.us.debian.org/debian bullseye main contrib 

deb http://ftp.us.debian.org/debian bullseye-updates main contrib 

# security updates 
deb http://security.debian.org bullseye-security main contrib 
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

apt-get update


Code:
Hit:1 http://security.debian.org bullseye-security InRelease 
Hit:2 http://download.proxmox.com/debian/pve bullseye InRelease 
Get:3 http://ftp.us.debian.org/debian bullseye InRelease [116 kB] 
Get:4 http://ftp.us.debian.org/debian bullseye-updates InRelease [39.4 kB] 
Fetched 155 kB in 1s (164 kB/s)      
Reading package lists... Done
 
I am not sure if this issue is on my end or upstream, can anyone verify if pveam update works?
Works fine here. Is this reproducible on retry?

What IP does our download CDN get resolved in your setup?
ping download.proxmox.com

Can you please also post the SHA2 sum of the one you get currently:
sha256sum aplinfo-pve-7.dat.gz
 
hello, thank you for the response.

This is reproducible, it happens every time, I have also tried rebooting, and retried hours later.

This did not happen on one of my other Proxmox machines at my mother's house, but it did happen on mine. The only thing I can think of that is different between the two is that on my Proxmox I updated sooner from buster to bullseye, and I did my mother's Proxmox months later; not sure that it would matter. (Both of them have been on PVE 7 for many months now, and are both currently 7.1-12.)

Code:
ping download.proxmox.com 
PING na.cdn.proxmox.com (144.217.225.162) 56(84) bytes of data.
64 bytes from na.cdn.proxmox.com (144.217.225.162): icmp_seq=1 ttl=50 time=81.6 ms

I used wget to check it:


Code:
wget http://download.proxmox.com/images/aplinfo-pve-7.dat.gz
Connecting to download.proxmox.com (download.proxmox.com)|144.217.225.162|:80... connected.
sha256sum aplinfo-pve-7.dat.gz
97cfd68ecd96dabb87961a2c3c09cb2392203b30596c466e437a142b9a23a9f9  aplinfo-pve-7.dat.gz
 
Whatever the problem was, it seems to have cleared up just now. It must have been some kind of cache issue?

Thanks so much for the help t.lamprecht, I really appreciate it!
 
sha256sum aplinfo-pve-7.dat.gz
97cfd68ecd96dabb87961a2c3c09cb2392203b30596c466e437a142b9a23a9f9  aplinfo-pve-7.dat.gz
That was definitely wrong though: the last update of the index was done on Sunday; since then (and until the next update) the sha256sum should read 23a90d6ebce47da1f31dc06605963543873c6d67fb7512648655f76508a47b78.

This is reproducible, it happens every time, I have also tried rebooting, and retried hours later.
Out of interest: did it start to happen recently, or has it been broken for a while?

Whatever the problem was, it seems to have cleared up just now. It must have been some kind of cache issue?
Are you behind a reverse proxy (or a really bad ISP)?
If you say it only happened recently, I'd also give some caching issue the fault for this; otherwise it really seems a bit too odd (almost like a MITM?).

Anyhow, glad that it works now again.
 
I am not sure how long it was an issue for, I am only aware of less than 12 hours.

I knew that Ubuntu 22.04 was out so I wanted to run pveam update so that I could grab the latest template.

When I saw the same IP but different files, I suspected our reverse proxy was to blame. I had previously cleared its local cache, so I had ruled that out; the only thing I can think of is that it was somehow still serving old data.
 
I've just had exactly the same thing...

root@vm2:~# pveam update
update failed - see /var/log/pveam.log for details
root@vm2:~# tail /var/log/pveam.log
2022-11-14 10:05:20 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
2022-11-14 10:05:21 download finished: 200 OK
2022-11-14 10:05:21 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.gz
2022-11-14 10:05:21 download finished: 200 OK
2022-11-14 10:05:21 signature verification: gpgv: Signature made Mon Nov 14 09:42:05 2022 GMT
2022-11-14 10:05:21 signature verification: gpgv: using RSA key 694CFF26795A29BAE07B4EB585C25E95A16EB94D
2022-11-14 10:05:21 signature verification: gpgv: BAD signature from "Turnkey Linux Release Key <release@turnkeylinux.com>"
2022-11-14 10:05:21 unable to verify signature - command '/usr/bin/gpgv -q --keyring /usr/share/doc/pve-manager/trustedkeys.gpg /var/lib/pve-manager/apl-info/pveam-releases.turnkeylinux.org.tmp.5121.asc /var/lib/pve-manager/apl-info/pveam-releases.turnkeylinux.org.tmp.5121' failed: exit code 1

Looks a bit suspicious that the signature was made earlier this morning - unless I'm completely misunderstanding how GPG works (which is entirely possible!).

N.
 
I've just had exactly the same thing...

Tried it again 20 minutes later and it worked.

root@vm2:~# pveam update
update successful
root@vm2:~# tail /var/log/pveam.log

2022-11-14 10:28:11 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
2022-11-14 10:28:11 download finished: 200 OK
2022-11-14 10:28:11 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.gz
2022-11-14 10:28:11 download finished: 200 OK
2022-11-14 10:28:11 signature verification: gpgv: Signature made Mon Nov 14 09:42:05 2022 GMT
2022-11-14 10:28:11 signature verification: gpgv: using RSA key 694CFF26795A29BAE07B4EB585C25E95A16EB94D
2022-11-14 10:28:11 signature verification: gpgv: Good signature from "Turnkey Linux Release Key <release@turnkeylinux.com>"
2022-11-14 10:28:11 update successful

Now I'm completely bamboozled.

N.
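
Added example (not part of any post above and not Proxmox code): a small Python triage of the pveam.log lines quoted in this thread. It groups gpgv results per source and, when a BAD result is later followed by a Good one carrying the same "Signature made" time and key, labels the failure as a data mismatch, which is consistent with an unchanged signature file and a data file that differed between the two downloads. The function names and result labels are invented for this illustration.

```python
import re

# Excerpt of the pveam.log lines posted in this thread: failed run, then the retry.
SAMPLE_LOG = """\
2022-11-14 10:05:20 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
2022-11-14 10:05:21 signature verification: gpgv: Signature made Mon Nov 14 09:42:05 2022 GMT
2022-11-14 10:05:21 signature verification: gpgv: using RSA key 694CFF26795A29BAE07B4EB585C25E95A16EB94D
2022-11-14 10:05:21 signature verification: gpgv: BAD signature from "Turnkey Linux Release Key <release@turnkeylinux.com>"
2022-11-14 10:28:11 start download https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
2022-11-14 10:28:11 signature verification: gpgv: Signature made Mon Nov 14 09:42:05 2022 GMT
2022-11-14 10:28:11 signature verification: gpgv: using RSA key 694CFF26795A29BAE07B4EB585C25E95A16EB94D
2022-11-14 10:28:11 signature verification: gpgv: Good signature from "Turnkey Linux Release Key <release@turnkeylinux.com>"
"""

# A download attempt starts with the fetch of the detached signature (.asc).
START = re.compile(r"^(\S+ \S+) start download (\S+)\.asc$")
FIELDS = {
    "sig_made": re.compile(r"gpgv: Signature made (.+)$"),
    "key": re.compile(r"gpgv:\s+using \w+ key ([0-9A-F]{40})$"),
    "verdict": re.compile(r"gpgv: (BAD|Good) signature from"),
}

def parse_attempts(text):
    """Return one record per index download: time, source, signature time, key, verdict."""
    attempts = []
    for line in map(str.strip, text.splitlines()):
        m = START.match(line)
        if m:
            attempts.append({"when": m.group(1), "source": m.group(2)})
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and attempts:
                attempts[-1][name] = m.group(1)
    return attempts

def triage(attempts):
    """Label each BAD result by comparing it with the next Good one from the same source."""
    findings = []
    for i, bad in enumerate(attempts):
        if bad.get("verdict") != "BAD":
            continue
        later = [a for a in attempts[i + 1:]
                 if a["source"] == bad["source"] and a.get("verdict") == "Good"]
        if not later:
            note = "still-failing"       # compare sha256sum with a known-good host
        elif (later[0].get("sig_made"), later[0].get("key")) == (bad.get("sig_made"), bad.get("key")):
            note = "data-mismatch"       # same signature verified later: earlier data differed
        else:
            note = "signature-changed"   # index was re-signed between the two runs
        findings.append((bad["when"], bad["source"], note))
    return findings
```

Run over the excerpt, `triage(parse_attempts(SAMPLE_LOG))` labels the 10:05 failure as `data-mismatch`; a `still-failing` result is the case where comparing the `sha256sum` of the download against a known-good host, as asked earlier in the thread, is the next step.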
 
