I set up a test environment to re-run the recreation script I attached
above while using the fix from xenial-proposed.

What I found was that the fix helps but is not perfect.

While the UCA repo is in the hourly update time window, the apt-get
update can still leave the user in the error case where you have the
Release file but not the Release.gpg file.  However, WITH this fix a
subsequent apt-get update resolves the issue and will pull down the
Release.gpg file.  This is in contrast to WITHOUT the fix, where no
amount of apt-get update calls would fix the issue until after the next
hourly UCA update.

So my verdict is that this fix should go through as it allows automated
tooling to simply do apt-get update retries and self-resolve the missing
gpg issue.

Any further changes are probably required in the Ubuntu Cloud Archive
itself to close the "partially updated" window that is part of the error
case trigger.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1657440

Title:
  apt won't redownload Release.gpg after inconsistent cache updates made
  while UCA is being updated

Status in APT:
  Fix Released
Status in apt package in Ubuntu:
  Fix Released
Status in apt source package in Xenial:
  Fix Committed
Status in apt source package in Yakkety:
  In Progress

Bug description:
  # apt --version
  apt 1.2.18 (amd64)

  xenial

  I got myself into a situation where a repository has a Release and a
  Release.gpg file, but apt is just ignoring the gpg one and won't
  download it via apt update for some reason:

  The repository in question is
  http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/xenial-updates/newton/.
  See how locally I have just the Release file:

  root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# l *Release*
  -rw-r--r-- 1 root root 100K Jan 15 18:03 archive.ubuntu.com_ubuntu_dists_xenial-backports_InRelease
  -rw-r--r-- 1 root root 242K Apr 21  2016 archive.ubuntu.com_ubuntu_dists_xenial_InRelease
  -rw-r--r-- 1 root root 100K Jan 18 11:42 archive.ubuntu.com_ubuntu_dists_xenial-updates_InRelease
  -rw-r--r-- 1 root root 100K Jan 18 11:42 security.ubuntu.com_ubuntu_dists_xenial-security_InRelease
  -rw-r--r-- 1 root root 7.7K Jan 18 11:45 ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release

  Now I try an update. See how the Release.gpg file gets a "Hit:" instead of a
  "Get:":
  root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# apt update
  Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
  Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
  Ign:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton InRelease
  Get:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
  Hit:5 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton Release
  Get:6 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton Release.gpg [543 B]
  Hit:7 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
  Fetched 205 kB in 0s (395 kB/s)
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  8 packages can be upgraded. Run 'apt list --upgradable' to see them.

  And I can't install packages:
  root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# apt dist-upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following NEW packages will be installed:
    python3-setuptools
  The following packages will be upgraded:
    dh-python dnsmasq-base python-pkg-resources python-setuptools python3-cryptography python3-pkg-resources python3-requests python3-urllib3
  8 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 1,193 kB of archives.
  After this operation, 808 kB of additional disk space will be used.
  Do you want to continue? [Y/n]
  WARNING: The following packages cannot be authenticated!
    dh-python dnsmasq-base python-setuptools python-pkg-resources python3-pkg-resources python3-setuptools python3-cryptography python3-requests python3-urllib3
  Install these packages without verification? [y/N] n
  E: Some packages could not be authenticated
  root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists#

  Somehow apt is thinking it has the Release.gpg file, but it doesn't?

  This server is behind a squid proxy.


  [Impact]
  An apt update of an apt repository that does not use InRelease during the
  time it is being updated can cause the gpg file to not be downloaded and
  updated. This makes the packages from the repository be unable to be
  authenticated.

  The Ubuntu Cloud Archive is one of the archives that meets this
  criteria.

  The impact to downstream automation deployment code is that if they
  are adding the UCA repo to a system and calling apt update during the
  time the UCA is being updated by Canonical, the repo can get into a
  state where the Release.gpg file is not there and all package installs
  will fail due to "unauthenticated packages" error.

  [Test Case]
  A detailed python script was attached.

  To reproduce this outside that script you would want to:
  1. Add the UCA repo
  2. Do the following in a loop starting at 43 minutes after the hour and run
  it until 55 minutes after the hour:
  2.1 Remove these files to simulate the UCA repo being added the first time.
  /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release
  /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release.gpg
  /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_main_binary*Packages

  2.2 apt-get update
  3. Check the state of the 3 files you deleted. If you have the _Release file
  but not the _Release.gpg you have recreated the issue.
  4. If you have not recreated the issue, continue GOTO 2 and continue to loop.

  [Regression Potential]
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/apt/+bug/1657440/+subscriptions
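
The check from step 3 of the test case, combined with the apt-get update
retry approach described in the comment at the top, as an added shell
example (not part of the bug report and not code from apt). The function
names, the RETRY_DELAY variable and the file names in demo() are
assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect the "Release present, Release.gpg missing" state
# in an apt lists directory and retry the index refresh a bounded number of times.

# Print every *_Release file in the lists directory ($1) that has no
# non-empty detached signature (*_Release.gpg) next to it.
unsigned_releases() {
    lists_dir=$1
    for rel in "$lists_dir"/*_Release; do
        [ -f "$rel" ] || continue            # glob matched nothing
        [ -s "$rel.gpg" ] || printf '%s\n' "$rel"
    done
}

# Usage: refresh_until_signed LISTS_DIR MAX_TRIES COMMAND [ARGS...]
# Runs COMMAND until no unsigned Release file remains. Returns 0 once the
# lists directory is consistent, 1 if it is still inconsistent after MAX_TRIES.
refresh_until_signed() {
    lists_dir=$1; max_tries=$2; shift 2
    try=1
    while [ "$try" -le "$max_tries" ]; do
        "$@" || true                          # a failed refresh is retried too
        if [ -z "$(unsigned_releases "$lists_dir")" ]; then
            return 0
        fi
        echo "try $try: Release without Release.gpg:" >&2
        unsigned_releases "$lists_dir" >&2
        try=$((try + 1))
        sleep "${RETRY_DELAY:-30}"
    done
    return 1
}

# Constructed demo: a temporary lists directory in the state from the report
# (one InRelease file, one Release file with no Release.gpg beside it).
demo() {
    d=$(mktemp -d)
    : > "$d/archive.example_dists_xenial_InRelease"
    echo data > "$d/repo.example_dists_xenial-updates_newton_Release"
    unsigned_releases "$d" | while read -r f; do basename "$f"; done
    rm -rf "$d"
}

# On a real host (as root), fail the deployment step instead of installing:
#   refresh_until_signed /var/lib/apt/lists 5 apt-get update || exit 1
```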
