debian repo.nagios.com signature issue

[francescm]

hi everybody,

I am using the nagios debian repo to download and keep in-sync the ncpa package (by the way: great software). Since a couple of days the

$ sudo apt-get update

fails with error:

Code: Select all

The repository 'https://repo.nagios.com/deb/bookworm  InRelease' provides only weak security information.

can you please confirm if it's a issue of me or a setup mishup?

thank you so much!

francescm

[JimKeating]

We're having the same problem with Ubuntu 20.04 upgrades and any apt update on new Ubuntu 24.04. Please help! Thx


fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: W:Updating from such a repository can't be done securely, and is therefore disabled by default., W:See apt-secure(8) manpage for repository creation and user configuration details., E:Unable to parse package file (1), E:The repository 'https://repo.nagios.com/deb/jammy InRelease' provides only weak security information."}

[cdenega]

Hi,
We are experiencing the same issue with the https://repo.nagios.com/deb/ repository on multiple Ubuntu versions: 20.04, 22.04, and 24.04.
In all cases, apt-get update fails with a message stating that the repository provides only weak security information.

[antonc42]

I'm also having this same issue. Looking at the "InRelease" file, it looks like it was updated on May 1st.

Comparing to the "InRelease" file from one of the older unsupported repos, I notice that the hash lines are indented by one space in the old file:

Code: Select all

MD5Sum:
 4b9709d7ffb40aabb9d086b09b4b8372 11672 Packages
 6f78f5b7ae36e53d0e55330d1247a4d7 2040 Packages.gz
 d41d8cd98f00b204e9800998ecf8427e 1083 Release
SHA1:
 2952376b986e36dce7613ecb1ab8e1469eb9d734 11672 Packages
 7956946a114ba7ed7ebf9ffb1e585cdc4b285089 2040 Packages.gz
 da39a3ee5e6b4b0d3255bfef95601890afd80709 1083 Release
SHA256:
 60eebe0dc0db33cbf7f13987eb92767a2a75a0e2fc8c1b6fc780e859e16a9d31 11672 Packages
 63f83e1bb0fe22a2d8e05dfe355abf9e56562c6b88a8c79544469b7a0ac2f0fb 2040 Packages.gz
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 1083 Release
SHA512:
 4f965c81347c6c8bdb894135254070deab2b3e732e89e5af380e9b57d1243d87fc5dfb82a82682f6949989106f3019eedb98f65b8cfc9f57200bdc1a55524419 11672 Packages
 4d3c20b18c3b0b1f44ea869388c1ff046b19b0232a6a5775635d0b5ca13d8bb4b761a67b474102334aa6ce0a2911cd0001c20120534c8ecf0a4f5254c4cbc2d0 2040 Packages.gz
 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 1083 Release

While in the new file, they are not indented:

Code: Select all

MD5Sum:
a6cc4be4c6b0e5caf5df4c9bef37be2a 12010 Packages
82049c85d43f5d0d9983f3d952dfa49a 2703 Packages.gz
bdf6c9303aae2a5ed0f9b715438826a7 1071 Release
SHA1:
afe46de6a8e20aedb4bb42e2b614b43f543889bf 12010 Packages
7b6ea2aac1e36ea3d987fb409133f6aef9613414 2703 Packages.gz
dce3353336076dbfa1e5a968ecd20ed3f91ee2b0 1071 Release
SHA256:
17907ccfb8258800ab06d798f3a909026be13fec00cee947f64daaa7ac34bcb3 12010 Packages
578f4a00a7ec4b7deceac4a27ce0f2d0da74f6cc5ff03a54f7d93dc4ea1c871f 2703 Packages.gz
0e25df4eba50929a83679d20270499d1016f794861986419c3a4b5974b86ea0c 1071 Release
SHA512:
2d776dd337ee7c3f88edcb20699e949963d57d907fae96849bd7a682754ad4762a419b9fb59859e3d17561d782338209aa64ec9b5268991120a6c325921caefc 12010 Packages
d75b5c83e7d5122c082461ebbb9bae34c332c860ea79bb33bb8c1c889a86462254303c54262fbe3258fd1aa5af0986f4b0a6715c0d5ba9baf9080d34baa856d2 2703 Packages.gz
74b96e5fb2ed8e504607e3bf391b8f2cdf2a01aecc02275b612be44a1d6587f45e5a79ee1ed2f849d7a4c5bdab7f869c822af32bdda6b2164c325566dc3f56af 1071 Release

I'm not an expert, so this is just a guess, but this may be the cause of the problem. See: https://wiki.debian.org/DebianRepositor ... .2C_SHA256

Each datum must be separated by one or more whitespace characters.

[antonc42]

It looks like someone is working on this. I see indenting in some of the InRelease files now.

I tried the https://repo.nagios.com/deb/noble repo today and got a different error:

Code: Select all

W: GPG error: https://repo.nagios.com/deb/noble  InRelease: The following signatures were invalid: BADSIG 471D5F4645ECF0AD Nagios Enterprises LLC <[email protected]>
E: The repository 'https://repo.nagios.com/deb/noble  InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

[afried]

Hello. Sorry for taking so long to address this issue.

We found a problem how our most current NCPA repos were signed. We have resolved this issue, Please try again and let us know if you were successful.

[cdenega]

Hi,

We’ve just tested it again on Ubuntu 20.04, 22.04, and 24.04, and it’s now working correctly. Thanks for addressing the issue!

Best regards.

[bbahn]

Glad to hear it's working for you now. Thanks for your patience!

[JimKeating]

This issue seems to be fixed now. It's working again for our organization. Cheers! JK

[JimKeating]

This was broken in May of this year and was fixed in a day or so. It is broken again. Please help get this resolved. Thanks, JK

E: Unable to parse package file (1)
E: The repository 'https://repo.nagios.com/deb/jammy InRelease' provides only weak security information.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.