• Bug#1106779: gpg: "No good signature" when doing `apt- update`

    From Stefan Monnier@21:1/5 to All on Thu May 29 19:10:02 2025
    Package: gpg
    Version: 2.4.7-17
    Severity: important
    User: debian-qa@lists.debian.org
    Usertags: i386

    Dear Maintainer,

    One of my machines can't update its APT database because every `apt update` fails with:

    ```
    # apt-get update
    Get:1 http://security.debian.org stable-security InRelease [48.0 kB]
    Get:2 http://security.debian.org testing-security InRelease [48.0 kB]
    Get:3 http://deb.debian.org/debian stable InRelease [151 kB]
    Err:1 http://security.debian.org stable-security InRelease
    No good signature
    Err:2 http://security.debian.org testing-security InRelease
    No good signature
    Get:4 http://deb.debian.org/debian testing InRelease [178 kB]
    Err:3 http://deb.debian.org/debian stable InRelease
    No good signature
    Err:4 http://deb.debian.org/debian testing InRelease
    No good signature
    Reading package lists... Done
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://security.debian.org stable-security InRelease: No good signature
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://security.debian.org testing-security InRelease: No good signature
    W: OpenPGP signature verification failed: http://deb.debian.org/debian stable InRelease: No good signature
    E: The repository 'http://deb.debian.org/debian stable InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    W: OpenPGP signature verification failed: http://deb.debian.org/debian testing InRelease: No good signature
    E: The repository 'http://deb.debian.org/debian testing InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    #
    ```

    I checked the `cat /etc/apt/sources.list.d/debian.sources` and the `/usr/share/keyrings/debian-archive-keyring.gpg` file it points to, and their md5sum is exactly the same as on another machine where it works fine.

    The issue appears to be that the new version of GPG (or some library on which it depends) uses an instruction that's not supported by my CPU (Pentium III), although AFAIK a Pentium III should still be supported.

    The reason why I think that's the issue is not only that this is the only machine I have with such an old CPU (and I've had similar problems with it in the past) but also because the above four "No good signature" messages are accompanied by the following 4 lines in `dmesg`:

    ```
    [662377.292836] traps: sqv[21420] trap invalid opcode ip:6e3ac9 sp:bf9fe160 error:0 in sqv[21eac9,4d5000+231000]
    [662377.364879] traps: sqv[21421] trap invalid opcode ip:65dac9 sp:bfd72a80 error:0 in sqv[21eac9,44f000+231000]
    [662377.401355] traps: sqv[21422] trap invalid opcode ip:6a4ac9 sp:bf86ac70 error:0 in sqv[21eac9,496000+231000]
    [662377.457522] traps: sqv[21423] trap invalid opcode ip:65dac9 sp:bfcb1610 error:0 in sqv[21eac9,44f000+231000]
    ```


    -- System Information:
    Debian Release: 13.0
    APT prefers testing
    APT policy: (990, 'testing'), (500, 'stable-security'), (100, 'stable')
    Architecture: i386 (x86_64)
    Foreign Architectures: amd64

    Kernel: Linux 6.12.25-amd64 (SMP w/8 CPU threads; PREEMPT)
    Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages gpg depends on:
    ii gpgconf 2.4.7-17
    ii init-system-helpers 1.68
    ii libassuan9 3.0.2-2
    ii libbz2-1.0 1.0.8-6
    ii libc6 2.41-8
    ii libgcrypt20 1.11.0-7
    ii libgpg-error0 1.51-4
    ii libksba8 1.6.7-2+b1
    ii libnpth0t64 1.8-3
    ii libreadline8t64 8.2-6
    ii libsqlite3-0 3.46.1-4
    ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1

    Versions of packages gpg recommends:
    ii gnupg 2.4.7-17

    gpg suggests no packages.

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
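A triage sketch for the `dmesg` lines in the report above, as an added example that is not part of the original thread: it parses each `traps:` line and groups the crashes by fault site, showing that the four `sqv` processes were mapped at different addresses yet trapped at the same place in the binary. Reading the first bracketed field as the fault location relative to the `sqv` file is an assumption about the kernel's line format; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The four trap lines from the report, copied verbatim.
DMESG = """\
[662377.292836] traps: sqv[21420] trap invalid opcode ip:6e3ac9 sp:bf9fe160 error:0 in sqv[21eac9,4d5000+231000]
[662377.364879] traps: sqv[21421] trap invalid opcode ip:65dac9 sp:bfd72a80 error:0 in sqv[21eac9,44f000+231000]
[662377.401355] traps: sqv[21422] trap invalid opcode ip:6a4ac9 sp:bf86ac70 error:0 in sqv[21eac9,496000+231000]
[662377.457522] traps: sqv[21423] trap invalid opcode ip:65dac9 sp:bfcb1610 error:0 in sqv[21eac9,44f000+231000]
"""

TRAP_RE = re.compile(
    r"traps: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\] trap (?P<trap>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:[0-9a-f]+ error:[0-9a-f]+ in "
    r"(?P<obj>[^\[]+)\[(?P<off>[0-9a-f]+),(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def parse_traps(text):
    """Return one dict per kernel 'traps:' line; other lines are skipped."""
    traps = []
    for line in text.splitlines():
        m = TRAP_RE.search(line)
        if not m:
            continue
        ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
        traps.append({
            "pid": int(m["pid"]), "obj": m["obj"], "trap": m["trap"],
            "ip": ip, "base": base,
            "map_off": ip - base,            # fault offset inside the mapping
            "file_off": int(m["off"], 16),   # assumed: offset within the file
            "in_mapping": 0 <= ip - base < size,
        })
    return traps

def group_by_site(traps):
    """Map (object, trap kind, file offset) -> PIDs that faulted there."""
    sites = defaultdict(list)
    for t in traps:
        sites[(t["obj"], t["trap"], t["file_off"])].append(t["pid"])
    return dict(sites)

if __name__ == "__main__":
    for (obj, trap, off), pids in group_by_site(parse_traps(DMESG)).items():
        print(f"{obj}+{off:#x}: {trap} in {len(pids)} process(es): {pids}")
```

A single fault site across differently mapped processes points at one fixed instruction in the executable rather than at random memory corruption.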
  • From Stefan Monnier@21:1/5 to All on Thu May 29 23:30:02 2025
    reassign 1106779 sqv
    thanks

    ```
    [662377.292836] traps: sqv[21420] trap invalid opcode ip:6e3ac9 sp:bf9fe160 error:0 in sqv[21eac9,4d5000+231000]
    [662377.364879] traps: sqv[21421] trap invalid opcode ip:65dac9 sp:bfd72a80 error:0 in sqv[21eac9,44f000+231000]
    [662377.401355] traps: sqv[21422] trap invalid opcode ip:6a4ac9 sp:bf86ac70 error:0 in sqv[21eac9,496000+231000]
    [662377.457522] traps: sqv[21423] trap invalid opcode ip:65dac9 sp:bfcb1610 error:0 in sqv[21eac9,44f000+231000]
    ```

    I just confirmed now that downgrading to the version of `sqv` in
    Debian stable (which also downgraded `apt` and `apt-utils`) brings the
    system back to a usable state.

    So it seems the problem is in the `sqv` executable itself and not in the libraries it uses.


    Stefan

  • From Chris Hofstaedtler@21:1/5 to All on Fri May 30 12:10:01 2025
    * Stefan Monnier <monnier@iro.umontreal.ca> [250529 23:27]:
    ```
    [662377.292836] traps: sqv[21420] trap invalid opcode ip:6e3ac9 sp:bf9fe160 error:0 in sqv[21eac9,4d5000+231000]
    [662377.364879] traps: sqv[21421] trap invalid opcode ip:65dac9 sp:bfd72a80 error:0 in sqv[21eac9,44f000+231000]
    [662377.401355] traps: sqv[21422] trap invalid opcode ip:6a4ac9 sp:bf86ac70 error:0 in sqv[21eac9,496000+231000]
    [662377.457522] traps: sqv[21423] trap invalid opcode ip:65dac9 sp:bfcb1610 error:0 in sqv[21eac9,44f000+231000]
    ```

    > I just confirmed now that downgrading to the version of `sqv` in
    > Debian stable (which also downgraded `apt` and `apt-utils`) brings the
    > system back to a usable state.

    The architecture baseline for i386 was raised. Could you please post
    the output of `cat /proc/cpuinfo`, so we can understand this better?

    Best,
    Chris

  • From Stefan Monnier@21:1/5 to All on Fri May 30 23:20:02 2025
    >> I just confirmed now that downgrading to the version of `sqv` in
    >> Debian stable (which also downgraded `apt` and `apt-utils`) brings the
    >> system back to a usable state.
    >
    > The architecture baseline for i386 was raised.

    According to https://wiki.debian.org/ArchitectureSpecificsMemo#i386-1
    [ FWIW, it was difficult to find that page, because the natural search
    terms like "baseline" are missing. ]:

    - i686 since Debian 12 'bookworm'. There's no MMX nor SSE.
    - Before that, "almost" i686 (no "long NOP"/NOPL) since Debian 9 'stretch' (gcc-6 6.1.1-1).
    - Before that, i586 since gcc-4.9 4.9-20140411-1 (2014).
    - Before that, i486 since gcc-4.1 4.1ds7-0exp7 (2006).
    - Before that, i386.

    Whereas my processor is a Pentium-III (mobile), i.e. an evolution of the
    Pentium-II, itself an evolution of the famous Pentium Pro (aka *the*
    original i686). It has SSE but not SSE2 which only came a bit later.

    [ The vast majority of CPUs after i686 are already supported via amd64,
    so I don't understand what would be the benefit of raising the baseline
    even further. ]

    > Could you please post the output of `cat /proc/cpuinfo`, so we can
    > understand this better?

    Will do as soon as I'm back in the office where I have access to
    that laptop.


    Stefan
