Opened 6 years ago

Closed 2 years ago

#56704 closed defect (worksforme)

archivefetch failed verification with key /opt/local/share/macports/macports-pubkey.pem

Reported by: psiqueira (Paul Siqueira)
Owned by:
Priority: Normal
Milestone:
Component: base
Version: 2.5.2
Keywords:
Cc: mascguy (Christopher Nielsen)
Port:

Description (last modified by jmroot (Joshua Root))

Since running selfupdate (2.5.2) and upgrading outdated a few months ago, I have been having a problem with my MacPorts installation for the past several months.

What it amounts to is that it seems to be related to the public-key verification step when downloading and/or updating software. This happens whether I am installing wget, or any other software.

To fix the problem, I have gone so far as to re-install XQuartz and macports, but still to no avail. Hence, I am really stuck.

Below is the output from the log file that is associated with my most recent attempt at installing wget.

Any help or suggestions that you can give to get me over this hump that is crippling my system would be very much appreciated!

--- main.log ---

:debug:sysinfo macOS 10.13 (darwin/17.6.0) arch i386
:debug:sysinfo MacPorts 2.5.2
:debug:sysinfo Xcode 9.4.1
:debug:sysinfo SDK 10.13
:debug:sysinfo MACOSX_DEPLOYMENT_TARGET: 10.13
:debug:main dropping privileges: euid changed to 502, egid changed to 501.
:debug:main Executing org.macports.main (libiconv)
:debug:main Privilege de-escalation not attempted as not running as root.
:debug:archivefetch archivefetch phase started at Wed Jun 20 10:33:44 EDT 2018
:msg:archivefetch --->  Fetching archive for libiconv
:debug:archivefetch Executing org.macports.archivefetch (libiconv)
:debug:archivefetch euid/egid changed to: 0/0
:debug:archivefetch chowned /opt/local/var/macports/incoming to macports
:debug:archivefetch euid/egid changed to: 502/501
:info:archivefetch --->  libiconv-1.15_0.darwin_17.x86_64.tbz2 doesn't seem to exist in /opt/local/var/macports/incoming/verified
:msg:archivefetch --->  Attempting to fetch libiconv-1.15_0.darwin_17.x86_64.tbz2 from http://jog.id.packages.macports.org/macports/packages/libiconv
:msg:archivefetch --->  Attempting to fetch libiconv-1.15_0.darwin_17.x86_64.tbz2.rmd160 from http://jog.id.packages.macports.org/macports/packages/libiconv
:debug:archivefetch failed verification with key /opt/local/share/macports/macports-pubkey.pem
:debug:archivefetch openssl output: Verification Failure
:debug:archivefetch child process exited abnormally
:warn:archivefetch Failed to verify signature for archive!
:error:archivefetch Failed to archivefetch libiconv: version @1.15_0
:debug:archivefetch Error code: NONE
:debug:archivefetch Backtrace: version @1.15_0
:debug:archivefetch     while executing
:debug:archivefetch "error "version @[option version]_[option revision][option portvariants]""
:debug:archivefetch     (procedure "portarchivefetch::fetchfiles" line 144)
:debug:archivefetch     invoked from within
:debug:archivefetch "portarchivefetch::fetchfiles"
:debug:archivefetch     (procedure "portarchivefetch::archivefetch_main" line 5)
:debug:archivefetch     invoked from within
:debug:archivefetch "$procedure $targetname"
:error:archivefetch See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_textproc_libiconv/libiconv/main.log for details.

Change History (8)

comment:1 Changed 6 years ago by jmroot (Joshua Root)

Description: modified (diff)
Keywords: verification failure removed
Port: wget and others removed

Downloading the archive and signature from the same server you're getting them from and verifying manually with openssl works fine here:

% openssl dgst -ripemd160 -verify /opt/local/share/macports/macports-pubkey.pem -signature libiconv-1.15_0.darwin_17.x86_64.tbz2.rmd160 libiconv-1.15_0.darwin_17.x86_64.tbz2
Verified OK

The archive, the signature or both must be getting corrupted in transit somehow. See wiki:MisbehavingServers for some ways that might be happening. Good luck, network issues like this can be tricky.

comment:2 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)

We have had similar reports before, which were caused either by incorrect permissions in your /private/tmp directory, or interference from antivirus software (try disabling it).

comment:3 in reply to:  1 ; Changed 6 years ago by psiqueira (Paul Siqueira)

Replying to jmroot:

> Downloading the archive and signature from the same server you're getting them from and verifying manually with openssl works fine here:
>
> % openssl dgst -ripemd160 -verify /opt/local/share/macports/macports-pubkey.pem -signature libiconv-1.15_0.darwin_17.x86_64.tbz2.rmd160 libiconv-1.15_0.darwin_17.x86_64.tbz2
> Verified OK
>
> The archive, the signature or both must be getting corrupted in transit somehow. See wiki:MisbehavingServers for some ways that might be happening. Good luck, network issues like this can be tricky.

Hmmm, are you saying that I can run the openssl command on my local computer and that it should be able to verify ok? I tried this and it doesn't work, but I get the impression that I don't fully understand. I think that you are just showing that there is nothing wrong with the signature generated for the port, which makes sense. In short, something more serious is going on, but I am at a loss to understand what it is.

BTW, I did try using two different networks, and continue to have the same problem.

A question: where does the macports-pubkey.pem get generated? Is it possible that there is something in my configuration that is messing that up?

comment:4 in reply to:  2 Changed 6 years ago by psiqueira (Paul Siqueira)

Replying to ryandesign:

> We have had similar reports before, which were caused either by incorrect permissions in your /private/tmp directory, or interference from antivirus software (try disabling it).

I am using Avast (13.9) for my security. I did disable it and still have the same problem. Similarly, for /private/tmp, the permissions are: " drwxrwxrwt 29 root wheel 986 Jun 20 19:57 tmp ", and I am always using sudo for the install.

comment:5 in reply to:  3 Changed 6 years ago by jmroot (Joshua Root)

Replying to psiqueira:

> Hmmm, are you saying that I can run the openssl command on my local computer and that it should be able to verify ok?

No, I'm saying I ran it on the files that you downloaded and it verified as correct. Which implies that the files you got are not the same as the files I got, for whatever reason.

> A question: where does the macports-pubkey.pem get generated? Is it possible that there is something in my configuration that is messing that up?

It's distributed with the base MacPorts installation. https://github.com/macports/macports-base/blob/master/macports-pubkey.pem
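
An added example, not part of the ticket or of MacPorts itself: before suspecting the key, check that the downloaded archive and signature are what they claim to be, then rerun the openssl command from comment:1 and print digests to compare with a copy fetched elsewhere. The function names, verdict strings and the markup check (a page substituted for the file on the network path) are assumptions of this example.

```shell
#!/bin/sh
# Triage for "Failed to verify signature for archive!": inspect the files that
# were actually downloaded before suspecting the public key.
# Usage (hypothetical script name): sh triage.sh ARCHIVE SIGNATURE PUBKEY

# True if the file starts with the bzip2 magic "BZh", as a .tbz2 must.
is_bzip2() {
    [ "$(head -c 3 "$1" 2>/dev/null)" = "BZh" ]
}

# True if the first bytes look like markup, e.g. an error or login page
# returned in place of the requested file (assumed failure mode).
is_markup() {
    head -c 512 "$1" 2>/dev/null | LC_ALL=C grep -qi -e '<html' -e '<!doctype'
}

# The verification command from comment:1, with its output suppressed.
verify_sig() {  # args: archive signature pubkey
    openssl dgst -ripemd160 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Print one verdict word for an archive/signature/key triple; non-zero on failure.
triage() {  # args: archive signature pubkey
    if [ ! -s "$1" ] || [ ! -s "$2" ]; then echo "empty-download"; return 1; fi
    if is_markup "$1" || is_markup "$2"; then echo "markup-substituted"; return 1; fi
    if ! is_bzip2 "$1"; then echo "archive-not-bzip2"; return 1; fi
    if ! verify_sig "$1" "$2" "$3"; then echo "signature-mismatch"; return 1; fi
    echo "verified"
}

# SHA-256 digests of each file, for comparison with copies of the same files
# (archive, signature, key) obtained on another machine or network.
fingerprints() {
    for f in "$@"; do openssl dgst -sha256 "$f"; done
}

if [ "$#" -eq 3 ]; then
    triage "$@"
    fingerprints "$@"
fi
```

A "signature-mismatch" verdict together with digests that differ from a known-good copy points at the transfer or something rewriting the files locally; identical digests for archive and signature but a differing digest for the key file points at the key.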

comment:6 Changed 2 years ago by mascguy (Christopher Nielsen)

Cc: mascguy added

comment:7 Changed 2 years ago by mascguy (Christopher Nielsen)

Can we close this issue?

comment:8 Changed 2 years ago by mascguy (Christopher Nielsen)

Resolution: worksforme
Status: new → closed