Terraform GPG key mismatch - security

I'm trying to install Terraform on Ubuntu with:
https://developer.hashicorp.com/terraform/tutorials/docker-get-started/install-cli
When trying to verify Hashicorp's GPG signing key, I see this command
gpg --no-default-keyring \
--keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
--fingerprint
should have the expected output of
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub rsa4096 2020-05-07 [SC]
E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B
uid [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub rsa4096 2020-05-07 [E]
as of the posting of this question. This also matches Hashicorp's Security page under the heading Linux Package Checksum Verification.
However, I see a new key created 2023-01-10 instead:
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701
uid [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub rsa4096 2023-01-10 [S] [expires: 2028-01-09]
Am I correct in not trusting this key, as until Hashicorp fixes their documentation, this could be a compromised key?

HashiCorp has rotated its main signing keys this week.
The updated key, along with a note confirming the change of key, is now in the Official Packaging Guide document.
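The practical check behind this question is pinning: rather than eyeballing the `--fingerprint` output, compare every fingerprint in the keyring against an allowlist and refuse to proceed on any mismatch. The following is an added example, not code from the question, the answer or HashiCorp; it parses the human-readable `gpg --fingerprint` layout shown above (and the older `Key fingerprint =` form), and the `verify_keyring` wrapper assumes gpg is installed. The allowlist holds both fingerprints quoted in the question; an operator should add the 2023 fingerprint only after confirming it against HashiCorp's published packaging guide, since that confirmation, not its presence in this list, is what makes it trustworthy.

```shell
#!/bin/sh
# Added example: pin the fingerprints in an apt keyring to a known allowlist.
# The two fingerprints are the ones quoted in the question (2020 and 2023 keys)
# with the spaces removed.
HASHICORP_FPRS="E8A032E094D8EB4EA189D270DA418C88A3219F7B 798AEC654E5C15428C8E42EEAA16FCBCA621E701"

# verify_fprs ALLOWLIST: read `gpg --fingerprint` output on stdin and succeed
# only if at least one fingerprint is present and every fingerprint found is in
# the space-separated ALLOWLIST. A fingerprint line is ten groups of four hex
# digits (optionally prefixed by "Key fingerprint =" on old gpg), so after
# stripping the prefix and the blanks it is exactly 40 hex characters.
# Only primary-key fingerprints are printed by a single --fingerprint; subkey
# fingerprints appear only when --fingerprint is given twice.
verify_fprs() {
  allow=" $1 "
  found=0
  for fpr in $(sed 's/^.*= *//' | tr -d ' ' | grep -E '^[0-9A-Fa-f]{40}$' | tr 'a-f' 'A-F'); do
    found=1
    case "$allow" in
      *" $fpr "*) ;;   # known key, keep going
      *) echo "unexpected key fingerprint in keyring: $fpr" >&2; return 1 ;;
    esac
  done
  [ "$found" -eq 1 ]
}

# verify_keyring KEYRING_FILE: dump the keyring with gpg (assumed installed)
# and check it against the allowlist. Exit 0 means every key is expected.
verify_keyring() {
  gpg --no-default-keyring --keyring "$1" --fingerprint | verify_fprs "$HASHICORP_FPRS"
}

# Usage (hypothetical): refuse to run apt-get until the keyring is pinned.
# verify_keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg || exit 1
```

Because the check fails closed, a keyring that contains any fingerprint outside the allowlist (a rotated key, or a substituted one) stops the installation instead of silently proceeding, which is the behaviour the asker wanted when the documented fingerprint stopped matching.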

Related

Error when removing public pgp key without uid from keychain

I'm working with Linux GnuPG. It looks like at some point I received a public key without a UID. I've since received a new key, with UID, but the original key cannot be deleted from the chain. Furthermore, when trying to restore keys from a backup it fails at this key.
$ gpg --delete-keys D7FA4AC2
gpg (GnuPG) 2.0.22; Copyright ...
Fatal error: Invalid argument
Aborted
$ gpg --list-keys --keyid-format long D7FAC2
pub 2048/83191D...
uid
sub 2048R/E1387...
$ gpg --delete-key 83191D...
gpg (GnuPG) 2.0.22; Copyright ...
Fatal error: Invalid argument
Aborted

"Failed to validate config metadata of ordering config: duplicate consenter" while joining orderer to a channel in Hyperledger Fabric v2.4

I'm getting a "cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: duplicate consenter" error when attempting to join a new orderer node to a new channel.
Status: 400
{
"error": "cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: duplicate consenter: server cert: -----BEGIN CERTIFICATE-----<serverCertificate>-----END CERTIFICATE-----\n, client cert: -----BEGIN CERTIFICATE-----<clientCertificate>-----END CERTIFICATE-----\n"
}
The <serverCertificate> and <clientCertificate> embedded in the error message are both TLS certificates. The <clientCertificate> is for one of the nodes which I'm not even attempting to join to a channel yet.
I'm following the "Creating a Channel" tutorial from version 2.4 documentation, without docker.
I have created all the required certificates (both TLS and ID certificates) and folder structures.
The orderer nodes are successfully started.
The genesis block is successfully created.
However, the above error occurs when I run the following CLI, irrespective of the referenced orderers' endpoint.
osnadmin channel join --channelID channel.ppty --config-block /home/dionly/hyperledger/fabric/2.4.3/config/genesis_block.pb -o hlfdev:7443 --ca-file $OSN_TLS_CA_ROOT_CERT --client-cert $ADMIN_TLS_SIGN_CERT --client-key $ADMIN_TLS_PRIVATE_KEY
I have checked the orderer.yaml and configtx.yaml files for duplicate reference to the offending certificates. None was found.
I have also queried TLS CA
$ ./fabric-ca-client identity list -u https://hlfdev:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --mspdir tls-ca/tlscaadmin/msp
in case somehow I managed to create a duplicate registry. That does not seem to be the case.
I have gone through the tutorial more times than I can count and always get stuck at this same point.
I'd really appreciate any suggestion on what is causing this and how to progress past it.

Install TinyTex on a Ubuntu based Docker image: cannot verify yihui.org's certificate

I'm trying to build a Docker image, based on ubuntu:20.04, with R and bookdown with PDF support. But I'm getting ERROR: cannot verify yihui.org's certificate [...] with tinytex::install_tinytex():
> tinytex::install_tinytex()
trying URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz'
trying URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz'
--2020-11-23 09:19:05-- https://yihui.org/tinytex/TinyTeX-1.tar.gz
Resolving yihui.org (yihui.org)... 167.99.129.42, 134.209.226.211
Connecting to yihui.org (yihui.org)|167.99.129.42|:443... connected.
ERROR: cannot verify yihui.org's certificate, issued by 'CN=SSL-SG1-GROBU,OU=Operations,O=Cloud Services,C=US':
Unable to locally verify the issuer's authority.
To connect to yihui.org insecurely, use `--no-check-certificate'.
Error in download.file(url, output, ..., method = method) :
'wget' call had nonzero exit status
Calls: <Anonymous> ... download_file -> <Anonymous> -> download -> download.file
In addition: Warning messages:
1: In download.file(url, output, ..., method = method) :
URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz': status was 'SSL peer certificate or SSH remote key was not OK'
2: In download.file(url, output, ..., method = method) :
URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz': status was 'SSL peer certificate or SSH remote key was not OK'
You may have to restart your system after installing TinyTeX to make sure ~/bin appears in your PATH variable (https://github.com/yihui/tinytex/issues/16).
Execution halted
I need to find a way to verify and trust the certificate chain from yihui.org, as I'm not allowed to bypass the verification with --no-check-certificate.
Thanks in advance for any hint!
Mihai
The default Docker image has no certificates installed, so there are also no root certificates. That is what is indicated by the error message Unable to locally verify the issuer's authority. You can obtain the root certificates from the package ca-certificates (install it via apt-get).

Error: Error endorsing chaincode: rpc error: code = Unknown desc = Failed to init chaincode(handler not found for chaincode mycc:0)

I'm trying to make the tutorial "Chaincode for Developers" work. But at the section "Terminal 3 - Use the chaincode" I'm stuck trying to run this command
$ peer chaincode instantiate -n mycc -v 0 -c '{"Args":["a","10"]}' -C myc
It exits with this error :
Error: Error endorsing chaincode: rpc error: code = Unknown desc = Failed to init chaincode(handler not found for chaincode mycc:0)
I've done some research but I don't know what to do. Could somebody please help me ?
This is solved. There were three primary problems.
As Chris mentioned, the certs are expired. In the future you can easily check a certificate's validity by parsing it. For example openssl x509 -in your_cert.pem -text
The provided artifacts were not configured properly. Namely, the configtx.yaml that the configtxgen utility consumed did not have the orderer address defined correctly.
Lastly, the documented command to start the chaincode used the wrong port for the peer address. Should be 7052 not 7051.
I will push a fix for this shortly.
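The expiry check the answer mentions is worth automating, because an expired TLS or MSP certificate produces exactly this kind of opaque endorsement error. The following is an added example, not part of the answer above and not Fabric's own tooling: a POSIX shell check built on `openssl x509 -checkend` that flags certificates already expired or expiring within a window, plus a scanner that walks a directory tree such as a Fabric MSP or TLS folder. It assumes openssl is on PATH and that file paths contain no whitespace.

```shell
#!/bin/sh
# Added example: flag expired or soon-to-expire PEM certificates with openssl.

# check_cert_expiry CERT.pem [DAYS]: exit 0 if the certificate is still valid
# DAYS days from now, 1 if it is already expired or expires inside the window.
# -checkend takes seconds; an expired certificate fails for any window.
check_cert_expiry() {
  cert="$1"
  days="${2:-0}"
  secs=$((days * 86400))
  if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
    return 0
  fi
  # Print subject and validity dates so the operator sees which cert and why.
  openssl x509 -noout -subject -dates -in "$cert" >&2
  return 1
}

# scan_certs DIR [DAYS]: check every .pem/.crt file under DIR (default window
# 30 days). Files that do not parse as X.509 (private keys, CSRs) are skipped.
# Exit 0 only if every certificate passes. Assumes paths without whitespace.
scan_certs() {
  dir="$1"
  days="${2:-30}"
  bad=0
  for f in $(find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \)); do
    openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
    if ! check_cert_expiry "$f" "$days"; then
      echo "EXPIRING OR EXPIRED: $f" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Usage (hypothetical path): scan_certs ./crypto-config 30 || exit 1
```

Run it against the artifact tree before starting peers and orderers; a non-zero exit plus the printed notAfter date tells you which file to regenerate, rather than leaving you to infer it from a chaincode handler error.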

debsign fails due to GPG error

I'm trying to build a Debian package from source; it signs the package once the source builds.
I'm able to build the package on my desktop, but the same package build is failing in my VNC session on the same desktop.
success on desktop:
----------
Now signing changes and any dsc files...
signfile <file1>.changes info@abc.com
gpg: key 9F54A1B3: secret key without public key - skipped
Successfully signed changes file
---------------------------
Error on VNC:
----------
Now signing changes and any dsc files...
signfile <file1>.changes info@abc.com
gpg: key 9F54A1B3: secret key without public key - skipped
gpg: problem with the agent - disabling agent use
debsign: gpg --no-tty --passphrase tigris error occurred! Aborting....
debuild: fatal error at line 1283:
running debsign failed
Do I need to add anything to the keyring, maybe? Here is the gpg key list
root@vdeore:/home/vdeore/ws/VCA# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/A3888BE1 2015-01-15
uid vdeore <info@abc.com>
sub 1024R/9965A356 2015-01-15
pub 1024R/EAE69D3A 2015-01-15
uid abc <info@abc.com>
sub 1024R/79C683AB 2015-01-15
Tried generating key on VNC, but it did not make any difference.
Any suggestions? Appreciate the help, thanks in advance.