Bug report #22023

Ubuntu: apt-get update can no longer verify gpg key at https://qgis.org/downloads/qgis-2017.gpg.key

Added by Bruce Steedman 7 months ago. Updated 7 months ago.

Status: Open
Priority: Normal
Assignee: -
Category: Build/Install
Affected QGIS version: 3.7(master)
Regression?: No
Operating System: Ubuntu 18.04
Easy fix?: No
Pull Request or Patch supplied: No
Resolution:
Crashes QGIS or corrupts data: No
Copied to github as #: 29837

Description

I have the following lines in an /etc/apt/apt.conf.d/proxy.conf file in order to route all apt traffic through a socks proxy (Tor) hosted on my machine at 127.0.0.1:9050.

Acquire::http::proxy "socks5h://127.0.0.1:9050";
Acquire::https::proxy "socks5h://127.0.0.1:9050";
Acquire::ftp::proxy "socks5h://127.0.0.1:9050";

This has caused me no problem with updating QGIS from your repository at 'https://qgis.org/debian bionic main', until today. Today when I try sudo apt-get update I get the following error:

E: Failed to fetch https://qgis.org/debian/dists/bionic/InRelease 403 Forbidden [IP: 127.0.0.1 9050]
E: The repository 'https://qgis.org/debian bionic InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

If I remove proxy.conf and avoid the socks proxy, all works fine; however, I do not wish to do this.

The issue appears to be caused by Cloudflare, as the domain qgis.org is behind Cloudflare servers. Further evidence of this can be seen by installing Tor locally and trying curl -x socks5h://127.0.0.1:9050 https://qgis.org/downloads/qgis-2017.gpg.key. The resulting page title is "Attention Required! | Cloudflare", the page Cloudflare uses for DDOS defense. I can only assume Cloudflare must have changed their policy towards Tor users today, as I have used a Tor proxy for apt for months and never had any problems with QGIS. I note that no other repositories I use are affected by this problem today.

Given that you are unlikely to stop using Cloudflare, can your gpg key page be exempted from Cloudflare's DDOS policies somehow in your Cloudflare settings? I would expect this to quickly resolve the issue.

Many thanks

Bruce Steedman

History

#1 Updated by Bruce Steedman 7 months ago

I note that no other repositories I use are NOT affected by this problem today.

#2 Updated by Bruce Steedman 7 months ago

The problem seems intermittent and is resolved as of now (the above curl command delivers the GPG key too). It appears to be at the whim of Cloudflare's policy.
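
The curl check used in the report and in comment #2, as an added example that is not part of the original report or of QGIS tooling: it classifies what the key URL actually returned, so an HTML interstitial is never mistaken for (or imported as) a signing key. The function names and the sample bodies are constructed for illustration; the proxy address, URL and page title are the ones quoted above.

```sh
#!/bin/sh
# Added example: decide what a repository key URL really returned
# before the body goes anywhere near the apt keyring.

# classify_key_body FILE
# prints one of: pgp-key | cloudflare-challenge | html | empty | unknown
classify_key_body() {
    if [ ! -s "$1" ]; then
        echo empty
    elif grep -qF -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" &&
         grep -qF -e '-----END PGP PUBLIC KEY BLOCK-----' "$1"; then
        echo pgp-key
    elif grep -qF -e 'Attention Required! | Cloudflare' "$1"; then
        # Page title quoted in the report
        echo cloudflare-challenge
    elif grep -qi -e '<html' "$1"; then
        echo html
    else
        echo unknown
    fi
}

# check_key_url URL [PROXY]
# prints "<http_code> <kind>"; exit status 0 only for HTTP 200 with an armored key
check_key_url() {
    tmp=$(mktemp) || return 2
    code=$(curl -sS -o "$tmp" -w '%{http_code}' \
        -x "${2:-socks5h://127.0.0.1:9050}" "$1") || code=000
    kind=$(classify_key_body "$tmp")
    rm -f "$tmp"
    echo "$code $kind"
    [ "$code" = 200 ] && [ "$kind" = pgp-key ]
}

# make_samples DIR: write constructed bodies (not real captures) for offline use
make_samples() {
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
        'CONSTRUCTEDPLACEHOLDER' '-----END PGP PUBLIC KEY BLOCK-----' > "$1/key.asc"
    printf '%s\n' '<html><head><title>Attention Required! | Cloudflare</title></head></html>' \
        > "$1/blocked.html"
    : > "$1/empty"
}

# The live check needs curl, network access and the local proxy; run only on request.
if [ "${1:-}" = --live ]; then
    check_key_url https://qgis.org/downloads/qgis-2017.gpg.key
fi
```

A `403 cloudflare-challenge` result points at blocking in front of the server rather than at the repository's signature, which matches the 403 on InRelease that precedes the "no longer signed" message in the apt output above.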
