Need better sig-fail diagnostics by default. "warning: Signature verification failed" is insufficient. #2462
Comments
Interesting, I should likely increase the diagnostics on that -- we're currently opportunistically checking the GPG signature as part of the install process, I wonder if you managed to catch it before it was updated or somesuch. At this point, there's nothing you can do to make it easier for me to tell what happened, so I'm going to repurpose this issue. |
This ought to be straightforward to do, (though not easy to decide what to report). I'd be happy to chat to someone about resolving it. |
My guess is if you're running |
I honestly don't remember exactly what the circumstances were when I ran into this issue (I forgot that I even created this issue!), but based on the fact that I reported it as occurring on Arch Linux, I'm fairly certain it was not in a VM, as I boot Arch natively on all my personal machines and haven't ever used it in a VM. I don't remember ever having run into this again since then, so it could have been an OS bug or even a hardware issue. |
I just got this now:
|
Same:
Seems weird to me that signature verification failures are just a warning? UPDATE Beta channel also fails verification:
I'm not running in a VM |
OK. BTW is your system time and date correct? |
I got same, and...
|
Same here, running Ubuntu 22.04 with latest updates applied (no VM):
|
Sorry, for me the error got fixed once I made sure my system date/time was correct. Not sure what is happening for you. Try making sure your system packages in your distribution are up to date also... perhaps that might help? P.S. I just tried rustup myself and I'm getting the same problem also. My earlier response in this comment was related to an older signature verification problem. See at the end of the ticket for a more useful response related to the issues being faced today. |
I just updated my Debian testing to make sure, even rebooted, and checked time (all good), and still experiencing same problem. |
Consistently getting this error currently on windows with correct time/date. |
See #3185 (and rust-lang/simpleinfra#218) for failures that started occurring today. |
I'm also seeing this on macOS. My clock seems fine, although that's not based on my actually doing anything to verify that.
|
Try updating your
See #3186 for the specific PR that fixes this current issue. |
The rustup invocation @rjwalsh posted has already updated rustup, so it should be fixed for future rustup invocations.
|
I also get this now consistently on Fedora 37. Ran self update as well and my date/time is accurate |
Did you install rustup using the distro package manager? If so self updates are disabled and you need to wait for fedora to push an update. |
I did not, ran the script from https://rustup.rs/
|
What is the full output of
the first time and
the second time. |
I don't have the first run but running it now I get this:
$ rustup self update
info: checking for self-updates
rustup unchanged - 1.25.2
…On Mon, Feb 6, 2023 at 9:45 AM bjorn3 ***@***.***> wrote:
What is the full output of rustup self update? For me it was
info: checking for self-updates
info: downloading self-update
rustup updated - 1.25.2 (from 1.25.1)
the first time and
info: checking for self-updates
rustup unchanged - 1.25.2
the second time.
|
1.25.2 should be the fixed version. Weird. |
Sorry, I think I was unclear. I ran the self update after first doing the
update that showed the warnings.
I just re-ran update with this version and I see no warnings now
|
And again: "Signature verification failed for 'https://static.rust-lang.org/dist/channel-rust-stable.toml'". It was from 1.25.1, but I am reporting it here, because it still was a warning. Establishing the signature to be invalid and then proceeding anyway can not be described in a politically correct way, so I'll spare. Just note that docs saying straight that "We will happily install on your machine whatever we or someone else meantime put at the 'https://static.rust-lang.org/dist/'" would be better security-wise than checking the signature then continue regardless of this check result. |
This issue is still waiting on somebody from the Rust org to regenerate the self-signatures with sha256 or sha512. #3185, rust-lang/simpleinfra#218 The following two signatures need to be regenerated:
|
When we verify the signature, we 'correctly' simply report success/failure, however it may be of value to report more detail by default so that if users encounter the issue seen by the OP, we can more easily diagnose the problem as often these things are transient and hard to reproduce.
ORIGINAL ISSUE
Problem
I just ran rustup update locally, and I received a warning that "signature verification failed" when downloading what appears to be the manifest for the nightly channel versions. This is the warning I received:
And here is the entire output from running rustup update:
Steps
I unfortunately have not been able to reproduce this bug. Running rustup update again did not give the same warning, nor did removing the nightly toolchain and installing from scratch again. I also tried moving my ~/.rustup directory to somewhere else and running rustup install nightly again, but I didn't get the warning that time either. I'm a little hesitant to completely uninstall rustup and install everything from scratch again, so I figured I would wait until I heard back on this issue to see if that would be useful in some way.
Notes
This occurred on an Arch Linux box with rustup installed through the package manager.
Output of rustup --version:
Output of rustup show:
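The diagnostic detail and fail-closed behaviour discussed in this thread, as an added example that is not rustup's code and not part of the original issue: a hypothetical `SigInfo` model is classified into specific failure causes (weak digest, clock skew, expired key, mismatch), and any failure is returned as an error instead of a warning. All type and function names are assumptions, and the rejected digest is assumed to be SHA-1, which the thread itself does not name.

```rust
// Added illustration with hypothetical types; not rustup's internals.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum HashAlgo { Sha1, Sha256, Sha512 }

/// What a verifier knows after parsing a detached signature (constructed model).
pub struct SigInfo {
    pub url: &'static str,
    pub hash: HashAlgo,
    pub created: u64,             // signature creation time, Unix seconds
    pub key_expires: Option<u64>, // signing key expiry, if set
    pub digest_matches: bool,     // outcome of the cryptographic check
}

#[derive(Debug, PartialEq)]
pub enum SigFailure {
    WeakDigest(HashAlgo),
    CreatedInFuture { skew_secs: u64 },
    KeyExpired { secs_ago: u64 },
    BadSignature,
}

/// Collect every reason the signature is unacceptable, not just the first.
pub fn diagnose(sig: &SigInfo, now: u64) -> Vec<SigFailure> {
    let mut out = Vec::new();
    if sig.hash == HashAlgo::Sha1 { out.push(SigFailure::WeakDigest(sig.hash)); }
    if sig.created > now { out.push(SigFailure::CreatedInFuture { skew_secs: sig.created - now }); }
    match sig.key_expires {
        Some(exp) if exp < now => out.push(SigFailure::KeyExpired { secs_ago: now - exp }),
        _ => {}
    }
    if !sig.digest_matches { out.push(SigFailure::BadSignature); }
    out
}

/// Fail closed: any failure is an Err naming the URL and each cause.
pub fn verify(sig: &SigInfo, now: u64) -> Result<(), String> {
    let reasons: Vec<String> = diagnose(sig, now).iter().map(|f| match f {
        SigFailure::WeakDigest(h) => format!("{:?} digest rejected, need sha256 or sha512", h),
        SigFailure::CreatedInFuture { skew_secs } => format!("signed {}s in the future, check the system clock", skew_secs),
        SigFailure::KeyExpired { secs_ago } => format!("signing key expired {}s ago", secs_ago),
        SigFailure::BadSignature => "signature does not match the content".to_string(),
    }).collect();
    if reasons.is_empty() { return Ok(()); }
    Err(format!("signature verification failed for '{}': {}", sig.url, reasons.join("; ")))
}

fn main() {
    let sig = SigInfo { url: "https://static.rust-lang.org/dist/channel-rust-stable.toml", hash: HashAlgo::Sha1, created: 1_675_000_000, key_expires: None, digest_matches: true };
    println!("{:?}", verify(&sig, 1_675_641_600));
}
```

The caller decides what to do with the `Err`; the point of the sketch is that the message carries the cause, so a wrong clock and a rejected digest are no longer indistinguishable.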