mint7, packages cannot be authenticated!

Questions about Grub, UEFI,the liveCD and the installer
Forum rules
Before you post please read this

mint7, packages cannot be authenticated!

Postby itsucks on Thu May 28, 2009 7:17 am

yestaday install mint7 on my hd successed,
(mint7 iso down from http://ftp.heanet.ie/pub/linuxmint.com/ ... Mint-7.iso)
$sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/0C5A2783 2006-11-23
uid Medibuntu Packaging Team <admin@lists.medibuntu.org>
uid The Medibuntu Team <medibuntu@sos-sts.com>
sub 2048g/16C7105A 2006-11-23

pub 1024D/0FF405B2 2009-04-29
uid Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
sub 2048g/0F346519 2009-04-29

pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12

$sudo apt-get update
$apt-cache policy ssmtp
ssmtp:
Installed: (none)
Candidate: 2.62-2.2ubuntu1
Version table:
2.62-2.2ubuntu1 0
500 http://archive.ubuntu.com jaunty/universe Packages

$sudo apt-get install ssmtp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ssmtp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 50.6kB of archives.
After this operation, 8192B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
ssmtp
Authentication warning overridden.
.....
itsucks
Level 1
Level 1
 
Posts: 1
Joined: Sat Mar 14, 2009 12:25 pm
Location: beijing,china

Linux Mint is funded by ads and donations.
 

Re: mint7, packages cannot be authenticated!

Postby merlwiz79 on Thu May 28, 2009 8:17 pm

This package comes from Ubuntu's repo not ours.
User avatar
merlwiz79
Level 11
Level 11
 
Posts: 3637
Joined: Wed Apr 04, 2007 1:50 pm
Location: Here again :)

Re: mint7, packages cannot be authenticated!

Postby jvoegele on Sun May 31, 2009 8:31 am

merlwiz79: Since most Mint packages do come from Ubuntu's repo, it would be nice to have a solution for this.

I have just done a fresh install of Linux Mint 7 "Gloria", and the first thing that I tried to do was install some packages using Synaptic. (These are some lower-level packages that do not show up in the mintInstall application.) However, any packages that I try to install from the Ubuntu repositories (which is most of them) causes a warning:

You are about to install software that can't be authenticated! Doing this could allow a malicious individual to damage or take control of your system.


What do I need to do to make sure packages from the Ubuntu repositories are authenticated?

Thanks!
jvoegele
Level 1
Level 1
 
Posts: 3
Joined: Sun May 31, 2009 8:24 am

Re: mint7, packages cannot be authenticated!

Postby exploder on Sun May 31, 2009 9:04 am

What do I need to do to make sure packages from the Ubuntu repositories are authenticated?


If you have not changed your /etc/apt/sources.list you do not have anything to worry about.

This: (You are about to install software that can't be authenticated!) used to show up when a new package came from our own repos. I think that the way things are set up now protects the Mint specific parts of the system.
exploder
Level 15
Level 15
 
Posts: 5893
Joined: Tue Feb 13, 2007 10:50 am
Location: HartfordCity, Indiana USA

Re: mint7, packages cannot be authenticated!

Postby jvoegele on Sun May 31, 2009 12:27 pm

If you have not changed your /etc/apt/sources.list you do not have anything to worry about.


Do you mean that if I have not changed my sources.list (I haven't) that I should not be receiving this warning message, or that I should expect to see this warning message but I can safely ignore it?

If the former, well I am seeing the warning. :D

If the latter, I guess I'd prefer not to see this message as most of the packages that I would install come from the Ubuntu repositories, and I'd like to not feel nervous every time I do so.

Thanks again.
jvoegele
Level 1
Level 1
 
Posts: 3
Joined: Sun May 31, 2009 8:24 am

Re: mint7, packages cannot be authenticated!

Postby Carl on Sun May 31, 2009 5:12 pm

jvoegele wrote:
If you have not changed your /etc/apt/sources.list you do not have anything to worry about.


Do you mean that if I have not changed my sources.list (I haven't) that I should not be receiving this warning message, or that I should expect to see this warning message but I can safely ignore it?

If the former, well I am seeing the warning. :D

If the latter, I guess I'd prefer not to see this message as most of the packages that I would install come from the Ubuntu repositories, and I'd like to not feel nervous every time I do so.

Thanks again.


No he's saying to ignore it as it's all perfectly normal :D
[AMD Sempron 145 2.8GHz + Unlocked 2nd Core|ATI Radeon™ HD3000 Graphics|4GB DDR3|Biostar A780L3L]
Image
User avatar
Carl
Level 5
Level 5
 
Posts: 667
Joined: Wed Apr 15, 2009 5:20 pm
Location: West Sussex, UK

Re: mint7, packages cannot be authenticated!

Postby jvoegele on Mon Jun 01, 2009 7:17 am

Carl wrote:No he's saying to ignore it as it's all perfectly normal :D


I mean no offense, but am I the only one that finds this rather...unsatisfying? Perhaps I am unusual in that many of the packages I need to install come from the Ubuntu repositories and must be installed with Synaptic (or apt-get), but it seems to me something as fundamental as installing Ubuntu packages should not come with scary warning.
jvoegele
Level 1
Level 1
 
Posts: 3
Joined: Sun May 31, 2009 8:24 am

Re: mint7, packages cannot be authenticated!

Postby exploder on Mon Jun 01, 2009 7:44 am

It only means that Mint packages have priority so your system has less chance of breakage. The base system is built from Ubuntu. You make the decisions as to the safety of upgrading Ubuntu packages, they are level 3 updates. A good example would be a kernel update, it should be fine but there is a risk involved. Mint packages used to have this warning and we knew that they were fine. The way things are set up now, you actually get less warning messages and you control the level 3 updates using your own judgment.
exploder
Level 15
Level 15
 
Posts: 5893
Joined: Tue Feb 13, 2007 10:50 am
Location: HartfordCity, Indiana USA

Re: mint7, packages cannot be authenticated!

Postby dash on Fri Jun 05, 2009 12:28 pm

I tried disabling all the other repositories except the mint repo. "deb http://packages.linuxmint.com/ gloria main upstream import" is the only uncommented line in sources.lists. Then I did apt-get update and then:

Code: Select all
$ sudo apt-cache policy xchat-gnome-common
xchat-gnome-common:
  Installed: (none)
  Candidate: 1:0.26.1-1mint1-0ubuntu1
  Version table:
     1:0.26.1-1mint1-0ubuntu1 0
        700 http://packages.linuxmint.com gloria/upstream Packages


Code: Select all
$ sudo apt-get install xchat-gnome-common -d
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  xchat-gnome-common
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1816kB of archives.
After this operation, 5738kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  xchat-gnome-common
Authentication warning overridden.
Get:1 http://packages.linuxmint.com gloria/upstream xchat-gnome-common 1:0.26.1-1mint1-0ubuntu1 [1816kB]
Download complete and in download only mode

So even with all repos except the Mint repo disabled, the authentication warning is still there. I even tried deleting all the keys except the Mint gpg key, then did apt-get clean, apt-get update, and apt-get install xchat-gnome-common -d. Same result. Also, I read this this thread: viewtopic.php?p=150760#p150820 that Mint 7 packages are now signed. If they are signed, then it seems like I should not be getting this error right now.

If this is a result of privileging Mint repos over the Ubuntu repos, why does this problem happen after disabling everything except the Mint repo?
dash
Level 1
Level 1
 
Posts: 4
Joined: Fri Jun 05, 2009 3:32 am

Re: mint7, packages cannot be authenticated!

Postby jkorkean on Sat Jun 06, 2009 8:16 am

It's frustrating for new users to see such warning messages. :? Telling everyone "It's not a problem" isn't a way to solve this.
jkorkean
Level 1
Level 1
 
Posts: 1
Joined: Sat Jun 06, 2009 7:39 am

Re: mint7, packages cannot be authenticated!

Postby Carl on Sat Jun 06, 2009 9:01 am

jkorkean wrote:It's frustrating for new users to see such warning messages. :? Telling everyone "It's not a problem" isn't a way to solve this.


it's warning it's meant to be there!, you'd be more annoyed if it wasn't there and then you mucked up your system surely? :?
[AMD Sempron 145 2.8GHz + Unlocked 2nd Core|ATI Radeon™ HD3000 Graphics|4GB DDR3|Biostar A780L3L]
Image
User avatar
Carl
Level 5
Level 5
 
Posts: 667
Joined: Wed Apr 15, 2009 5:20 pm
Location: West Sussex, UK

Re: mint7, packages cannot be authenticated!

Postby globetrotterdk on Sat Jun 06, 2009 11:57 am

Carl wrote:
jkorkean wrote:It's frustrating for new users to see such warning messages. :? Telling everyone "It's not a problem" isn't a way to solve this.


it's warning it's meant to be there!, you'd be more annoyed if it wasn't there and then you mucked up your system surely? :?


Sorry, but both the problem itself and the answer are counter intuitive. A warning, particularly with this language is to prevent someone from doing something that is endangering the security of the system. Writing that this is normal behavior implies that it is OK to endanger the security of your system.

This message is also unhelpful for users that have added other repositories, as it is unclear which repositories you should consider this abnormal behavior (insecure) and which repositories you should consider this normal (secure) behavior.
Acer Aspire One 725.
Military justice is to justice what military music is to music. - Groucho Marx
globetrotterdk
Level 3
Level 3
 
Posts: 170
Joined: Tue Dec 16, 2008 12:19 pm
Location: Copenhagen

Re: mint7, packages cannot be authenticated!

Postby neal on Tue Aug 18, 2009 3:49 pm

Popping up authentication warnings as a matter of course isn't the best system design. It lulls users into ignoring the errors and at worst will allow trojaned packages to be installed. This is really a Debian/Ubuntu issue, not just a Mint problem.

If the warning is occuring because packages haven't been signed at all, perhaps a better alert would be something like:

"These packages are not signed. Do you trust this source?"

That would leave the stronger warning for packages that actually fail authentication (i.e. they're signed with an invalid key).
neal
Level 1
Level 1
 
Posts: 4
Joined: Thu Jan 01, 2009 6:50 am

Re: mint7, packages cannot be authenticated!

Postby minter20003000 on Fri Aug 21, 2009 9:23 am

Signed repositories are necessary to bypass hacker attempts to inject code/trojans to the downloads.
Our current Internet is very dirty, you must help your minters.
Please take privacy and security very seriously.

Packages authentication is not an option, it's a necessity ASAP.

Thank you guys for a nice Mint distro, still awaiting for some "definitive" release, tired of constantly updating-upgrade, I would like to rest and start to learn about my system.
(Any netbook version in agenda?)
minter20003000
Level 1
Level 1
 
Posts: 1
Joined: Fri Aug 21, 2009 8:58 am

Re: mint7, packages cannot be authenticated!

Postby endontoddy on Sat Aug 29, 2009 4:47 am

I have to agree with this.

'It can safely be ignored' is not good enough. Especially if someone is, (as many do) using repositories other than the core Ubuntu/Mint ones. How are we supposed to know if the warning is valid or if it only appeared because Mint doesn't authenticate its packages?
endontoddy
Level 1
Level 1
 
Posts: 8
Joined: Sat Aug 22, 2009 7:23 pm

Re: mint7, packages cannot be authenticated!

Postby thomasmc on Tue Jan 19, 2010 6:13 pm

neal wrote:Popping up authentication warnings as a matter of course isn't the best system design. It lulls users into ignoring the errors and at worst will allow trojaned packages to be installed. This is really a Debian/Ubuntu issue, not just a Mint problem.


I have tried a number of Ubuntu based distros, and Mint is the ONLY one with this problem.
The fact that they are so FLIPPANT about user security really infuriates me, and I will probably uninstall Mint as a result.
Either you care about security, or you don't, and obviously Mint does NOT.
thomasmc
Level 1
Level 1
 
Posts: 37
Joined: Tue Jan 19, 2010 5:43 pm

Re: mint7, packages cannot be authenticated!

Postby artisan002 on Thu Feb 04, 2010 6:28 am

As I see it, this "warning" is the least of my concerns... For one, how much did any of us pay for this distro? Secondly, how many of us are proficient enough to create a distro of our own that is markedly different from it's parent? Yes the alerts are inconvenient. Yes it makes you click to close an extra window. But, I also don't see how a rational mind could consider it a deal breaker. it's not as though the alert is stopping anything from installing or outfitting your computer with viruses/malware. It's just an indicator that Mint doesn't authenticate as being Ubuntu -- because it's not. And that's not something anyone other than the Ubuntu crew can stop. Accordingly, any Ubuntu repository will throw back a quick alert about this. It's not unlike Windows warnings when you try to install something and you're warned that whatever you're installing might be bad. You're still safer this way than your overall odds with Windows.

Furthermore, I haven't seen anything tangible that would indicate that the Mint crew is actually so lax on security. Again, I would say you're odds of safety are better here than with Windows.

In the end, if something like this authentication alert issue is that great a problem, I'm quite certain Linux will present you with other quirks that will draw the same ire. I'd bet it may already have. Linux, by and large, is a free operating system... How often does that happen? And it doesn't just stop at handing you an OS. It provides you with additional software to boot! And it never demands anything in return. However, it lacks a customer service or traditional tech support business model on the side. That's just part of the deal. I've personally had fewer issues with this particular distro than any other one I've tried. And I just don't see how this should have devolved into such a bizarre and unresolvable argument.
artisan002
Level 1
Level 1
 
Posts: 2
Joined: Mon Aug 10, 2009 9:19 pm

Re: mint7, packages cannot be authenticated!

Postby psen on Mon Mar 22, 2010 8:15 pm

Me too with this "problem" - I knew that the packages were coming from the official repo so I just blasted my way through it...

But I think it would be handy if the warnings matched the settings in the update manager e.g. "You are installing a level 1, 2, 3... package" with a big red " WHAT ARE YOU DOING, HAL? :twisted:" for totally unsigned stuff or "I.installed.this.ppm.myself.from.totally.legit.warez.net"...
psen
Level 1
Level 1
 
Posts: 1
Joined: Sat Feb 20, 2010 4:50 pm

Re: mint7, packages cannot be authenticated!

Postby garaden on Fri Jul 02, 2010 7:24 pm

I have to disagree with artisan's argument. First of all, since Ubuntu and its repos are under the GPL, they can't restrict other distros from accessing them in a secure fashion. Second, one of the effects of the GPL is competition combined with collaboration, so any distro at some kind of disadvantage like this authentication problem can and should be pressured into fixing it. I'd really like to see this get fixed, because authentication for executables is close to a deal-breaker for me.
garaden
Level 1
Level 1
 
Posts: 1
Joined: Fri Jul 02, 2010 7:04 pm

Re: mint7, packages cannot be authenticated!

Postby johngreth on Thu Jul 08, 2010 7:00 pm

I think that rather than arguing about how bad the problem is, we should just find a solution. There is a potential security hole. Whether or not it can be exploited is unknown. Just because it's still significantly more secure than windows doesn't mean that we as a community should accept it as good enough. I agree that if you aren't going to do anything about it you can't complain about it. Pickers can't be choosers. However, projects like Mint exist and are as good as they are because people ask for things to be fixed. I personally would like this to be fixed. I'll probably spend some time working on it and if I find a solution, I'll post it here.
johngreth
Level 1
Level 1
 
Posts: 1
Joined: Thu Jul 08, 2010 6:52 pm

Linux Mint is funded by ads and donations.
 
Next

Return to Installation & Boot

Who is online

Users browsing this forum: No registered users and 12 guests