Ubuntu: install latest git client from PPA to fix ‘unsafe repository’ errors

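Since the announcement of CVE-2022-24765, newer git clients from the Ubuntu security and archive package repositories may throw errors about “unsafe repository … is owned by someone else” if a repository directory is not owned by the user running git.

First, try to resolve the issue by running the command suggested in the error message. This adds the path to safe.directory in your global git config, which tells git to skip the ownership check for that repository, so add only directories whose contents you trust.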

# attempt suggested resolution
git config --global --add safe.directory /your/git/repo

# test if issue is resolved
git status

If this does not resolve the problem, then you need to upgrade to the latest git client, which is available via an Ubuntu PPA.

# show current version
$ git --version
git version 2.17.1

# install latest git client from ppa
sudo apt-add-repository ppa:git-core/ppa
sudo apt-get update
sudo apt-get install git -y

# show new version from PPA
$ git --version
git version 2.36.0

Then you can add the local directory to your ~/.gitconfig.

git config --global --add safe.directory /your/git/repo

# test if issue is resolved
git status

Continue reading if you have issues with apt-add-repository hanging or are using a proxy to access the public internet.

Issue with apt-add-repository downloading key

If the apt-add-repository command hangs, it most likely has a problem downloading the signing key for the PPA.

From the PPA page, we can get the signing key fingerprint and use it to do a manual fetch.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys E1DD270288B4E6030699E45FA1715D88E1DF1F24

Then rerun the apt-add-repository command.

Using a web proxy for public internet access

The ‘apt-*’ utilities unfortunately do not honor the proxy values that apt itself uses, such as those you might put in ‘/etc/apt/apt.conf.d/00proxy’.

If you are using a proxy for public internet access then you need to add the ‘keyserver-options’ flag to the apt-key command like below.

sudo apt-key adv --keyserver-options http-proxy=http://mywebproxy:port --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys E1DD270288B4E6030699E45FA1715D88E1DF1F24

And in order for add-apt-repository to use the proxy, you need to export the proxy variables and make sure you “sudo -E” so that the environment variables are preserved when making the call.

export http_proxy=http://mywebproxy:port
export https_proxy=http://mywebproxy:port
sudo -E add-apt-repository ppa:git-core/ppa

Checking source of git package

The apt ‘policy’ command will show you which git package is currently installed, which Ubuntu repository it belongs to, and what candidate installations you have available.

Below is the output from a standard Ubuntu bionic installation, after we have added the git-core PPA repository (making 2.36 available as candidate) but before we have installed it (2.17 still being used).

$ sudo apt policy git
git:
  Installed: 1:2.17.1-1ubuntu0.10
  Candidate: 1:2.36.0-0ppa1~ubuntu18.04.1
  Version table:
     1:2.36.0-0ppa1~ubuntu18.04.1 500
        500 http://ppa.launchpad.net/git-core/ppa/ubuntu bionic/main amd64 Packages
 *** 1:2.17.1-1ubuntu0.10 500
        500 http://us-east1.gce.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.17.0-1ubuntu1 500
        500 http://us-east1.gce.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
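
An added example, not part of the original post: a small shell parser for the ‘apt policy’ output above that lists which locations offer the installed or candidate version, so a script can confirm the candidate git comes only from the git-core PPA before installing it. The function names are this example's own, and the embedded sample is copied from the output above.

```shell
#!/bin/sh
# Constructed sample: the `apt policy git` output shown in this post.
sample_policy() {
cat <<'EOF'
git:
  Installed: 1:2.17.1-1ubuntu0.10
  Candidate: 1:2.36.0-0ppa1~ubuntu18.04.1
  Version table:
     1:2.36.0-0ppa1~ubuntu18.04.1 500
        500 http://ppa.launchpad.net/git-core/ppa/ubuntu bionic/main amd64 Packages
 *** 1:2.17.1-1ubuntu0.10 500
        500 http://us-east1.gce.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.17.0-1ubuntu1 500
        500 http://us-east1.gce.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
EOF
}

# policy_sources FIELD: read `apt policy <pkg>` output on stdin and print the
# locations offering the version named by FIELD ("Installed" or "Candidate").
policy_sources() {
  awk -v want="$1:" '
    $1 == want                   { target = $2; next }  # e.g. "Candidate: <ver>"
    /Version table:/             { in_table = 1; next }
    !in_table                    { next }
    $1 == "***"                  { cur = $2; next }     # installed version row
    NF == 2 && $2 ~ /^-?[0-9]+$/ { cur = $1; next }     # "<version> <priority>"
    target != "" && (cur "") == (target "") { print $2 } # "<priority> <location> ..."
  '
}

# candidate_only_from PREFIX: succeed only if the candidate version has at
# least one source and every source location starts with PREFIX.
candidate_only_from() {
  srcs=$(policy_sources Candidate)
  [ -n "$srcs" ] || return 1
  for s in $srcs; do
    case "$s" in "$1"*) ;; *) return 1 ;; esac
  done
}

# Demo on the sample; on a real host: apt policy git | candidate_only_from <prefix>
if sample_policy | candidate_only_from "http://ppa.launchpad.net/git-core/ppa/"; then
  echo "candidate git is offered only by the git-core PPA"
fi
```

The installed version additionally lists /var/lib/dpkg/status, which is the local dpkg database rather than a remote repository.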

 
