needs update for new archive key

Bug #27955 reported by Debian Bug Importer
Affects        Status         Importance   Assigned to     Milestone
apt (Debian)   Fix Released   Unknown
apt (Ubuntu)   Invalid        High         Michael Vogt

Bug Description

Automatically imported from Debian bug report #345891 http://bugs.debian.org/345891

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 3 Jan 2006 23:07:37 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: needs update for new archive key

Package: apt
Version: 0.6.43
Severity: serious
Tags: d-i

apt needs to be updated for this year's archive key which is apparently
the one at http://ftp-master.debian.org/ziyi_key_2006.asc

I'm tagging this bug d-i because not having the key up-to-date in apt
breaks new installations since apt doesn't work, and will begin breaking
d-i even worse once the old archive key expires.

FWIW, I think that the archive key should be split out into a new
package that can be updated more easily than apt, but for now a quick
fix is called for.

-- 
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (345823,345891)

This bug has been marked as a duplicate of bug 27959.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 4 Jan 2006 06:47:29 +0100
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: merging 345823 345891

# Automatically generated email from bts, devscripts version 2.9.10
merge 345823 345891

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 4 Jan 2006 14:59:36 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: severity of 346002 is serious, merging 346002 345891

# Automatically generated email from bts, devscripts version 2.9.10
severity 346002 serious
merge 346002 345891

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 04 Jan 2006 21:17:26 +0000
From: "Adam D. Barratt" <email address hidden>
To: <email address hidden>, Ferenczi Viktor <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating

# BTS control commands
package apt
# Raising severities as per the rationale in #345891
severity 346002 serious
severity 345823 serious
severity 345956 serious
merge 346002 345823 345956 345891
thanks

On Wed, 2006-01-04 at 20:25 +0100, Ferenczi Viktor wrote:
> Package: apt
> Version: 0.6.43
> Severity: normal
>
>
> I got an unusual GPG error when updating with apt-get update:
[...]
> W: GPG error: http://ftp.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

This is the same issue as reported in #345891 and the two bugs I've just
merged with it (see above). Merging this report and the other three.

Regards,

Adam

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 23:27:40 +0100
From: Michael Vogt <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: Debian Bug Tracking System <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

On Tue, Jan 03, 2006 at 11:07:37PM -0500, Joey Hess wrote:
> Package: apt
> Version: 0.6.43
> Severity: serious
> Tags: d-i

Thanks for your bug report and sorry for my late reply.

> apt needs to be updated for this year's archive key which is apparently
> the one at http://ftp-master.debian.org/ziyi_key_2006.asc

The new key is added to my baz repository and it will be part of the
next (very soon) upload.

> I'm tagging this bug d-i because not having the key up-to-date in apt
> breaks new installations since apt doesn't work, and will begin breaking
> d-i even worse once the old archive key expires.

The updated default key in apt means that new installs will be fine,
but we need a better system for upgrades (see below).

> FWIW, I think that the archive key should be split out into a new
> package that can be updated more easily than apt, but for now a quick
> fix is called for.

I think the same. My proposal is to create a new debian-server-keyring
[1] package that contains:
/usr/share/keyrings/debian-archive-keyring.gpg
/usr/share/keyrings/debian-archive-removed-keys.gpg

and calls "apt-key update" in its postinst. apt-key update will add
new keys from "debian-archive-keyring.gpg" via "apt-key add" and remove
keys in debian-archive-removed-keys.gpg via "apt-key del".

This way installing/updating the package will ensure that new keys are
added as required and obsolete keys can be removed. Because the keys
are part of a package and the package is covered with the trust-chain
there is no trust-chain violation.

If people are happy with my proposal I'll prepare and upload such a
package.

Cheers,
 Michael

[1] I think we should create a new package and not use debian-keyring
because debian-keyring is pretty big.
--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 18:54:32 -0500
From: Joey Hess <email address hidden>
To: Michael Vogt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

Thanks for following up on this..

Michael Vogt wrote:
> I think the same. My proposal is to create a new debian-server-keyring
> [1] package that contains:
> /usr/share/keyrings/debian-archive-keyring.gpg
> /usr/share/keyrings/debian-archive-removed-keys.gpg
>
> and calls "apt-key update" in its postinst. apt-key update will add
> new keys from "debian-archive-keyring.gpg" via "apt-key add" and remove
> keys in debian-archive-removed-keys.gpg via "apt-key del".
>
> This way installing/updating the package will ensure that new keys are
> added as required and obsolete keys can be removed. Because the keys
> are part of a package and the package is covered with the trust-chain
> there is no trust-chain violation.
>
> If people are happy with my proposal I'll prepare and upload such a
> package.

Yes, that sounds right to me.

The installer also needs a copy of the keyring. Currently we copy this
from the keyring shipped in apt at package build time, but it would be
much nicer if there were a udeb that only contained the keyring. Once
you create this package I can send a patch to also make it produce an
appropriate udeb.

-- 
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 02:59:21 +0100
From: Adeodato Simó <email address hidden>
To: Michael Vogt <email address hidden>, <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

* Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:

> but we need a better system for upgrades (see below).

  Thanks for proposing this.

> I think the same. My proposal is to create a new debian-server-keyring

  Can I suggest that it's called debian-archive-keyring (or -keys)
  instead? "debian-server" sounds like "a debian server", while
  "debian-archive" sounds more (at least to me) like "the Debian
  Archive".

  Thanks,

--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org

Man: Wow, that woman looks exactly the way Nina is going to look in
about ten years... Oh shit, it is Nina. Don't tell her what I said, okay?
                -- http://www.overheardinnewyork.com/archives/003086.html

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 6 Jan 2006 17:21:04 +1100
From: Andrew Vaughan <email address hidden>
To: <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

Hi

Further things to consider. Apologies if these have already been handled.

1. Dec 2006 Etch releases. Jill downloads and burns etch install cd.
   Jan 2007, old archive key expires, new archive key issued.
   Jan 2008, old archive key expires, new archive key issued.
   Mar 2008, Jill tries to install from the cd created in Dec 2006.

   Will that work?

   Will that work if all debian-archive-keys were revoked/replaced in
   mid 2007?

2. security.d.o will (presumably) also be signed.
   Will that be using the same key?

   Using separate keys might make updating after a key compromise simpler.
   (You could use the not-compromised key to sign both package lists
   temporarily).

Andrew

PS I also prefer debian-archive-keyring/debian-archive-keys.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 23:35:22 -0800
From: Steve Langasek <email address hidden>
To: Andrew Vaughan <email address hidden>,
 <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

On Fri, Jan 06, 2006 at 05:21:04PM +1100, Andrew Vaughan wrote:
> Hi

> Further things to consider. Apologies if these have already been handled.

> 1. Dec 2006 Etch releases. Jill downloads and burns etch install cd.
> Jan 2007, old archive key expires, new archive key issued.
> Jan 2008, old archive key expires, new archive key issued.
> Mar 2008, Jill tries to install from the cd created in Dec 2006.

> Will that work?

> Will that work if all debian-archive-keys were revoked/replaced in
> mid 2007?

The ISO images are generated on a different machine from ftp-master, with
their own Release files which must be signed by a separate key. The policy
for those keys (and for keys used for signing stable in general?) probably
needs to be separate from that used on the ftp archive.

Anyway, if by "install" you mean "fresh install", rather than just "install
some packages from this CD", the keys contained *on* the CD are ultimately
trusted (as is the rest of the software on the CD at time of install,
basically) at least until the point when you add some external apt source
that pulls revocation certificates from the network. So doing an install
from the CD should work fine, as long as the CD-signing key has no
expiration date or one sufficiently far in the future to cover our
worst-case needs for etch, or we provide some override in the CD to allow
installing with an ancient signature. Either way, I think ISOs pose much
less of a problem for us than ftp apt sources for stable.

> 2. security.d.o will (presumably) also be signed.
> Will that be using the same key?

I don't see any good reason to use the same key, given that they're on
separate systems.

-- 
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 06:44:05 +0100
From: Christian Perrier <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

> I think the same. My proposal is to create a new debian-server-keyring
> [1] package that contains:
> /usr/share/keyrings/debian-archive-keyring.gpg
> /usr/share/keyrings/debian-archive-removed-keys.gpg

I add my voice here: this seems fair by me (with the name change
suggested by dato).

However, this raises an interesting question: who will maintain this
package?

My feeling is that it should be in the hands of the ftpmaster
team. This would give the guarantee of reactivity when updates are due
(hopefully once a year).

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 09:56:22 -0500
From: Joey Hess <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>
Cc: Andrew Vaughan <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

Steve Langasek wrote:
> The ISO images are generated on a different machine from ftp-master, with
> their own Release files which must be signed by a separate key. The policy
> for those keys (and for keys used for signing stable in general?) probably
> needs to be separate from that used on the ftp archive.

The CDs aren't signed at all right now, but for all CDs except for full
CDs (netinst, businesscard), if the archive key built into the CD is
expired, the install will probably fail.

-- 
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 10 Jan 2006 10:06:31 +0100
From: Michael Vogt <email address hidden>
To: <email address hidden>,
 Adeodato Simó <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key

On Fri, Jan 06, 2006 at 02:59:21AM +0100, Adeodato Simó wrote:
> * Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:
> > but we need a better system for upgrades (see below).
>
> Thanks for proposing this.
>
> > I think the same. My proposal is to create a new debian-server-keyring
>
> Can I suggest that it's called debian-archive-keyring (or -keys)
> instead? "debian-server" sounds like "a debian server", while
> "debian-archive" sounds more (at least to me) like "the Debian
> Archive".

Thanks everyone for their opinion.

I uploaded a new debian-archive-keyring package a couple of minutes
ago that will work with apt-key update (and calls it automatically
after it was installed). It will also build a udeb (as suggested by
Joey Hess, thanks to Colin Watson).

About maintainership of this package, I'm happy to maintain it for
now, but I'm equally happy to give it away to the ftp-masters.

This package solves the problem for scheduled key rollovers (where we
sign with both new and old key for a certain time), but it uses the
old key to verify the package. This means that it's not suitable
against a key compromise of the archive key. How to deal with this
scenario needs to be discussed further.

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
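The rollover mechanism Michael Vogt proposes above (a keyring package whose postinst runs apt-key update, accepted only because the archive still verifies with the key the host already trusts) and the stale-media case Andrew Vaughan raises earlier in the thread, modelled as an added Python example that is not part of the bug thread, of apt, or of debian-archive-keyring. Key IDs, expiry dates and Release signatures are constructed, and apt-key is approximated as a set of trusted key IDs with expiry dates.

```python
"""Model of the debian-archive-keyring rollover discussed in bug #345891.
Added example: not apt's or debian-archive-keyring's code. Key IDs, expiry
dates and Release signatures are constructed; apt-key is approximated as a
set of trusted keys, each with an expiry date."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Key:
    keyid: str      # constructed placeholder, not a real archive key ID
    expires: date


# Constructed yearly archive keys, each valid two months into the next year.
KEY_2005 = Key("KEY2005", date(2006, 2, 28))
KEY_2006 = Key("KEY2006", date(2007, 2, 28))
KEY_2007 = Key("KEY2007", date(2008, 2, 28))
KEY_2008 = Key("KEY2008", date(2009, 2, 28))


def verify(signers: set[str], trusted: set[Key], day: date) -> bool:
    """A Release verifies if any signature on it comes from a key that is
    trusted on this host and has not expired on `day`."""
    return any(k.keyid in signers and day <= k.expires for k in trusted)


def apt_key_update(trusted: set[Key], keyring: set[Key], removed: set[Key]) -> set[Key]:
    """The postinst step: 'apt-key add' every key in debian-archive-keyring.gpg,
    then 'apt-key del' every key in debian-archive-removed-keys.gpg."""
    return (trusted | keyring) - removed


def install_keyring_package(trusted: set[Key], signers: set[str], keyring: set[Key],
                            removed: set[Key], day: date) -> tuple[bool, set[Key]]:
    """The keyring package comes from the archive, so it is accepted only if
    the archive's Release verifies with the keys already trusted: this is the
    'uses the old key to verify' property noted in the thread."""
    if not verify(signers, trusted, day):
        return False, trusted           # package rejected, trust unchanged
    return True, apt_key_update(trusted, keyring, removed)


def scheduled_rollover() -> bool:
    """Jan 2006: Release double-signed (2005 + 2006), host trusts only 2005.
    After the update, a 2006-only Release from March 2006 must verify."""
    signers = {KEY_2005.keyid, KEY_2006.keyid}
    ok, trusted = install_keyring_package({KEY_2005}, signers, {KEY_2006},
                                          {KEY_2005}, date(2006, 1, 10))
    return ok and verify({KEY_2006.keyid}, trusted, date(2006, 3, 1))


def stale_media() -> bool:
    """Andrew's case: media built in Dec 2006 trusting only the 2006 key is
    used in March 2008, after two further rollovers. Returns False: the key
    it trusts no longer signs anything, so there is no path to the new keys."""
    signers = {KEY_2007.keyid, KEY_2008.keyid}
    ok, _ = install_keyring_package({KEY_2006}, signers, {KEY_2007, KEY_2008},
                                    {KEY_2006}, date(2008, 3, 1))
    return ok
```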

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <010301c616ab$31bdf870$eb00010a@andromeda>
Date: Wed, 11 Jan 2006 12:33:15 -0000
From: "Adam D. Barratt" <email address hidden>
To: "jetxee" <email address hidden>,
 <email address hidden>
Subject: Re: Bug#347540: GPG error on update: public key not available

reassign 347540 apt
severity 347540 serious
merge 347540 345891
thanks

On Wednesday, January 11, 2006 12:08 PM, jetxee <email address hidden> wrote:

> Package: ftp.debian.org
>
> As of Wed Jan 11 12:58:48 CET 2006, I get the following error messages
> on aptitude update:
>
> W: GPG error: ftp://ftp.it.debian.org testing Release: The following
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 010908312D230C5F
[...]
> I failed to find a contemporary report on this subject in BTS, so
> post a new one.

That's because you're looking in the wrong place. :-)

This is http://bugs.debian.org/345891 against apt and those merged with it.

Merging this report also.

Regards,

Adam
