apt: Key error at year turnover resembles security problem, and may represent one

Bug #27959 reported by Debian Bug Importer
Affects        Status         Importance   Assigned to     Milestone
apt (Debian)   Fix Released   Unknown
apt (Ubuntu)   Invalid        High         Michael Vogt

Bug Description

Automatically imported from Debian bug report #345823 http://bugs.debian.org/345823

Revision history for this message
In Wed, 4 Jan 2006 03:01:35 +0100, Jeroen van Wolffelaar (jeroenvw) wrote :

On Tue, Jan 03, 2006 at 10:58:28AM -0800, Joshua Rodman wrote:
> Since the year has turned over, apt-get update now produces the error:
> [...]
> Reading package lists... Done
> W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
> W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Fwiw, the Release.gpg file contains two signatures now, both one with the
2005 key and the 2006 key, to have a short transition period. The archive
still validates with the 2005 key, which isn't expired yet, and I think APT
should not spread too worrisome errors at users while the archive can still
be verified. Only when the 2005 expires and the user still hasn't imported
the 2006 key (some mechanism needs to be implemented for that for it to
happen cleanly and in a user-friendly way) apt should really bail out on the
user.

--Jeroen

--
Jeroen van Wolffelaar
<email address hidden>
http://jeroen.A-Eskwadraat.nl

In Tue, 3 Jan 2006 22:50:41 -0500, Joey Hess (joeyh) wrote : apt multiple sig behavior

FWIW, apt's behavior with Release files with multiple signatures is the
same as gpgv's:

joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <email address hidden>"
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <email address hidden>"

now if I remove the old key:

joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Can't check signature: public key not found
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <email address hidden>"
zsh: exit 2 gpgv --keyring ~/trusted.gpg Release.gpg Release

So multiply signed Release files will also break d-i, which uses gpg
as above.

debootstrap, which also uses gpgv, parses the output of its --status-fd
option, and will succeed as long as one signature is valid.

I'm working on making d-i use the same technique as debootstrap now.

--
see shy jo

In Wed, 4 Jan 2006 06:46:56 +0100, Christian Perrier (bubulle) wrote : severity of 345823 is serious

# Automatically generated email from bts, devscripts version 2.9.10
severity 345823 serious

In Wed, 4 Jan 2006 06:47:16 +0100, Christian Perrier (bubulle) wrote : tagging 345823

# Automatically generated email from bts, devscripts version 2.9.10
tags 345823 d-i

In Wed, 4 Jan 2006 06:47:29 +0100, Christian Perrier (bubulle) wrote : merging 345823 345891

# Automatically generated email from bts, devscripts version 2.9.10
merge 345823 345891

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 3 Jan 2006 10:58:28 -0800
From: Joshua Rodman <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt: Key error at year turnover resembles security problem, and may represent one

Package: apt
Version: 0.6.43
Severity: normal

Since the year has turned over, apt-get update now produces the error:
[...]
Reading package lists... Done
W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Because the release key is not provided via an automated mechanism.
Leaving aside that the means for getting a new key are not documented
in /usr/share/doc/apt or apt-doc, there is the additional issue that
undocumented, this looks like the debian servers may be compromised.

Secondarily, the recipes I can find for updating to the new release key
do not make clear whether the new release key is verifiable in any way.
I am worried that debian may be violating its trust model once a year.

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
APT::Cache-Limit "10000000";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
Acquire "";
Acquire::http "";
Acquire::http::Pipeline-Depth "3";

-- /etc/apt/preferences --

Package: *
Pin: release a=testing
Pin-Priority: 900

Package: *
Pin: release a=etch
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10

-- /etc/apt/sources.list --

deb file:/var/cache/apt-build/repository apt-build main
# Testing sources
deb http://http.us.debian.org/debian/ testing main contrib non-free
# sonic mirrors binaries (slowly!!!)
#deb ftp://ftp.sonic.net/mirrors/debian/ testing main contrib non-free
deb-src http://http.us.debian.org/debian/ testing main contrib non-free

#deb http://non-us.debian.org/...

Debian Bug Importer (debzilla) wrote :

*** Bug 27955 has been marked as a duplicate of this bug. ***

In Wed, 4 Jan 2006 02:41:30 -0800, Joshua Rodman (jrodman) wrote :

On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> Fwiw, the Release.gpg file contains two signatures now, both one with the
> 2005 key and the 2006 key, to have a short transition period. The archive
> still validates with the 2005 key, which isn't expired yet, and I think APT
> should not spread too worrisome errors at users while the archive can still
> be verified.

Not to contradict you, since my understanding of these issues is
strongly limited, but apt seems to think that it cannot validate the
archive?

Running: su -c "apt-get upgrade"
[...]
The following packages will be upgraded:
  liboil0.3 libsensors3 libssl-dev libssl0.9.8 lm-sensors manpages manpages-dev openssl unzip
[...]
WARNING: The following packages cannot be authenticated!
  libssl-dev openssl libssl0.9.8 manpages manpages-dev liboil0.3 libsensors3 unzip lm-sensors

If I understand that the whole release is what is signed, and that then
the urls in the release are therefore trusted (I assume with md5
checksum), then it seems APT does not believe the release is signed with
the 2005 key, or does not know how to 'fall back' to the 2005 key.

-josh

In Wed, 04 Jan 2006 03:47:03 -0800, Edward Buck (ed-bashware) wrote :

I came across the same error this morning. The part that was rather
frustrating is that I had no idea where to find the new key. Only by
returning to the bug report (where Joey H provided a link) was I able to
find it.

http://ftp-master.debian.org/ziyi_key_2006.asc

Most users do not think to check ftp-master.

It would be nice to update the following places (where I looked for the
new key and found none):

* http://www.debian.org/security/faq

There's a link to the old key under Q: How can I check the integrity of
packages?

* keyring.debian.org

I tried to download the new key from the above key server using the key
id and found none.

Also, 'apt-key update' gives one the impression that the problem is
easily fixable but it leads to disappointment.

# apt-key update
ERROR: Can't find the archive-keyring
Is the debian-keyring package installed?

After installing debian-keyring, the same error occurs (presumably
because of changed filenames?). I suspect the new public key is not in
the debian-keyring package anyway.

Regards,
Ed

In Wed, 4 Jan 2006 13:26:26 +0100, Jeroen van Wolffelaar (jeroenvw) wrote :

On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > Fwiw, the Release.gpg file contains two signatures now, both one with the
> > 2005 key and the 2006 key, to have a short transition period. The archive
> > still validates with the 2005 key, which isn't expired yet, and I think APT
> > should not spread too worrisome errors at users while the archive can still
> > be verified.
>
> Not to contradict you, since my understanding of these issues is
> strongly limited, but apt seems to think that it cannot validate the
> archive?

I know, I said "should", because I believe apt should deal with the
multiple signatures correctly, instead of the current behaviour of (it
seems) only looking at the last one and/or requiring all signatures to
verify.

Apt needs to be satisfied with just at least one of the multiple
signatures verifying, so that there can be turnover periods, and for
example third party repositories can have multiple signatures too, for
certain circumstances.

--Jeroen

--
Jeroen van Wolffelaar
<email address hidden> (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
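Joey's description of how debootstrap reads gpgv's --status-fd output, and Jeroen's rule that at least one of several signatures must verify, as an added example (not debootstrap's, d-i's or apt's own code): a parser over the machine-readable status lines that accepts a Release.gpg when one signature is good, regardless of gpgv's exit code. The status transcripts are constructed for the four keyring states the thread discusses; only the short ids 4F368D5D and 010908312D230C5F come from the thread, so the upper half of the 2005 long key id is a placeholder, and the optional reject_any_bad check is this example's own stricter variant, not a policy the thread states.

```python
"""Decide whether a Release.gpg carrying several signatures verifies, from
the "[GNUPG:] ..." lines gpgv writes to --status-fd, rather than from its
exit status (which, as the thread shows, is 2 as soon as one signature
cannot be checked, even when another one is good)."""
import re
from typing import Dict, List

# One "[GNUPG:] KEYWORD args..." line per event; anything else is ignored.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Keywords that give a verdict on one signature. gpgv also emits ERRSIG,
# VALIDSIG, SIG_ID and others; the decision below does not need them.
GOOD = {"GOODSIG"}
BAD = {"BADSIG"}
UNUSABLE = {"NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_status(status_text: str) -> Dict[str, List[str]]:
    """Group the key ids of the signatures by outcome."""
    found: Dict[str, List[str]] = {"good": [], "bad": [], "unusable": []}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # human-readable gpgv chatter, not a status line
        keyword, args = m.group(1), m.group(2) or ""
        keyid = args.split(" ", 1)[0]  # first argument is the long key id
        if keyword in GOOD:
            found["good"].append(keyid)
        elif keyword in BAD:
            found["bad"].append(keyid)
        elif keyword in UNUSABLE:
            found["unusable"].append(keyid)
    return found


def release_verifies(status_text: str, reject_any_bad: bool = True) -> bool:
    """True when at least one signature is good (the debootstrap rule from
    the thread). reject_any_bad is this example's stricter addition: a
    signature that does not match the file is a stronger signal of
    tampering than a key the local keyring merely lacks, so it fails the
    whole file even beside a good signature."""
    found = parse_status(status_text)
    if not found["good"]:
        return False
    if reject_any_bad and found["bad"]:
        return False
    return True


# Constructed status-fd transcripts. The 2005 key's long id is a placeholder
# prefix plus the short id quoted in the thread.
KEY_2005 = "000000004F368D5D"   # PLACEHOLDER upper half + short id 4F368D5D
KEY_2006 = "010908312D230C5F"   # long id from the NO_PUBKEY warning

# Keyring holds only the 2006 key: the state of a user who imported it.
STATUS_2006_ONLY = f"""\
[GNUPG:] ERRSIG {KEY_2005} 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY {KEY_2005}
[GNUPG:] GOODSIG {KEY_2006} Debian Archive Automatic Signing Key (2006)
"""

# Keyring holds only the (still unexpired) 2005 key: the reporter's state,
# where apt 0.6.43 warned although the archive still verified.
STATUS_2005_ONLY = f"""\
[GNUPG:] GOODSIG {KEY_2005} Debian Archive Automatic Signing Key (2005)
[GNUPG:] ERRSIG {KEY_2006} 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY {KEY_2006}
"""

# Neither key present: nothing can be trusted.
STATUS_NO_KEYS = f"""\
[GNUPG:] ERRSIG {KEY_2005} 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY {KEY_2005}
[GNUPG:] ERRSIG {KEY_2006} 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY {KEY_2006}
"""

# One good signature beside one that does not match the file.
STATUS_ONE_BAD = f"""\
[GNUPG:] GOODSIG {KEY_2005} Debian Archive Automatic Signing Key (2005)
[GNUPG:] BADSIG {KEY_2006} Debian Archive Automatic Signing Key (2006)
"""

if __name__ == "__main__":
    cases = [("2006 key only", STATUS_2006_ONLY),
             ("2005 key only", STATUS_2005_ONLY),
             ("no keys", STATUS_NO_KEYS),
             ("one bad signature", STATUS_ONE_BAD)]
    for name, text in cases:
        verdict = "verified" if release_verifies(text) else "NOT verified"
        print(f"{name}: {verdict} {parse_status(text)}")
```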

In Wed, 04 Jan 2006 13:40:09 +0100, Daniel Leidert (dleidert-deactivatedaccount) wrote : Re: Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one

On Wednesday, 04.01.2006 at 03:47 -0800, Edward Buck wrote:

xpost to #345823 and #316344

[..]
> I tried to download the new key from the above key server using the key
> id and found none.
>
> Also, 'apt-key update' gives one the impression that the problem is
> easily fixable but it leads to disappointment.
>
> # apt-key update
> ERROR: Can't find the archive-keyring
> Is the debian-keyring package installed?
>
> After installing debian-keyring, the same error occurs (presumably
> because of changed filenames?). I suspect the new public key is not in
> the debian-keyring package anyway.

Yes. It is more than a bit disappointing that this bug is still
unfixed. There are at least 6 or 7 open bug reports (the oldest with an
age of 188 days) talking about this problem.

So a question to the apt and debian-keyring maintainers: What about

- updating debian-role-keys.gpg to contain the 2006 archive key
- fixing apt-key to not try to read non-existent keyrings and instead
read debian-role-keys.gpg
- instead of trying to remove all keys found in the non-existent
debian-archive-removed-keys.gpg, remove all keys that are expired and
found in debian-role-keys.gpg
- let apt-key update the keyring 1 month before the key expires (needs
updating the debian-role-keys.gpg also one month before a role key
expires)

OR

- add the missing /usr/share/keyrings/debian-archive-keyring.gpg
and /usr/share/keyrings/debian-archive-removed-keys.gpg now

Are there concerns or objections?

Regards, Daniel

In Wed, 4 Jan 2006 14:59:36 -0500, Joey Hess (joeyh) wrote : severity of 346002 is serious, merging 346002 345891

# Automatically generated email from bts, devscripts version 2.9.10
severity 346002 serious
merge 346002 345891

Debian Bug Importer (debzilla) wrote :

*** Bug 27994 has been marked as a duplicate of this bug. ***

In Wed, 04 Jan 2006 21:17:26 +0000, Adam D. Barratt (debian-bts-adam-barratt) wrote : Re: Bug#346002: apt: GPG error when updating

# BTS control commands
package apt
# Raising severities as per the rationale in #345891
severity 346002 serious
severity 345823 serious
severity 345956 serious
merge 346002 345823 345956 345891
thanks

On Wed, 2006-01-04 at 20:25 +0100, Ferenczi Viktor wrote:
> Package: apt
> Version: 0.6.43
> Severity: normal
>
>
> I got an unusual GPG error when updating with apt-get update:
[...]
> W: GPG error: http://ftp.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

This is the same issue as reported in #345891 and the two bugs I've just
merged with it (see above). Merging this report and the other three.

Regards,

Adam

Debian Bug Importer (debzilla) wrote :

*** Bug 27997 has been marked as a duplicate of this bug. ***

In Wed, 4 Jan 2006 19:09:29 -0500 (EST), debian-unstable@myway.com (debian-unstable) wrote :

I use aptitude and I'm sure I don't know all the ins and outs here. But I do have a suggestion for your consideration:

Stop signing the archives with the 2006 key for now. That will allow those who have been using the 2005 key to continue getting updates.

After you have your fixes in place -- and the users have updated their systems with those fixes -- then you can add the 2006 key back in for archive-signing purposes. Maybe you would wait until Feb 1 to start using the 2006 key, for the sake of those who don't update their systems daily. Again, I admittedly don't know all of the ramifications.

I hope that you will, as a part of your fixes, enable users' copies of apt/keyrings to automatically be updated to use the 2006 key based on trust of the 2005 key which they are already using. That would be good for those who don't know about http://ftp-master.debian.org/ziyi_key_2006.asc.

Thank you for considering these possibilities.

Rodger Williams


In Thu, 5 Jan 2006 23:36:47 +0100, Michael Vogt (mvo) wrote : Re: Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one

On Wed, Jan 04, 2006 at 01:26:26PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> > On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > > Fwiw, the Release.gpg file contains two signatures now, both one with the
> > > 2005 key and the 2006 key, to have a short transition period. The archive
> > > still validates with the 2005 key, which isn't expired yet, and I think APT
> > > should not spread too worrisome errors at users while the archive can still
> > > be verified.
> >
> > Not to contradict you, since my understanding of these issues is
> > strongly limited, but apt seems to think that it cannot validate the
> > archive?
>
> I know, I said "should", because I believe apt should deal with the
> multiple signatures correctly, instead of the current behaviour of (it
> seems) only looking at the last one and/or requiring all signatures to
> verify.
>
> Apt needs to be satisfied with just at least one of the multiple
> signatures verifying, so that there can be turnover periods, and for
> example third party repositories can have multiple signatures too, for
> certain circumstances.

Sorry for the late reply. I'm working on fixing the gpgv method to
properly support multiple signatures right now and will (hopefully) do
an upload really soon.

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

Dennis Kaarsemaker (dennis) wrote :

Debian specific

In Wed, 11 Jan 2006 12:33:15 -0000, Adam D. Barratt (debian-bts-adam-barratt) wrote : Re: Bug#347540: GPG error on update: public key not available

reassign 347540 apt
severity 347540 serious
merge 347540 345891
thanks

On Wednesday, January 11, 2006 12:08 PM, jetxee <email address hidden> wrote:

> Package: ftp.debian.org
>
> As of Wed Jan 11 12:58:48 CET 2006, I get the following error messages
> on aptitude update:
>
> W: GPG error: ftp://ftp.it.debian.org testing Release: The following
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 010908312D230C5F
[...]
> I failed to find a contemporary report on this subject in BTS, so I
> post a new one.

That's because you're looking in the wrong place. :-)

This is http://bugs.debian.org/345891 against apt and those merged with it.

Merging this report also.

Regards,

Adam

Debian Bug Importer (debzilla) wrote :

*** Bug 28369 has been marked as a duplicate of this bug. ***

In , Joey Hess (joeyh) wrote : shouldn't this bug be closed?

mvo wrote:
> Sorry for the late reply. I'm working on fixing the gpgv method to
> properly support multiple signatures right now and will (hopefully) do
> a upload really soon.

And the next day uploaded apt 0.6.43.1 with:

  * deal with multiple signatures on a Release file

And AFAIK we've thoroughly sorted out the other issues, so I see no
reason for this RC bug to remain open.

--
see shy jo

In , Joey Hess (joeyh) wrote : closing this bug

Version: 0.6.43.1

I don't think this bug needs to remain open, like I said before. If you
disagree, feel free to reopen it.

--
see shy jo
