apt: Key error at year turnover resembles security problem, and may represent one
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Debian) | Fix Released | Unknown | |
apt (Ubuntu) | Invalid | High | Michael Vogt |
Bug Description
Automatically imported from Debian bug report #345823 http://
In Debian Bug tracker #345823, Jeroen van Wolffelaar (jeroenvw) wrote : | #1 |
In Debian Bug tracker #345823, Joey Hess (joeyh) wrote : apt multiple sig behavior | #2 |
FWIW, apt's behavior with Release files with multiple signatures is the
same as gpgv's:
joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <email address hidden>"
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <email address hidden>"
now if I remove the old key:
joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Can't check signature: public key not found
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <email address hidden>"
zsh: exit 2 gpgv --keyring ~/trusted.gpg Release.gpg Release
So multiply signed Release files will also break d-i, which uses gpg
as above.
debootstrap, which also uses gpgv, parses the output of its --status-fd
option, and will succeed as long as one signature is valid.
I'm working on making d-i use the same technique as debootstrap now.
--
see shy jo
In Debian Bug tracker #345823, Christian Perrier (bubulle) wrote : severity of 345823 is serious | #3 |
# Automatically generated email from bts, devscripts version 2.9.10
severity 345823 serious
In Debian Bug tracker #345823, Christian Perrier (bubulle) wrote : tagging 345823 | #4 |
# Automatically generated email from bts, devscripts version 2.9.10
tags 345823 d-i
In Debian Bug tracker #345823, Christian Perrier (bubulle) wrote : merging 345823 345891 | #5 |
# Automatically generated email from bts, devscripts version 2.9.10
merge 345823 345891
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Tue, 3 Jan 2006 10:58:28 -0800
From: Joshua Rodman <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt: Key error at year turnover resembles security problem, and may represent one
Package: apt
Version: 0.6.43
Severity: normal
Since the year has turned over, apt-get update now produces the error:
[...]
Reading package lists... Done
W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
Because the release key is not provided via an automated mechanism.
Leaving aside that the means for getting a new key are not documented
in /usr/share/doc/apt or apt-doc, there is the additional issue that,
undocumented, this looks like the Debian servers may be compromised.
Secondarily, the recipes I can find for updating to the new release key
do not make clear whether the new release key is verifiable in any way.
I am worried that debian may be violating its trust model once a year.
-- Package-specific info:
-- apt-config dump --
APT "";
APT::Architecture "i386";
APT::Build-
APT::Build-
APT::Default-
APT::Cache-Limit "10000000";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State:
Dir::State::status "/var/lib/
Dir::Cache "var/cache/apt/";
Dir::Cache:
Dir::Cache:
Dir::Cache:
Dir::Etc "etc/apt/";
Dir::Etc:
Dir::Etc:
Dir::Etc:
Dir::Etc:
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc:
Dir::Bin "";
Dir::Bin::methods "/usr/lib/
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-
DPkg::Pre-
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/
DPkg::Post-Invoke:: "if [ -x /usr/sbin/
Acquire "";
Acquire::http "";
Acquire:
-- /etc/apt/
Package: *
Pin: release a=testing
Pin-Priority: 900
Package: *
Pin: release a=etch
Pin-Priority: 900
Package: *
Pin: release o=Debian
Pin-Priority: -10
-- /etc/apt/
deb file:/var/
# Testing sources
deb http://
# sonic mirrors binaries (slowly!!!)
#deb ftp://ftp.
deb-src http://
#deb http://
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Wed, 4 Jan 2006 03:01:35 +0100
From: Jeroen van Wolffelaar <email address hidden>
To: Joshua Rodman <email address hidden>, <email address hidden>
Subject: Re: apt: Key error at year turnover resembles security problem, and may represent one
On Tue, Jan 03, 2006 at 10:58:28AM -0800, Joshua Rodman wrote:
> Since the year has turned over, apt-get update now produces the error:
> [...]
> Reading package lists... Done
> W: GPG error: http://
> W: GPG error: http://
Fwiw, the Release.gpg file contains two signatures now, one with the
2005 key and one with the 2006 key, to have a short transition period. The archive
still validates with the 2005 key, which isn't expired yet, and I think APT
should not spread too worrisome errors at users while the archive can still
be verified. Only when the 2005 key expires and the user still hasn't imported
the 2006 key (some mechanism needs to be implemented for that for it to
happen cleanly and in a user-friendly way) should apt really bail out on the
user.
--Jeroen
--
Jeroen van Wolffelaar
<email address hidden>
http://
Debian Bug Importer (debzilla) wrote : | #13 |
*** Bug 27955 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #345823, Joshua Rodman (jrodman) wrote : | #14 |
On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> Fwiw, the Release.gpg file contains two signatures now, one with the
> 2005 key and one with the 2006 key, to have a short transition period. The archive
> still validates with the 2005 key, which isn't expired yet, and I think APT
> should not spread too worrisome errors at users while the archive can still
> be verified.
Not to contradict you, since my understanding of these issues is
strongly limited, but apt seems to think that it cannot validate the
archive?
Running: su -c "apt-get upgrade"
[...]
The following packages will be upgraded:
liboil0.3 libsensors3 libssl-dev libssl0.9.8 lm-sensors manpages manpages-dev openssl unzip
[...]
WARNING: The following packages cannot be authenticated!
libssl-dev openssl libssl0.9.8 manpages manpages-dev liboil0.3 libsensors3 unzip lm-sensors
If I understand that the whole release is what is signed, and that
the URLs in the release are therefore trusted (I assume with MD5
checksum), then it seems APT does not believe the release is signed with
the 2005 key, or does not know how to 'fall back' to the 2005 key.
-josh
In Debian Bug tracker #345823, Edward Buck (ed-bashware) wrote : | #16 |
I came across the same error this morning. The part that was rather
frustrating is that I had no idea where to find the new key. Only by
returning to the bug report (where Joey H provided a link) was I able to
find it.
http://
Most users do not think to check ftp-master.
It would be nice to update the following places (where I looked for the
new key and found none):
* http://
There's a link to the old key under Q: How can I check the integrity of
packages?
* keyring.debian.org
I tried to download the new key from the above key server using the key
id and found none.
Also, 'apt-key update' gives one the impression that the problem is
easily fixable but it leads to disappointment.
# apt-key update
ERROR: Can't find the archive-keyring
Is the debian-keyring package installed?
After installing debian-keyring, the same error occurs (presumably
because of changed filenames?). I suspect the new public key is not in
the debian-keyring package anyway.
Regards,
Ed
In Debian Bug tracker #345823, Jeroen van Wolffelaar (jeroenvw) wrote : | #17 |
On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > Fwiw, the Release.gpg file contains two signatures now, one with the
> > 2005 key and one with the 2006 key, to have a short transition period. The archive
> > still validates with the 2005 key, which isn't expired yet, and I think APT
> > should not spread too worrisome errors at users while the archive can still
> > be verified.
>
> Not to contradict you, since my understanding of these issues is
> strongly limited, but apt seems to think that it cannot validate the
> archive?
I know, I said "should", because I believe apt should deal with the
multiple signatures correctly, instead of the current behaviour of (it
seems) only looking at the last one and/or requiring all signatures to
verify.
Apt needs to be satisfied with just at least one of the multiple
signatures verifying, so that there can be turnover periods, and for
example third party repositories can have multiple signatures too, for
certain circumstances.
--Jeroen
--
Jeroen van Wolffelaar
<email address hidden> (also for Jabber & MSN; ICQ: 33944357)
http://
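The rule Joey describes for debootstrap in #2 (parse gpgv's --status-fd output and succeed as long as one signature is valid) and the behaviour Jeroen asks of apt in #17 (be satisfied with at least one verifying signature) can be written down as a small policy. The block below is an added example, not apt's, debootstrap's or d-i's code: it judges a multiply-signed Release file by gpgv's machine-readable status lines rather than by its exit code, accepts the file when at least one signature is GOOD with a key in the trusted keyring, treats a missing key (NO_PUBKEY) as a warning, and still rejects a BADSIG. The status-line samples are constructed to mirror the runs in the thread, not captured output; real gpgv prints 16-hex long key IDs, and the short IDs used here are simply the ones in Joey's transcript. `verify_release` assumes a `gpgv` binary on PATH and is not exercised by the samples.

```python
"""gpgv --status-fd policy for multiply-signed Release files.
Added example for this bug thread, not apt/debootstrap/d-i code.
Samples below are constructed, not real gpgv output."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# Only "[GNUPG:] KEYWORD args..." lines matter; the rest is human-readable noise
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Verdict:
    good: list[str] = field(default_factory=list)     # GOODSIG key IDs
    missing: list[str] = field(default_factory=list)  # NO_PUBKEY key IDs
    bad: list[str] = field(default_factory=list)      # BADSIG key IDs
    expired: list[str] = field(default_factory=list)  # EXPSIG/EXPKEYSIG/REVKEYSIG

    @property
    def trusted(self) -> bool:
        # One good signature from a key we hold is enough during key turnover.
        # A BADSIG is different: a signature made with a key we *do* hold failed
        # to verify, which is tampering, not turnover, so it vetoes the file.
        return bool(self.good) and not self.bad

    @property
    def warnings(self) -> list[str]:
        # Shown to the user, but not a reason to refuse the archive.
        return ([f"NO_PUBKEY {k}" for k in self.missing]
                + [f"EXPIRED_OR_REVOKED {k}" for k in self.expired])


def parse_status(lines) -> Verdict:
    """Fold a gpgv --status-fd stream into a Verdict."""
    v = Verdict()
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        keyid = rest.split(" ", 1)[0] if rest else ""
        if keyword == "GOODSIG":
            v.good.append(keyid)
        elif keyword == "NO_PUBKEY":
            v.missing.append(keyid)
        elif keyword == "BADSIG":
            v.bad.append(keyid)
        elif keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            v.expired.append(keyid)
        # ERRSIG/VALIDSIG/SIG_ID add nothing to this decision and are ignored
    return v


def verify_release(keyring: str, sig_path: str, data_path: str) -> Verdict:
    """Run the real gpgv (assumed on PATH) and judge it by its status stream,
    never by its exit code: gpgv exits 2 as soon as any one signature cannot
    be checked, which is exactly what tripped apt and d-i in this thread."""
    p = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(p.stdout.splitlines())


# Constructed samples. ERRSIG fields: keyid pk-algo(17=DSA) hash(2=SHA1)
# sig-class timestamp rc(9 = no public key).
KEY_2005, KEY_2006 = "4F368D5D", "2D230C5F"
UID_2005 = "Debian Archive Automatic Signing Key (2005)"
UID_2006 = "Debian Archive Automatic Signing Key (2006)"
BOTH_KEYS_PRESENT = [  # Joey's first run
    f"[GNUPG:] GOODSIG {KEY_2005} {UID_2005}",
    f"[GNUPG:] GOODSIG {KEY_2006} {UID_2006}",
]
OLD_KEY_REMOVED = [  # Joey's second run: gpgv exits 2, yet one signature is good
    f"[GNUPG:] ERRSIG {KEY_2005} 17 2 00 1136323245 9",
    f"[GNUPG:] NO_PUBKEY {KEY_2005}",
    f"[GNUPG:] GOODSIG {KEY_2006} {UID_2006}",
]
NEW_KEY_NOT_IMPORTED = [  # the reporter's situation: only the 2005 key installed
    f"[GNUPG:] GOODSIG {KEY_2005} {UID_2005}",
    f"[GNUPG:] ERRSIG {KEY_2006} 17 2 00 1136323245 9",
    f"[GNUPG:] NO_PUBKEY {KEY_2006}",
]
NEITHER_KEY = [  # 2005 key gone, 2006 key never imported: nothing verifies
    f"[GNUPG:] NO_PUBKEY {KEY_2005}",
    f"[GNUPG:] NO_PUBKEY {KEY_2006}",
]
TAMPERED = [  # one good, one bad with a key we hold: must not be accepted
    f"[GNUPG:] GOODSIG {KEY_2006} {UID_2006}",
    f"[GNUPG:] BADSIG {KEY_2005} {UID_2005}",
]

if __name__ == "__main__":
    for name, sample in [("both keys", BOTH_KEYS_PRESENT), ("old removed", OLD_KEY_REMOVED),
                         ("new not imported", NEW_KEY_NOT_IMPORTED),
                         ("neither", NEITHER_KEY), ("tampered", TAMPERED)]:
        v = parse_status(sample)
        print(f"{name:18s} trusted={v.trusted!s:5s} warnings={v.warnings}")
```

Two things to note about this policy. It deliberately demotes NO_PUBKEY to a warning, so a user who never imports the 2006 key keeps a working, verified archive until the 2005 key expires, which is the transition Jeroen wants; the price is that the only hint that they are missing a key is that warning text. And it says nothing about the separate problem Joshua, Ed and Daniel raise: how the new key is distributed and how a user can verify it before adding it to the keyring.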
In Debian Bug tracker #345823, Daniel Leidert (dleidert-deactivatedaccount) wrote : Re: Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one | #19 |
On Wednesday, 04.01.2006, 03:47 -0800, Edward Buck wrote:
xpost to #345823 and #316344
[..]
> I tried to download the new key from the above key server using the key
> id and found none.
>
> Also, 'apt-key update' gives one the impression that the problem is
> easily fixable but it leads to disappointment.
>
> # apt-key update
> ERROR: Can't find the archive-keyring
> Is the debian-keyring package installed?
>
> After installing debian-keyring, the same error occurs (presumably
> because of changed filenames?). I suspect the new public key is not in
> the debian-keyring package anyway.
Yes. It is more than a bit disappointing that this bug is still
unfixed. There are at least 6 or 7 open bug reports (the oldest 188
days old) about this problem.
So a question to the apt and debian-keyring maintainers: What about
- updating debian-
- fixing apt-key to not try to read non-existing keyrings and instead
read debian-
- instead trying to remove all keys found in the non-existing
debian-
found in debian-
- let apt-key update the keyring 1 month before the key expires (needs
updating the debian-
expires)
OR
- add the missing /usr/share/
and /usr/share/
Are there concerns or objections?
Regards, Daniel
In Debian Bug tracker #345823, Joey Hess (joeyh) wrote : severity of 346002 is serious, merging 346002 345891 | #22 |
# Automatically generated email from bts, devscripts version 2.9.10
severity 346002 serious
merge 346002 345891
Debian Bug Importer (debzilla) wrote : | #24 |
*** Bug 27994 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #345823, Adam D. Barratt (debian-bts-adam-barratt) wrote : Re: Bug#346002: apt: GPG error when updating | #25 |
# BTS control commands
package apt
# Raising severities as per the rationale in #345891
severity 346002 serious
severity 345823 serious
severity 345956 serious
merge 346002 345823 345956 345891
thanks
On Wed, 2006-01-04 at 20:25 +0100, Ferenczi Viktor wrote:
> Package: apt
> Version: 0.6.43
> Severity: normal
>
>
> I got an unusual GPG error when updating with apt-get update:
[...]
> W: GPG error: http://
This is the same issue as reported in #345891 and the two bugs I've just
merged with it (see above). Merging this report and the other three.
Regards,
Adam
Debian Bug Importer (debzilla) wrote : | #27 |
*** Bug 27997 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #345823, debian-unstable@myway.com (debian-unstable) wrote : | #28 |
I use aptitude and I'm sure I don't know all the ins and outs here. But I do have a suggestion for your consideration:
Stop signing the archives with the 2006 key for now. That will allow those who have been using the 2005 key to continue getting updates.
After you have your fixes in place -- and the users have updated their systems with those fixes -- then you can add the 2006 key back in for archive-signing purposes. Maybe you would wait until Feb 1 to start using the 2006 key, for the sake of those who don't update their systems daily. Again, I admittedly don't know all of the ramifications.
I hope that you will, as a part of your fixes, enable users' copies of apt/keyrings to automatically be updated to use the 2006 key based on trust of the 2005 key which they are already using. That would be good for those who don't know about http://
Thank you for considering these possibilities.
Rodger Williams
In Debian Bug tracker #345823, Michael Vogt (mvo) wrote : Re: Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one | #30 |
On Wed, Jan 04, 2006 at 01:26:26PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> > On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > > Fwiw, the Release.gpg file contains two signatures now, one with the
> > > 2005 key and one with the 2006 key, to have a short transition period. The archive
> > > still validates with the 2005 key, which isn't expired yet, and I think APT
> > > should not spread too worrisome errors at users while the archive can still
> > > be verified.
> >
> > Not to contradict you, since my understanding of these issues is
> > strongly limited, but apt seems to think that it cannot validate the
> > archive?
>
> I know, I said "should", because I believe apt should deal with the
> multiple signatures correctly, instead of the current behaviour of (it
> seems) only looking at the last one and/or requiring all signatures to
> verify.
>
> Apt needs to be satisfied with just at least one of the multiple
> signatures verifying, so that there can be turnover periods, and for
> example third party repositories can have multiple signatures too, for
> certain circumstances.
Sorry for the late reply. I'm working on fixing the gpgv method to
properly support multiple signatures right now and will (hopefully) do
an upload really soon.
Cheers,
Michael
--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
Dennis Kaarsemaker (dennis) wrote : | #32 |
Debian specific
In Debian Bug tracker #345823, Adam D. Barratt (debian-bts-adam-barratt) wrote : Re: Bug#347540: GPG error on update: public key not available | #33 |
reassign 347540 apt
severity 347540 serious
merge 347540 345891
thanks
On Wednesday, January 11, 2006 12:08 PM, jetxee <email address hidden> wrote:
> Package: ftp.debian.org
>
> As of Wed Jan 11 12:58:48 CET 2006, I get the following error messages
> on aptitude update:
>
> W: GPG error: ftp://ftp.
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 010908312D230C5F
[...]
> I failed to find a contemporary report on this subject in BTS, so
> I post a new one.
That's because you're looking in the wrong place. :-)
This is http://
Merging this report also.
Regards,
Adam
Debian Bug Importer (debzilla) wrote : | #35 |
*** Bug 28369 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #345823, Joey Hess (joeyh) wrote : shouldn't this bug be closed? | #36 |
mvo wrote:
> Sorry for the late reply. I'm working on fixing the gpgv method to
> properly support multiple signatures right now and will (hopefully) do
> a upload really soon.
And the next day uploaded apt 0.6.43.1 with:
* deal with multiple signatures on a Release file
And AFAIK we've thoroughly sorted out the other issues, so I see no
reason for this RC bug to remain open.
--
see shy jo
In Debian Bug tracker #345823, Joey Hess (joeyh) wrote : closing this bug | #37 |
Version: 0.6.43.1
I don't think this bug needs to remain open, like I said before. If you
disagree, feel free to reopen it.
--
see shy jo