apt: GPG error when updating

Bug #27994 reported by Debian Bug Importer
Affects: apt (Debian); Status: Fix Released; Importance: Unknown
Affects: apt (Ubuntu); Status: Invalid; Importance: High; Assigned to: Michael Vogt

Bug Description

Automatically imported from Debian bug report #346002 http://bugs.debian.org/346002

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 04 Jan 2006 20:25:34 +0100
From: Ferenczi Viktor <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt: GPG error when updating

Package: apt
Version: 0.6.43
Severity: normal

I got an unusual GPG error when updating with apt-get update:

# apt-get update
Letöltés:1 http://ftp.us.debian.org unstable Release.gpg [378B]
Találat http://ftp.us.debian.org unstable Release
Mellőz http://ftp.us.debian.org unstable Release
Találat ftp://ftp.tu-graz.ac.at unstable Release.gpg
Találat http://ftp.us.debian.org unstable/main Packages
Találat ftp://ftp.tu-graz.ac.at unstable Release
Találat ftp://ftp.tu-graz.ac.at unstable/main Packages
Találat ftp://ftp.tu-graz.ac.at unstable/contrib Packages
Találat ftp://ftp.tu-graz.ac.at unstable/non-free Packages
Találat http://ftp.us.debian.org unstable/contrib Packages
Találat http://ftp.us.debian.org unstable/non-free Packages
Találat http://ftp.us.debian.org unstable/main Sources
Találat http://ftp.us.debian.org unstable/contrib Sources
Találat http://ftp.us.debian.org unstable/non-free Sources
Találat ftp://ftp.tu-graz.ac.at unstable/main Sources
Találat ftp://ftp.tu-graz.ac.at unstable/contrib Sources
Találat ftp://ftp.tu-graz.ac.at unstable/non-free Sources
Letöltve 378B 2s alatt (138B/s)
Csomaglisták olvasása... Kész
W: GPG error: http://ftp.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: Próbáld futtatni az apt-get update -et, hogy javítsd ezeket a problémákat

Last message (in Hungarian): "Try to rerun apt-get update to resolve problems"

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "unstable";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";

-- (no /etc/apt/preferences present) --

-- /etc/apt/sources.list --

# Local
#deb file:/var/local/dpkg unstable main

# Debian on s1 + security update
#deb http://192.168.0.1/debian1/ sarge main contrib
#deb http://192.168.0.1/debian2/ sarge main contrib
#deb http://security.debian.org/ stable/updates main contrib

# Hungary
#deb ftp://ftp.hu.debian.org/debian unstable main contrib non-free
#deb-src ftp://ftp.hu.debian.org/debian unstable main...

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 4 Jan 2006 14:59:36 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: severity of 346002 is serious, merging 346002 345891

# Automatically generated email from bts, devscripts version 2.9.10
severity 346002 serious
merge 346002 345891

Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (345823,346002)

This bug has been marked as a duplicate of bug 27959.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 04 Jan 2006 21:17:26 +0000
From: "Adam D. Barratt" <email address hidden>
To: <email address hidden>, Ferenczi Viktor <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating

# BTS control commands
package apt
# Raising severities as per the rationale in #345891
severity 346002 serious
severity 345823 serious
severity 345956 serious
merge 346002 345823 345956 345891
thanks

On Wed, 2006-01-04 at 20:25 +0100, Ferenczi Viktor wrote:
> Package: apt
> Version: 0.6.43
> Severity: normal
>
>
> I got an unusual GPG error when updating with apt-get update:
[...]
> W: GPG error: http://ftp.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

This is the same issue as reported in #345891 and the two bugs I've just
merged with it (see above). Merging this report and the other three.

Regards,

Adam

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 05 Jan 2006 12:02:53 +0100
From: Harald Dunkel <email address hidden>
To: "Adam D. Barratt" <email address hidden>,
 <email address hidden>
CC: Ferenczi Viktor <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating


Adam D. Barratt wrote:
> # BTS control commands
> package apt
> # Raising severities as per the rationale in #345891
> severity 346002 serious
> severity 345823 serious
> severity 345956 serious
> merge 346002 345823 345956 345891

This happened before. Please check #316915.

Is there any way to switch this signature checking off?

Many thanx

Harri


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 10:15:25 +0100
From: Michael Vogt <email address hidden>
To: Harald Dunkel <email address hidden>, <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating

On Thu, Jan 05, 2006 at 12:02:53PM +0100, Harald Dunkel wrote:
[..]
> Is there any way to switch this signature checking off?

You can run apt-get with "--allow-unauthenticated" or
APT::Get::AllowUnauthenticated=true in apt.conf

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 08 Jan 2006 09:28:24 +0100
From: Harald Dunkel <email address hidden>
To: Michael Vogt <email address hidden>, <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating


Michael Vogt wrote:
>
> You can run apt-get with "--allow-unauthenticated" or
> APT::Get::AllowUnauthenticated=true in apt.conf
>

Thanx for the hint, but this option just changed the error
message. Now I get:

W: There are no public key available for the following key IDs:
010908312D230C5F
W: You may want to run apt-get update to correct these problems

Regards

Harri


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 8 Jan 2006 16:05:35 +0100
From: Michael Vogt <email address hidden>
To: Harald Dunkel <email address hidden>, <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating

On Sun, Jan 08, 2006 at 09:28:24AM +0100, Harald Dunkel wrote:
> Michael Vogt wrote:
> > You can run apt-get with "--allow-unauthenticated" or
> > APT::Get::AllowUnauthenticated=true in apt.conf
>
> Thanx for the hint, but this option just changed the error
> message. Now I get:
>
> W: There are no public key available for the following key IDs:
> 010908312D230C5F
> W: You may want to run apt-get update to correct these problems

The warning is justified IMHO because the user should be told that
there are signatures on the Release file for which no public key is
available. The Debian Release should still be authenticated now
(because it found a valid signature from a trusted key and only a
missing signature) and you should get no authenticated packages
warnings anymore.

Maybe I should reword the warning to make it more clear what it
means?

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
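
Added example, not part of the thread and not apt's own code: the rule described in the reply above (one good signature from a trusted key plus one signature whose key is missing still authenticates the Release file, with a warning), applied to gpgv `--status-fd` lines. The sample status text, the placeholder key ID `AAAAAAAAAAAA2005`, and the names `evaluate` and `require_all` are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

# Constructed gpgv --status-fd output for a Release file carrying two
# signatures. 010908312D230C5F is the key ID from this report; the other
# key ID and the user ID are placeholders.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG AAAAAAAAAAAA2005 Placeholder Archive Key (2005)
[GNUPG:] NO_PUBKEY 010908312D230C5F
"""

@dataclass
class Verdict:
    authenticated: bool
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)

def parse_status(text):
    """Return {keyword: [key IDs]} from '[GNUPG:] KEYWORD KEYID ...' lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]":
            seen.setdefault(parts[1], []).append(parts[2])
    return seen

def evaluate(text, require_all=False):
    """Decide whether the signed file counts as authenticated.

    Assumes gpgv ran against a keyring holding only trusted archive keys,
    so every GOODSIG comes from a trusted key. require_all is a hypothetical
    switch that makes a missing key fatal, as in the original report.
    """
    seen = parse_status(text)
    verdict = Verdict(authenticated=False)
    # A signature that fails verification is fatal in this example even
    # when another signature on the same file is good.
    for keyid in seen.get("BADSIG", []):
        verdict.errors.append(f"BADSIG {keyid}")
    for keyid in seen.get("NO_PUBKEY", []):
        target = verdict.errors if require_all else verdict.warnings
        target.append(f"NO_PUBKEY {keyid}")
    # At least one good signature is required; warnings alone never suffice.
    verdict.authenticated = bool(seen.get("GOODSIG")) and not verdict.errors
    return verdict
```

With only the `NO_PUBKEY` line present there is no good signature, so the file stays unauthenticated and the missing key is still reported.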

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 9 Jan 2006 13:13:57 -0800 (PST)
From: Mark Hedges <email address hidden>
To: <email address hidden>
cc: <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating

> On Sun, Jan 08, 2006 at 09:28:24AM +0100, Harald Dunkel wrote:
> > Michael Vogt wrote:
> > > You can run apt-get with "--allow-unauthenticated" or
> > > APT::Get::AllowUnauthenticated=true in apt.conf
> >
> > Thanx for the hint, but this option just changed the error
> > message. Now I get:
> >
> > W: There are no public key available for the following key IDs:
> > 010908312D230C5F
> > W: You may want to run apt-get update to correct these problems
>
> The warning is justified IMHO because the user should be told that
> there are signatures on the Release file for which no public key is
> available. The Debian Release should still be authenticated now
> (because it found a valid signature from a trusted key and only a
> missing signature) and you should get no authenticated packages
> warnings anymore.
>
> Maybe I should reword the warning to make it more clear what it
> means?

I still got this error as of this morning on `apt-get update`:

    W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

  mhedges@mhedges:~$ sudo apt-key update
  ERROR: Can't find the archive-keyring
  Is the debian-keyring package installed?
  mhedges@mhedges:~$ sudo apt-get install debian-keyring
  Reading package lists... Done
  Building dependency tree... Done
  debian-keyring is already the newest version.
  0 upgraded, 0 newly installed, 0 to remove and 64 not upgraded.

I tried installing just the upgrade of apt and apt-utils without
verification but it didn't help. Same error. Is the relevant
key in some other package?

I finally got sick of waiting and answered 'Y' to dist-upgrade's question:

    WARNING: The following packages cannot be authenticated!
    ...
    Install these packages without verification [y/N]? y

After that, I *still* get the same error for `apt-get update`:

    W: There are no public key available for the following key IDs: 010908312D230C5F

Will there be some way to go back and verify package integrity
after this gets fixed? Reinstall these packages?

Thanks for looking into it....

Mark

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 10 Jan 2006 10:18:07 +0100
From: Michael Vogt <email address hidden>
To: Mark Hedges <email address hidden>, <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating

On Mon, Jan 09, 2006 at 01:13:57PM -0800, Mark Hedges wrote:
> > On Sun, Jan 08, 2006 at 09:28:24AM +0100, Harald Dunkel wrote:
> > > Michael Vogt wrote:
> > > > You can run apt-get with "--allow-unauthenticated" or
> > > > APT::Get::AllowUnauthenticated=true in apt.conf
> > >
> > > Thanx for the hint, but this option just changed the error
> > > message. Now I get:
> > >
> > > W: There are no public key available for the following key IDs:
> > > 010908312D230C5F
> > > W: You may want to run apt-get update to correct these problems
> >
> > The warning is justified IMHO because the user should be told that
> > there are signatures on the Release file for which no public key is
> > available. The Debian Release should still be authenticated now
> > (because it found a valid signature from a trusted key and only a
> > missing signature) and you should get no authenticated packages
> > warnings anymore.
> >
> > Maybe I should reword the warning to make it more clear what it
> > means?
>
> I still got this error as of this morning on `apt-get update`:
>
> W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

This is expected as only apt version 0.6.43.1 contains support to
verify against multiple signatures on a Release file.

> mhedges@mhedges:~$ sudo apt-key update
> ERROR: Can't find the archive-keyring
> Is the debian-keyring package installed?
> mhedges@mhedges:~$ sudo apt-get install debian-keyring
> Reading package lists... Done
> Building dependency tree... Done
> debian-keyring is already the newest version.
> 0 upgraded, 0 newly installed, 0 to remove and 64 not upgraded.
>
> I tried installing just the upgrade of apt and apt-utils without
> verification but it didn't help. Same error. Is the relevant
> key in some other package?

The relevant key is in the debian-archive-keyring package that is not
yet in the archive.

> I finally got sick of waiting and answered 'Y' to dist-upgrade's question:
>
> WARNING: The following packages cannot be authenticated!
> ...
> Install these packages without verification [y/N]? y
>
> After that, I *still* get the same error for `apt-get update`:
>
> W: There are no public key available for the following key IDs: 010908312D230C5F

This is the warning that was discussed above (that probably needs some
rewording, suggestions are welcome). It tells you that there is a
missing key (that in itself is not fatal because of the good signature
on the release file with the 2005 key). So now your packages should
be authenticated again.

> Will there be some way to go back and verify package integrity
> after this gets fixed? Reinstall these packages?

The easiest is to just add the new key with apt-key add by hand. You
can also install the new apt and/or the debian-archive-keyring package
(when it enters the arch...

Debian Bug Importer (debzilla) wrote :

Message-ID: <010301c616ab$31bdf870$eb00010a@andromeda>
Date: Wed, 11 Jan 2006 12:33:15 -0000
From: "Adam D. Barratt" <email address hidden>
To: "jetxee" <email address hidden>,
 <email address hidden>
Subject: Re: Bug#347540: GPG error on update: public key not available

reassign 347540 apt
severity 347540 serious
merge 347540 345891
thanks

On Wednesday, January 11, 2006 12:08 PM, jetxee <email address hidden> wrote:

> Package: ftp.debian.org
>
> As of Wed Jan 11 12:58:48 CET 2006, I get the following error messages
> on aptitude update:
>
> W: GPG error: ftp://ftp.it.debian.org testing Release: The following
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 010908312D230C5F
[...]
> I failed to find a contemporary report on this subject in BTS, so
> post a new one.

That's because you're looking in the wrong place. :-)

This is http://bugs.debian.org/345891 against apt and those merged with it.

Merging this report also.

Regards,

Adam
