copied binaries require origin ppa key to determine trustiness

Bug #608302 reported by X3
This bug affects 1 person
Affects: Launchpad itself
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

When packages exist in one PPA, e.g. PPA A, and the binaries are copied directly to a second PPA, e.g. PPA B, then PPA B (the PPA the packages were copied to), if added to sources, reports that the packages are untrusted.

The fix is to have PPA A's key added as well.

Packages should not depend on origin ppa for determination of trustiness.

No information or warning is apparent nor is information on how to fix or deal with this, workarounds etc.

Julian Edwards (julian-edwards) wrote :

The situation described here is impossible - copied binaries are re-published in the target archive which has a signed Releases file (packages themselves are not signed).

There will be another explanation somewhere, like transparent proxies.

Changed in launchpad:
status: New → Invalid
Julian Edwards (julian-edwards) wrote :

After some discussion it appears that the signing key for the PPA was not generated yet after the first packages had been copied in.

Robert Collins (lifeless) wrote : Re: [Bug 608302] Re: copied binaries require origin ppa key to determine trustiness

On Wed, Jul 21, 2010 at 5:52 PM, Julian Edwards
<email address hidden> wrote:
> After some discussion it appears that the signing key for the PPA was
> not generated yet after the first packages had been copied in.

So they were published unsigned?

X3 (x3lectric) wrote :

@ Robert Collins

Because the key wasn't available, the install triggers a security warning. Funny thing is that the key imported just fine, no errors were detected, and the key is visible in a source manager or similar.

@ Julian Edwards

It seems that the key was the issue indeed. :( Launchpad should have a key status or similar so that a user is aware of what stage the key is at; it would make things slightly easier.

If a key isn't ready the importing of key/ppa should trigger something as well, kill two stones with one bird. ;P

Thanks for all the help in #launchpad

Regards
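
The trust chain discussed in this thread, as an added example that is not Launchpad's or APT's own code: a copied .deb is trusted through the target archive's signed Release file, so nothing depends on the origin PPA's key, and an unsigned Release leaves every package untrusted. The archive name, paths and data are constructed, and the `release_signed` flag is an assumption standing in for a real signature check.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_index_hashes(release_text: str) -> dict:
    """Map index path -> (sha256, size) from a Release file's SHA256 section."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_section = line.strip() == "SHA256:"
        elif in_section:                      # " <digest> <size> <path>"
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def package_hashes(packages_text: str) -> dict:
    """Map Filename -> SHA256 for every stanza of a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = fields["SHA256"]
    return result

def trust_status(release_text, release_signed, index_path, packages_text,
                 deb_path, deb_bytes) -> str:
    """Walk the chain: signature -> Release -> Packages -> .deb.
    release_signed is an assumption standing in for a real gpgv check of
    Release.gpg / InRelease against the target archive's own key."""
    if not release_signed:
        return "untrusted: Release is not signed"
    raw = packages_text.encode()
    if release_index_hashes(release_text).get(index_path) != (sha256_hex(raw), len(raw)):
        return "untrusted: Packages index not covered by Release"
    if package_hashes(packages_text).get(deb_path) != sha256_hex(deb_bytes):
        return "untrusted: .deb not covered by Packages index"
    return "trusted"

# Constructed sample data for a hypothetical target archive ("PPA B").
DEB = b"constructed stand-in for the bytes of a copied .deb"
DEB_PATH = "pool/main/h/hello/hello_1.0_i386.deb"
INDEX_PATH = "main/binary-i386/Packages"
PACKAGES = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n")
RELEASE = (f"Origin: example-ppa-b\nSuite: lucid\nSHA256:\n"
           f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES.encode())} {INDEX_PATH}\n")

if __name__ == "__main__":
    print(trust_status(RELEASE, True, INDEX_PATH, PACKAGES, DEB_PATH, DEB))
```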
