any source package signature is not valid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
In short:
The GPG key 105BE7F7, with which the 'linux' source package is signed, was revoked on 08/16/16 (4 months ago!)
How to reproduce:
$ apt-get source linux-image-$(uname -r)
...
Picking 'linux' as source package instead of 'linux-
...
Get:2 http://
...
gpgv: Signature made Fri 02 Dec 2016 18:32:18 MSK using RSA key ID 105BE7F7
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux_
...
### if you add this key:
$ sudo apt-key adv --keyserver keyserver.
$ apt-key list
...
pub 4096R/105BE7F7 2011-09-06
uid Brad Figg <email address hidden>
sub 4096R/F336E4D5 2011-09-06
pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
uid Brad Figg <email address hidden>
### THE KEY WAS REVOKED 4 MONTHS AGO!
### Additional info:
$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
### My unmodified /etc/apt/
### Note, /etc/apt/
affects: xubuntu-meta (Ubuntu) → ubuntu
information type: Private Security → Public Security
affects: ubuntu → apt (Ubuntu)
Thanks for the bug report.
This isn't as dire as it looks:
APT's security model is based on signed InRelease files that have sha256sums of all archive contents. In this case, the InRelease file will have a sha256sum for one of the Sources files, and that file will have a sha256sum for the linux source package files:
Checksums-Sha256:
 68b2d5f71906aea181a8f7c9e195c4cc3252a085962bbf4f4d5c1141401c8f34 9611 linux_4.4.0-53.74.dsc
 a9bc934ccb300eaedfdf44994ca9ee1d07a46901c46c221357730e75919b5d30 132860730 linux_4.4.0.orig.tar.gz
 858f26fb539e39e07724c676a8eca84239c850fa87c2900b0e5ad7a47f2bcb66 12162206 linux_4.4.0-53.74.diff.gz
If these sha256sums don't match what was downloaded, apt itself would throw an error.
All these files are in /var/lib/apt/lists/ .
The .dsc file is signed by whoever uploads the package for building to our buildfarm. Developers' keys change all the time. It's still useful to have the .dsc file to see what the builders saw, regardless of whether the signature on the file is from an expired key or not.
Now, where things get really interesting: You've used a 32 bit keyid to download the key from the keyservers. 32 bit keyids are not safe to use in this manner because it's relatively simple to generate keys with colliding 32 bit keyids. This was done for all keys in the 'strongly connected set' a few years ago, including Brad's key. When someone uploaded all these keys to the SKS keyservers, it was insanely confusing. So, the group that generated all the colliding keys generated revocation certificates for all the keys and uploaded them all, to kill them.
So, your command to download the key by 32 bit keyid downloaded _two_ keys -- Brad's real key, "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7", is not revoked:
$ gpg --check-sigs "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7"
pub 4096R/0C7B589B105BE7F7 2011-09-06
uid Brad Figg <email address hidden>
sig! 052F367018D5C3D8 2012-01-09 John Johansen <email address hidden>
sig! 5759F35001AA4A64 2011-12-10 Steve Langasek <email address hidden>
sig! 3D76C845FA1447CA 2011-09-06 Tim Gardner (4K key) <email address hidden>
sig! 8972F4DFDC6DC026 2011-12-09 Kees Cook <email address hidden>
sig! 2F099E8D005E81F4 2011-12-09 Steve Beattie <email address hidden>
sig-3 0C7B589B105BE7F7 2011-09-06 Brad Figg <email address hidden>
sig!3 0C7B589B105BE7F7 2011-09-06 Brad Figg <email address hidden>
sub 4096R/E79D7BDFF336E4D5 2011-09-06
sig! 0C7B589B105BE7F7 2011-09-06 Brad Figg <email address hidden>
1 bad signature
14 signatures not checked due to missing keys
My output may look different from yours because I added this to my ~/.gnupg/gpg.conf file:
keyid-format long
For more information, see https://evil32.com/
Thanks
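The two points in the reply above, the SHA-256 chain apt checks from the Sources index down to the .dsc/orig/diff files and the reason a 32-bit key ID is an unsafe handle for a key, as an added worked example. This is not code from the bug report, from the reply, or from apt/GnuPG themselves. It assumes constructed file contents (so the checksums are computed here rather than copied from the archive), starts from a Sources stanza that the signed InRelease file has already vouched for (the gpgv step over InRelease is not reproduced), and uses a constructed stand-in for the evil32-style colliding fingerprint; only Brad Figg's real fingerprint is taken from the page.

```python
import hashlib
import re

# Constructed stand-ins for the three files listed in the Sources stanza
# quoted in the reply.  Their checksums are computed below, not the archive's.
FILES = {
    "linux_4.4.0-53.74.dsc": b"Format: 3.0 (quilt)\nSource: linux\n",
    "linux_4.4.0.orig.tar.gz": b"\x1f\x8b" + b"orig tarball (constructed)\n",
    "linux_4.4.0-53.74.diff.gz": b"\x1f\x8b" + b"debian diff (constructed)\n",
}


def make_sources_stanza(files):
    """Build a Sources stanza with a Checksums-Sha256 field in the same shape
    as the one quoted in the reply (constructed; one indented line per file)."""
    lines = ["Package: linux", "Binary: linux-image-generic", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    lines.append("Directory: pool/main/l/linux")
    return "\n".join(lines) + "\n"


SOURCES_STANZA = make_sources_stanza(FILES)

CHECKSUM_LINE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(stanza):
    """Return {filename: (sha256_hex, size)} from a Sources stanza.
    Continuation lines are indented by one space; the field ends at the
    next unindented line."""
    expected = {}
    in_field = False
    for line in stanza.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            m = CHECKSUM_LINE.match(line)
            if not m:
                raise ValueError("malformed Checksums-Sha256 entry: %r" % line)
            digest, size, name = m.groups()
            expected[name] = (digest, int(size))
    return expected


def verify_source_files(expected, files):
    """The check apt performs before dpkg-source ever looks at the .dsc
    signature: every listed file must exist and match both the size and the
    SHA-256 from the (InRelease-signed) index.  Returns a list of error
    strings; an empty list means the download is verified."""
    errors = []
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            errors.append("%s: file missing" % name)
            continue
        if len(data) != size:
            errors.append("%s: size %d != %d" % (name, len(data), size))
            continue
        if hashlib.sha256(data).hexdigest() != digest:
            errors.append("%s: Hash Sum mismatch" % name)
    return errors


def short_keyid(fingerprint):
    """32-bit ("short") key ID: the last 8 hex digits of a v4 fingerprint.
    Anyone can grind a key until these 8 digits match a target, which is
    why fetching by short ID can pull in more than one key."""
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-8:]


def long_keyid(fingerprint):
    """64-bit key ID (gpg's `keyid-format long`), last 16 hex digits."""
    return fingerprint.replace(" ", "").upper()[-16:]


def short_keyid_collisions(fingerprints):
    """Group fingerprints by short key ID and return only the groups with
    more than one member, i.e. exactly what `--recv-keys 105BE7F7` imported."""
    groups = {}
    for fpr in fingerprints:
        groups.setdefault(short_keyid(fpr), []).append(fpr.replace(" ", "").upper())
    return {k: v for k, v in groups.items() if len(v) > 1}


# Real fingerprint quoted in the reply; the second is a constructed stand-in
# for a colliding key (NOT the actual evil32 key), sharing only the last 32 bits.
REAL_FPR = "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7"
FAKE_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 105B E7F7"  # constructed

if __name__ == "__main__":
    expected = parse_checksums_sha256(SOURCES_STANZA)
    print("intact download:", verify_source_files(expected, FILES) or "OK")
    tampered = dict(FILES)
    tampered["linux_4.4.0-53.74.diff.gz"] += b"\x00"
    print("tampered download:", verify_source_files(expected, tampered))
    print("short IDs that map to several keys:", short_keyid_collisions([REAL_FPR, FAKE_FPR]))
    print("long IDs still differ:", long_keyid(REAL_FPR), long_keyid(FAKE_FPR))
```

The verification loop is the reason the revoked .dsc signature is not a download-integrity problem: a modified or substituted source file fails the size or SHA-256 comparison against the signed index regardless of who signed the .dsc. The key-ID helpers show why `apt-key adv --recv-keys 105BE7F7` is the wrong handle: the short ID is a 32-bit suffix of the fingerprint, so fetch and verify by full fingerprint (or at least the 64-bit long ID) instead.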