Bug#762833: marked as done (apt: Bad handling of external/non-debian package signature keys)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 25 Sep 2014 17:49:32 +0200
with message-id <CAEA6rAy5M5LQGZJ6ZNcy8J5Q+bPFMVk1j2Q57W6rXp2mF2hSVQ@mail.gmail.com>
and subject line Re: Bug#762833: apt: Bad handling of external/non-debian package signature keys
has caused the Debian Bug report #762833,
regarding apt: Bad handling of external/non-debian package signature keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
762833: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762833
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: apt: Bad handling of external/non-debian package signature keys
• From: Eric Valette <eric2.valette@orange.com>
• Date: Thu, 25 Sep 2014 16:51:26 +0200
• Message-id: <[🔎] 20140925145126.21933.49784.reportbug@r-x-ceva6380.rd.francetelecom.fr>
• Reply-to: eric2.valette@orange.com

Package: apt
Version: 1.1~exp3
Severity: important

apt-get update
....

W: GPG error: http://download.virtualbox.org wheezy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54422A4B98AB5139
W: GPG error: http://dl.google.com stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A040830F7FAC5991
W: GPG error: http://dl.google.com stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A040830F7FAC5991
W: GPG error: http://dl.google.com stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A040830F7FAC5991
W: GPG error: http://www.deb-multimedia.org sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: http://www.deb-multimedia.org experimental InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907

apt-get install --reinstall deb-multimedia-keyring
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 7 not upgraded.
Need to get 0 B/14.4 kB of archives.
After this operation, 0 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  deb-multimedia-keyring
Install these packages without verification? [y/N] y
(Reading database ... 374059 files and directories currently installed.)
Preparing to unpack .../deb-multimedia-keyring_2012.05.10-dmo4_all.deb ...
Unpacking deb-multimedia-keyring (2012.05.10-dmo4) over (2012.05.10-dmo4) ...
Setting up deb-multimedia-keyring (2012.05.10-dmo4) ...
OK
root@r-x-ceva6380:/home/ceva6380# apt-get install --reinstall deb-multimedia-keyring
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 7 not upgraded.
Need to get 0 B/14.4 kB of archives.
After this operation, 0 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  deb-multimedia-keyring
Install these packages without verification? [y/N] ^C

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.1
ii  gnupg                   1.4.18-4
ii  libapt-pkg4.13          1.1~exp3
ii  libc6                   2.19-11
ii  libgcc1                 1:4.9.1-15
ii  libstdc++6              4.9.1-15

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc     <none>
ii  dpkg-dev    1.17.13
ii  python-apt  0.9.3.10
ii  synaptic    0.81.2

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: eric2.valette@orange.com, 762833-done@bugs.debian.org
• Subject: Re: Bug#762833: apt: Bad handling of external/non-debian package signature keys
• From: Julian Andres Klode <jak@jak-linux.org>
• Date: Thu, 25 Sep 2014 17:49:32 +0200
• Message-id: <CAEA6rAy5M5LQGZJ6ZNcy8J5Q+bPFMVk1j2Q57W6rXp2mF2hSVQ@mail.gmail.com>
• In-reply-to: <[🔎] 20140925145126.21933.49784.reportbug@r-x-ceva6380.rd.francetelecom.fr>
• References: <[🔎] 20140925145126.21933.49784.reportbug@r-x-ceva6380.rd.francetelecom.fr>

On Thu, Sep 25, 2014 at 4:51 PM, Eric Valette <eric2.valette@orange.com> wrote:
> Package: apt
> Version: 1.1~exp3
> Severity: important
>
> apt-get update
> ....
>
> W: GPG error: http://download.virtualbox.org wheezy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54422A4B98AB5139
> W: GPG error: http://dl.google.com stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A040830F7FAC5991
> W: GPG error: http://dl.google.com stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A040830F7FAC5991
> W: GPG error: http://dl.google.com stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A040830F7FAC5991
> W: GPG error: http://www.deb-multimedia.org sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
> W: GPG error: http://www.deb-multimedia.org experimental InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
>
> apt-get install --reinstall deb-multimedia-keyring
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 7 not upgraded.
> Need to get 0 B/14.4 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> WARNING: The following packages cannot be authenticated!
>   deb-multimedia-keyring
> Install these packages without verification? [y/N] y
> (Reading database ... 374059 files and directories currently installed.)
> Preparing to unpack .../deb-multimedia-keyring_2012.05.10-dmo4_all.deb ...
> Unpacking deb-multimedia-keyring (2012.05.10-dmo4) over (2012.05.10-dmo4) ...
> Setting up deb-multimedia-keyring (2012.05.10-dmo4) ...
> OK
> root@r-x-ceva6380:/home/ceva6380# apt-get install --reinstall deb-multimedia-keyring
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 7 not upgraded.
> Need to get 0 B/14.4 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> WARNING: The following packages cannot be authenticated!
>   deb-multimedia-keyring
> Install these packages without verification? [y/N] ^C
>

You need to re-run apt-get update. APT does not verify signatures
outside of update, and does not even store them IIRC in case of
unauthenticated repositories.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

--- End Message ---