Bug#698677: debootstrap: 'Release signed by unknown key' should report keyring used
Package: debootstrap
Version: 1.0.44
Running debootstrap on Gentoo (where the latest version available is
1.0.44) via 'lxc-create' (to generate an LXC guest environment) I
receive the unhelpful error:
 E: Release signed by unknown key (key id 64481591B98321F9)
I believe that this is possibly/probably because the key validity has
expired, and the Gentoo package's included keyring is no longer fresh.
That's fine and a reported bug at
https://bugs.gentoo.org/show_bug.cgi?id=387565
The issue I am reporting here is that *the error itself is not very
helpful*, specifically at identifying the keyring that requires
maintenance.
Given that:
 (a) There are multiple potential keyring paths acknowledged within
the debootstrap source
 (b) This tool is largely useful on other distributions that, like
Gentoo, may understandably modify the keyring path
 (c) This tool is often going to be executed deep within automated
processes (e.g. for continuous integration / automated testing, etc.)
It makes sense to extend the output of the error to something more
verbose that includes the keyring path and saves people wasted time
digging.
Two pieces of information should ideally be made available:
 1. The path to the keyring itself
 2. A Debian (security/release team?) URL that may be used in third
party distro scripts to validate/update the current/expected signing
key IDs (I suppose, on a per-release basis), which as far as I can
tell does not presently exist in a simple list/automatable fashion
(though data is available in a not-well-documented form @
'active-keys/' in the tarball at
http://packages.debian.org/source/squeeze/debian-archive-keyring). For
the moment the URL could be
http://www.debian.org/doc/manuals/securing-debian-howto/ch7#s7.5.3.6
... to allow users to resolve the issue without relying on (probably
out of date) third-party distros' packages.  That URL should probably
be updated with a more useful line for people without Debian (and
therefore apt-key installed), like:
  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key 64481591B98321F9
 (Acknowledgement: command line built from post @
https://groups.google.com/forum/?fromgroups=#!topic/linux.debian.bugs.dist/tKv7EYb1HkE
)
 3. In addition, that URL's year-based-path solution appears no longer
valid (at least for 2013).
For reference purposes, the MD5 checksum of my
Gentoo-debootstrap-package-installed keyring prior to manual addition
of the key in question was d091e2e61800b3e5d65f956e05a42f36
PS. Apologies for the verbosity and not splitting the bugs (re: points
2 and 3 above) -- I am not normally a Debian/Ubuntu user and don't
have enough familiarity with project structure to do this efficiently.
Hopefully someone can deal with this on my behalf.
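As an added example (not code from this report or from debootstrap itself): a small POSIX shell reporter that parses gpgv's machine-readable --status-fd lines and produces the more verbose error proposed in point 1, naming the keyring that was consulted. The status lines are constructed sample input; the keyring path is the one from the gpg command above.

```shell
#!/bin/sh
# Added example, not debootstrap's own code. Turns gpgv's --status-fd lines
# into an error that names the keyring in which the signing key was missing.

# Constructed sample of gpgv status output when the Release signing key is
# absent from the keyring (key id taken from the error in the report).
SAMPLE_STATUS_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 64481591B98321F9 1 2 00 1356998400 9
[GNUPG:] NO_PUBKEY 64481591B98321F9'

# Constructed sample of a successful verification.
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 64481591B98321F9 Debian Archive Automatic Signing Key <ftpmaster@debian.org>'

# verify_release_status KEYRING STATUS_TEXT
# Prints a diagnostic that includes the keyring path. Returns 0 for a good
# signature, 1 when the signing key is not in KEYRING, 2 otherwise.
verify_release_status() {
    keyring=$1
    status_text=$2
    # The first NO_PUBKEY line carries the id of the key gpgv could not find.
    missing=$(printf '%s\n' "$status_text" |
        awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; exit }')
    if [ -n "$missing" ]; then
        printf 'E: Release signed by unknown key (key id %s)\n' "$missing"
        printf 'E: key %s is not present in keyring %s\n' "$missing" "$keyring"
        printf 'E: update that keyring, or pass --keyring with a current debian-archive-keyring\n'
        return 1
    fi
    if printf '%s\n' "$status_text" | grep -q '^\[GNUPG:\] GOODSIG '; then
        printf 'I: Release signature verified with keyring %s\n' "$keyring"
        return 0
    fi
    printf 'E: Release signature could not be verified with keyring %s\n' "$keyring"
    return 2
}

# verify_release_file KEYRING RELEASE.gpg RELEASE
# Runs gpgv over a real Release file and routes its status lines through
# the reporter above. Assumes gpgv is installed.
verify_release_file() {
    out=$(gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null)
    verify_release_status "$1" "$out"
}

# Demonstration on the constructed samples; the first call is expected to
# fail with status 1, so its status is discarded here.
KR=/usr/share/keyrings/debian-archive-keyring.gpg
verify_release_status "$KR" "$SAMPLE_STATUS_UNKNOWN" || true
verify_release_status "$KR" "$SAMPLE_STATUS_GOOD"
```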