[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#698677: marked as done (debootstrap: 'Release signed by unknown key' should report keyring used)

Your message dated Tue, 17 Apr 2018 02:53:56 +0000
with message-id <E1f8Gkm-000DlD-UQ@fasolo.debian.org>
and subject line Bug#698677: fixed in debootstrap 1.0.97
has caused the Debian Bug report #698677,
regarding debootstrap: 'Release signed by unknown key' should report keyring used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

698677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698677
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debootstrap
Version: 1.0.44

Running debootstrap on Gentoo (where the latest version available is
1.0.44) via 'lxc-create' (to generate an LXC guest environment) I
receive the unhelpful error:

 E: Release signed by unknown key (key id 64481591B98321F9)

I believe that this is possibly/probably because the key validity has
expired, and the Gentoo package's included keyring is no longer fresh.
That's fine and a reported bug at

The issue I am reporting here is that *the error itself is not very
helpful*, specifically at identifying the keyring that requires

Given that:
 (a) There are multiple potential keyring paths acknowledged within
the debootstrap source
 (b) This tool is largely useful on other distributions that, like
gentoo, may understandable modify the keyring path
 (c) This tool is often going to be executed deep within automated
processes (eg. for continuous integration / automated testing, etc.)

It makes sense to extend the output of the error to something more
verbose that includes the keyring path and saves people wasted time

Two pieces of information should ideally be made available:
 1. The path to the keyring itself
 2. A debian (security/release team?) URL that may be used in third
party distro scripts to validate/update the current/expected signing
key IDs (I suppose, on a per-release basis), which as far as I can
tell does not presently exist in a simple list/automateable fashion
(though data is available in a not-well-documented form @
'active-keys/' in the tarball at
http://packages.debian.org/source/squeeze/debian-archive-keyring). For
the moment the URL could be
... to allow users to resolve the issue without relying on (probably
out of date) third-party distros' packages.  That URL should probably
be updated with a more useful line for people without debian (and
therefore apt-key installed), like:

  gpg --no-default-keyring --keyring
/usr/share/keyrings/debian-archive-keyring.gpg --keyserver
pgpkeys.mit.edu --recv-key 64481591B98321F9
 (Acknowledgement: command line built from post @

 3. In addition, that URL's year-based-path solution appears no longer
valid (at least for 2013).

For reference purposes, the MD5 checksum of my
Gentoo-debootstrap-package-installed keyring prior to manual addition
of the key in question was d091e2e61800b3e5d65f956e05a42f36

PS. Apologies for the verbosity and not splitting the bugs (re: points
2 and 3 above) -- I am not normally a Debian/Ubuntu user and don't
have enough familiarity with project structure to do this efficiently.
Hopefully someone can deal with this on my behalf.

--- End Message ---
--- Begin Message ---
Source: debootstrap
Source-Version: 1.0.97

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698677@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Hideki Yamane <henrich@debian.org> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Tue, 17 Apr 2018 11:06:32 +0900
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.97
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
 debootstrap - Bootstrap a basic Debian system
 debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 698677 826709 844118 866401 872059 872577 872948 890419 893954 895466
 debootstrap (1.0.97) unstable; urgency=medium
   [ Dan Nicholson ]
   * Handle existing /dev (Closes: #872577)
   [ Hideki Yamane ]
   * Create /dev/console as same as previous (Closes: #872059)
   * Do not ignore HTTPS mirror setting (Closes: #893954)
   * Improve manpage "what is calls a Debian base system" (Closes: #872948)
     Thanks to Emmanuel Kasper <manu@debian.org> for the patch
   * Improve error message when download fails (Closes: #866401)
     Thanks to Raphaël Hertzog <hertzog@debian.org> for the patch
   * Use wget --non-verbose option instead of --quiet
   * Improve error message on Release signed by unknown key (Closes: #698677)
   * Add --cache-dir feature (Closes: #844118)
     It is enabled by default and use /var/cache/apt/archives as default value
   [ Adam Borowski ]
   * Use arch-test if installed to check whether second stage is possible.
     (Closes: #826709)
   [ Lubomir Rintel ]
   * Fix boostrapping libvirt LXC containers (Closes: #890419)
   [ Raphaël Hertzog ]
   * Use "command -v apt-config" to check for apt-config's presence
     (Closes: #895466)
   * Drop default value for --cache-dir parameter
   * Forbid the usage of non-empty directories with --print-debs and
   * Do not use HTTPS for Kali bootstrap script
 dec58e328c8ca5a62ed929cba1323a21d053c960 1991 debootstrap_1.0.97.dsc
 ff4d6b40efebbbf14c33445419e8e264cf4c04c8 71121 debootstrap_1.0.97.tar.gz
 c2d21436e905fc28eb141fd25542c1d1d748f003 20556 debootstrap-udeb_1.0.97_all.udeb
 5eba09250171942f0b7483759285c85c24e82e74 69060 debootstrap_1.0.97_all.deb
 5cf71f8a36c995632a5d7ae31320941c907b56fa 5766 debootstrap_1.0.97_amd64.buildinfo
 9b0dc362f97976833c1f148d00933c85a0095525885ad1a6845e81671d4aabdd 1991 debootstrap_1.0.97.dsc
 d3e6bef403dbabade11d098214030d5063c6b238d3751b159f727af7556c5cf0 71121 debootstrap_1.0.97.tar.gz
 b4f377d7e40b5128271dca859d924e79c36fc7d1c86408f91a474ad2c669f6e9 20556 debootstrap-udeb_1.0.97_all.udeb
 0177ffecea5cc1a42084ae02a44d8e902a086577cefc00194b983fd7f3d802a7 69060 debootstrap_1.0.97_all.deb
 c9d57dd2f298f41fd5d56badca0d88898b8797e7b5755db1b62e7b14cf99af02 5766 debootstrap_1.0.97_amd64.buildinfo
 355d536a46a764b9f798e977ffdf0acf 1991 admin optional debootstrap_1.0.97.dsc
 856379c44f4cec4be4071a91e061aafd 71121 admin optional debootstrap_1.0.97.tar.gz
 11ae2cd66f0ec42d94edda0a876fcb5a 20556 debian-installer optional debootstrap-udeb_1.0.97_all.udeb
 e1844d1cfb966c00101048bb9285f002 69060 admin optional debootstrap_1.0.97_all.deb
 e1d959b6ca11fbca1d18a15bb9403248 5766 admin optional debootstrap_1.0.97_amd64.buildinfo



--- End Message ---

Reply to: