
Bug#851774: marked as done (Stop using apt-key add to add keys in generators/60local)



Your message dated Fri, 12 Jul 2019 09:07:45 +0000
with message-id <E1hlrWr-0004ac-G0@fasolo.debian.org>
and subject line Bug#851774: fixed in apt-setup 1:0.151
has caused the Debian Bug report #851774,
regarding Stop using apt-key add to add keys in generators/60local
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
851774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt-setup
Version: 1:0.123
Severity: serious

For a long time it's been possible to preseed a local repository that has its own keyring. However, with the latest changes related to gpg dependencies getting dropped in apt, this is no longer possible.

I'm setting severity as serious as advised by Julien Cristau on IRC. With the current state of things, in order to install a local repository with a keyring the user needs to somehow create a script that will put the keyring in place before 60local runs, and not preseed the keyring at all.  If the keyring is preseeded, *the whole installation will fail* because apt-key add fails which causes 60local to fail, which causes the install base system step to fail.

This is the offending code:

This is using the deprecated apt-key add functionality.  From the apt-key manpage:

COMMANDS
       add filename
(...)
           Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.

So, the right thing to do is to copy the file to the right path instead of calling apt-key add with it.

This was fixed in pbuilder back in September:

pbuilder (0.226.1) unstable; urgency=medium

  [ James Clarke ]
  * modules: add_additional_aptkeyrings:
    Copy keyrings to /etc/apt/trusted.gpg.d instead of using apt-key.
    We can no longer rely on being able to use apt-key in a minimal chroot,
    because gnupg has been demoted to a Recommends in apt. Instead, the
    keyrings can be copied directly into /etc/apt/trusted.gpg.d.
    Moreover, `apt-key` usage has been discouraged over the past years.
    This means that using the APTKEYRINGS option of pbuilder won't actually
    work with chroots older than squeeze (APT version 0.7.25.1)

-- 
Regards,
Marga
--
Cheers,
Marga

--- End Message ---
--- Begin Message ---
Source: apt-setup
Source-Version: 1:0.151

We believe that the bug you reported is fixed in the latest version of
apt-setup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851774@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated apt-setup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Jul 2019 10:49:08 +0200
Source: apt-setup
Binary: apt-setup-udeb apt-mirror-setup apt-cdrom-setup
Architecture: source
Version: 1:0.151
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description:
 apt-cdrom-setup - set up a CD in sources.list (udeb)
 apt-mirror-setup - set up a mirror in sources.list (udeb)
 apt-setup-udeb - Configure apt (udeb)
Closes: 851774 928931
Changes:
 apt-setup (1:0.151) unstable; urgency=medium
 .
   [ Moritz Mühlenhoff ]
   * When preseeding a local repository via apt-setup/localX/repository,
     the repository key for Secure Apt needs to be configured with
     apt-setup/localX/key. This key used to be set up with apt-key, but
     its use is deprecated and apt's former dependency on gnupg has been
     demoted to a Suggests, rendering apt-key non-functional in d-i.
     Apply a patch by Lars Kollstedt (thanks!) which adds the repository
     key(s) to /etc/apt/trusted.gpg.d, following the approach used by
     pbuilder (Closes: #851774, #928931):
      - .asc suffix if the key file seems to be armoured ASCII (i.e. it
        contains a “-----BEGIN PGP PUBLIC KEY BLOCK-----” line);
      - .gpg suffix otherwise. Please note that only “GPG key public ring”
        are supported by APT, newer “keybox database” format isn't at the
        moment.
 .
   [ Updated translations ]
   * Arabic (ar.po) by ButterflyOfFire
   * Hindi (hi.po) by KushagraKarira
   * Croatian (hr.po) by gogogogi

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
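
The suffix rule from the 1:0.151 changelog above, as an added example that is not the apt-setup patch itself: `key_suffix` and `install_repo_key` are hypothetical names, the destination directory is a parameter so the code can run against a scratch directory, and the keybox check (magic `KBXf` at byte offset 8) is an assumption added here to reject the format the changelog says APT does not support.

```shell
#!/bin/sh
# Added example: pick the trusted.gpg.d suffix the changelog describes.
# key_suffix and install_repo_key are hypothetical names, not apt-setup code.

ARMOR_HEADER='-----BEGIN PGP PUBLIC KEY BLOCK-----'

# Print "asc" for armoured ASCII keys and "gpg" for binary keyrings.
# Fail on empty/unreadable files and on keybox databases.
key_suffix() {
    [ -r "$1" ] && [ -s "$1" ] || return 1
    if LC_ALL=C grep -q -e "^$ARMOR_HEADER" "$1"; then
        echo asc
        return 0
    fi
    # Assumption: a keybox file carries the magic "KBXf" at byte offset 8.
    magic=$(dd if="$1" bs=1 skip=8 count=4 2>/dev/null | tr -d '\000')
    if [ "$magic" = "KBXf" ]; then
        echo "keybox database not supported by APT: $1" >&2
        return 1
    fi
    echo gpg
}

# Copy key file $1 to <dir>/$2.<suffix> and print the resulting path.
# $3 overrides the directory (default /etc/apt/trusted.gpg.d) for testing.
install_repo_key() {
    dest_dir=${3:-/etc/apt/trusted.gpg.d}
    case $2 in
        ''|*/*|.*) echo "bad keyring name: $2" >&2; return 1 ;;
    esac
    suffix=$(key_suffix "$1") || return 1
    dest="$dest_dir/$2.$suffix"
    cp -- "$1" "$dest" || return 1
    chmod 0644 "$dest"   # world-readable; only the owner may modify it
    echo "$dest"
}
```

Every file placed in `trusted.gpg.d` is trusted for all configured sources, so the name check keeps a preseeded value from writing outside that directory.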
