
Re: Debian derivatives census: dpkg vendor information

On Thu, 01 Aug 2013 19:30:51 +0000
adrelanos <adrelanos@riseup.net> wrote:

> If /etc/dpkg/origins/default does not include "Vendor: Debian",
> apt-get source verification breaks when running "apt-get source
> package".
> gpgv: Can't check signature: public key not found

This is expected behaviour - note that it's not marked as an error. Just because a program says something can't be done does not mean that this is a bug.

> gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file

This is the public keyring of the user running the apt command, not the SecureApt keys in /etc/apt/ which determine whether the download itself is reliable. It is unlikely that everyone unpacking Debian source packages has the entire Debian keyring in their personal gnupg home directory and, even if they did, that doesn't account for old packages signed with different keys etc. Only ftpmaster actually needs to have all keys in a specified keyring; even then, it's not a personal keyring and apt-get source is not the way that the signature is verified.

Few people ever need to care about the signature on the .dsc - what matters is the signature on the Release file on the site from which you download the .dsc as this includes a checksum on the .dsc matching the checksum made by the people who *do* need to check the signature on the .dsc. Nobody can change the contents of the source package without breaking the checksum listed in the Release file and therefore breaking the signature on that Release file.

> open error gpgv: Signature made Sun Feb 24 16:28:50 2013 UTC using
> RSA key ID 7E798989 gpgv: Can't check signature: public key not found
> dpkg-source: warning: failed to verify signature

The best way to automate this is to get the name of the .dsc file in advance, only ask apt to download the source package (it will use SecureApt for this step and it's *this* bit which you should be relying upon) and run an explicit dpkg-source -x on that .dsc file.

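# Name of the .dsc as listed by apt (first match only)
dsc_file=$(apt-cache showsrc <package> | grep -m1 dsc | cut -d' ' -f4)
# Download only; this is the step that goes through SecureApt
apt-get -d source <package>=<version>
dpkg-source -x "./$dsc_file"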

You can add --no-check to the dpkg-source command if you want to.

The problem with apt-cache showsrc is that it will show all available versions - filtering that down to the version you want is left as an exercise for the reader. apt-get -d source will get the version you specify (with =) or the version for the suite you specify (with /$suite) or you can control which sources are available to the apt-get command via options to apt-get update.


Neil Williams
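
Added example, not part of the original mail: one way to do the version filtering of `apt-cache showsrc` output that the mail leaves to the reader, and then compare the downloaded .dsc with the SHA-256 that apt's source index lists for that version. The function names and the sample stanzas are constructed for illustration, and `sha256sum` is assumed to be available.

```shell
#!/bin/sh
# Added example; dsc_for_version, check_dsc and sample_showsrc are hypothetical names.

# Read `apt-cache showsrc <package>` stanzas on stdin and print
# "<sha256> <file>.dsc" for exactly one version; exit 1 if it is not listed.
dsc_for_version() {
    awk -v want="$1" '
        function emit() {
            if (!found && ver == want && dsc != "") { print dsc; found = 1 }
            ver = ""; dsc = ""; insec = 0
        }
        /^$/                   { emit(); next }   # a blank line ends a stanza
        /^Version:/            { ver = $2; insec = 0; next }
        /^Checksums-Sha256:/   { insec = 1; next }
        /^[^ ]/                { insec = 0; next } # any other field header
        insec && $3 ~ /\.dsc$/ { dsc = $1 " " $3 }
        END { emit(); exit (found ? 0 : 1) }
    '
}

# Compare the .dsc in directory $2 with the hash listed for version $1
# (stanzas on stdin). 0 = match, 1 = mismatch, 2 = version or file not found.
check_dsc() {
    entry=$(dsc_for_version "$1") || return 2
    want_sum=${entry%% *}
    file=${entry#* }
    [ -f "$2/$file" ] || return 2
    got_sum=$(sha256sum "$2/$file" | cut -d' ' -f1)
    [ "$got_sum" = "$want_sum" ]
}

# Constructed sample input, trimmed to the fields used. The 2.8-2 .dsc hash
# is the SHA-256 of the three bytes "abc"; the other hashes are dummies.
sample_showsrc() {
    cat <<'EOF'
Package: hello
Version: 2.8-2
Checksums-Sha256:
 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 100 hello_2.8.orig.tar.gz
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 hello_2.8-2.dsc
Files:
 00000000000000000000000000000000 3 hello_2.8-2.dsc

Package: hello
Version: 2.8-4
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 3 hello_2.8-4.dsc
EOF
}
```

On a real system the input would be `apt-cache showsrc <package> | check_dsc <version> .` run after `apt-get -d source <package>=<version>`.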
