On Wed, May 06, 2015 at 09:30:32PM +0800, Paul Wise wrote:
> On Wed, May 6, 2015 at 8:46 PM, Patrick Schleizer wrote:
>
> > "apt-get source package" will show "dpkg-source: warning: failed to
> > verify signature"
> >
> > https://www.whonix.org/wiki/Download#.22apt-get_source_package.22_will_show_.22dpkg-source:_warning:_failed_to_verify_signature.22
>
> I still think that is a bug that should be filed, apt should be using
> the trusted keyring for verifying source packages, vendor information
> should not be involved at all.

dpkg-source involves vendor information as the dsc files it is checking the signature for aren't signed by a key known to apt (at least in the general case), but by the currently used key of the uploader of said package. Debian provides the large debian-keyring package and dpkg is looking for it to do its bidding (see also the dpkg-source manpage), but that isn't failsafe from an apt perspective: the keys used to sign this dsc file could have expired in the meantime, the uploader may no longer be in the keyring (resigned DD/DM) or not yet (new DD/DM), or not with this key.

Neither is a problem for 'apt-get source' as it establishes a trust chain where the repository creator checked the dsc file. It is an additional check if it can be done and can't hurt (well, it can scare people if one of the cases mentioned above happens or with this warning), but it's also scaring me to disable such checks with '--no-check' by default as someone will probably scream at me for doing it when the next security bug is found. I am a bit undecided at the moment…

Btw: If you happen to have a package similar to debian-keyring containing the keys of your developers, you could ask dpkg to support it. The scripts/Dpkg/Vendor/ directory in dpkg sources is pretty sparsely populated at the moment… (I am not a dpkg dev though, so I can't help with that, best to ask them).

Oh, and only slightly related: APT has a vendor/ directory as well:
https://anonscm.debian.org/cgit/apt/apt.git/tree/vendor/README

Best regards

David Kalnischkies
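The trust chain David describes (apt trusts the archive's signed index, and the index pins the dsc by hash, so the dsc's own OpenPGP signature is only an extra check) can be made concrete. The following is an added example, not code from the thread or from apt/dpkg: it parses the Checksums-Sha256 field of a constructed Sources stanza and verifies a constructed .dsc against it, assuming the stanza itself was already authenticated by apt through the signed InRelease file.

```python
import hashlib
import hmac

# Constructed .dsc content; not a real Debian source package.
DSC_BYTES = b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"

# Constructed Sources stanza as apt would fetch it from a signed index.
# The orig tarball digest is a placeholder, not a real value.
SOURCES_STANZA = f"""Package: example
Version: 1.0-1
Directory: pool/main/e/example
Checksums-Sha256:
 {hashlib.sha256(DSC_BYTES).hexdigest()} {len(DSC_BYTES)} example_1.0-1.dsc
 {'0' * 64} 12345 example_1.0.orig.tar.gz
Package-List:
 example deb misc optional
"""


def parse_checksums(stanza: str) -> dict:
    """Return {filename: (sha256_hex, size)} from Checksums-Sha256 of one stanza."""
    files = {}
    in_field = False
    for line in stanza.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            # Multi-line fields continue with a leading space; anything else ends it.
            if not line.startswith(" "):
                in_field = False
                continue
            digest, size, name = line.split()
            files[name] = (digest.lower(), int(size))
    return files


def verify_dsc(stanza: str, name: str, data: bytes) -> bool:
    """True only if the downloaded .dsc matches the size and SHA-256 the index pins."""
    files = parse_checksums(stanza)
    if name not in files:
        return False  # not listed by the archive: nothing vouches for it
    expected_digest, expected_size = files[name]
    if len(data) != expected_size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest)
```

A mismatch here means the archive never vouched for this dsc, which is the failure apt actually guards against; the uploader-key warning from dpkg-source is independent of it.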