
Re: apt ignoring check-valid-until flag



On Wed, 2020-12-16 at 19:06 +0100, John Paul Adrian Glaubitz wrote:
> Hi!
> 
> For some reason, apt is ignoring the "check-valid-until" flag for me, no matter whether
> I'm passing that option in /etc/apt/sources.list or on the command line (see below).
> 
> Does anyone have any idea what I'm missing?
> 
> PS: Please CC me, I'm not subscribed to debian-devel.
> 
> Thanks,
> Adrian
> 
> =======================================================================================
> 
> (sid-powerpc-sbuild2)root@kapitsa:/# cat /etc/apt/sources.list
> # binary default
>
> [...]
> #deb [check-valid-until=no]  http://snapshot.debian.org/archive/debian-ports/20190428T083118Z/ unstable main
> 
> deb [check-valid-until=no]  http://snapshot.debian.org/archive/debian-ports/20190428T083118Z/ unstable main
> deb [check-valid-until=no]  http://snapshot.debian.org/archive/debian-ports/20201014T042941Z/ unstable main
> 
> ##deb [arch=all]  http://snapshot.debian.org/archive/debian/20190731T151946Z/ unstable main
> 
> [...]
>
> Hit:10 http://ftp.ports.debian.org/debian-ports experimental InRelease
> Err:7 http://snapshot.debian.org/archive/debian-ports/20190428T083118Z unstable InRelease                                                                                                                                                  
>   The following signatures were invalid: EXPKEYSIG DA1B2CEA81DCBC61 Debian Ports Archive Automatic Signing Key (2019) < ftpmaster@ports-master.debian.org>
> Reading package lists... Done
> W: GPG error:  http://snapshot.debian.org/archive/debian-ports/20190428T083118Z unstable InRelease: The following signatures were invalid: EXPKEYSIG DA1B2CEA81DCBC61 Debian Ports Archive Automatic Signing Key (2019) < ftpmaster@ports-master.debian.org>
> E: The repository ' http://snapshot.debian.org/archive/debian-ports/20190428T083118Z unstable InRelease' is not signed.
> N: Updating from such a repository can't be done securely, and is therefore disabled by default.
> N: See apt-secure(8) manpage for repository creation and user configuration details.

There's something else happening here.  See, the error isn't for a
repository that's lapsed its check-valid-until date: That error would look
like this:
> E: Release file for 
> http://snapshot.debian.org/archive/debian/20190428T083118Z/dists/unstable/InRelease
> is expired (invalid since 591d 20h 48min 38s). Updates for this
> repository will not be applied.

Instead, the issue is that the GPG key is also expired.  Debian-ports has
a much shorter duration on their keys than the main archive: only a year.
That means apt-secure can't verify it, and thus considers it insecure, and
refuses to update.

The solution is to use allow-insecure=yes as well.

Calum
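
A way to tell the two failures discussed in this thread apart from `apt update` output, as an added example (not code from the thread or from apt). The sample lines are constructed from the messages quoted above, and the function name and the labels are hypothetical.

```python
import re

# Constructed sample, modelled on the apt messages quoted in this thread.
SAMPLE = """\
Err:7 http://snapshot.debian.org/archive/debian-ports/20190428T083118Z unstable InRelease
  The following signatures were invalid: EXPKEYSIG DA1B2CEA81DCBC61 Debian Ports Archive Automatic Signing Key (2019)
W: GPG error: http://snapshot.debian.org/archive/debian-ports/20190428T083118Z unstable InRelease: The following signatures were invalid: EXPKEYSIG DA1B2CEA81DCBC61 Debian Ports Archive Automatic Signing Key (2019)
E: Release file for http://snapshot.debian.org/archive/debian/20190428T083118Z/dists/unstable/InRelease is expired (invalid since 591d 20h 48min 38s). Updates for this repository will not be applied.
"""

SOURCE_RE = re.compile(r"^(?:Err:\d+|W: GPG error:)\s+(\S+)")
EXPKEYSIG_RE = re.compile(r"\bEXPKEYSIG\s+([0-9A-F]{16,40})\b")
VALID_UNTIL_RE = re.compile(r"Release file for\s+(\S+)\s+is expired \(invalid since ([^)]+)\)")

# Hypothetical labels -> the sources.list option the thread ties to each failure.
OPTION_FOR = {
    "release-file-expired": "check-valid-until=no",
    "signing-key-expired": "allow-insecure=yes",
}

def classify(output):
    """Return unique (kind, source_or_url, detail) tuples found in apt output."""
    findings, last_source = [], None
    for line in output.splitlines():
        src = SOURCE_RE.match(line)
        if src:
            last_source = src.group(1)   # apt prints the key error on the next line
        key = EXPKEYSIG_RE.search(line)
        rel = VALID_UNTIL_RE.search(line)
        if key:
            item = ("signing-key-expired", last_source, key.group(1))
        elif rel:
            item = ("release-file-expired", rel.group(1), rel.group(2))
        else:
            continue
        if item not in findings:          # Err: and W: lines repeat the same fact
            findings.append(item)
    return findings

if __name__ == "__main__":
    for kind, where, detail in classify(SAMPLE):
        print(f"{kind}: {where} ({detail}) -> {OPTION_FOR[kind]}")
```

To run it against a live system, pass the captured text of `apt-get update 2>&1` to `classify()` in place of `SAMPLE`.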
