Bug#816204: live-build: Weak signing key not properly deleted by live-build, remains in /etc/apt/trusted.gpg after building.
Package: live-build
Version: 1:20151215
Severity: normal
Tags: patch
Dear Maintainer,
live-build is supposed to delete the temporary '_LB_LOCAL_KEY_EMAIL'
signing key at the end of the 'scripts/build/chroot_archives' script.
However, it fails because the 'apt-key del' command expects a key ID and not
the email address associated with the key (_LB_LOCAL_KEY_EMAIL). This
was probably missed because the command likes to return "OK" even when
a non-existent key is specified.
The result of this bug is that an insecure (and unneeded) APT signing
key is left in the '/etc/apt/trusted.gpg' keyring.
To address the problem, it is necessary to look up the key ID for
'_LB_LOCAL_KEY_EMAIL' using the 'apt-key list' command and parse the key
ID from the line previous to where the email address for the key appears (a
little tricky).
I have attached a patch that uses a sed statement to extract the key ID
and store it in an environment variable to be used with the 'apt-key
del' command.
-- Package-specific info:
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages live-build depends on:
ii debootstrap 1.0.78
Versions of packages live-build recommends:
ii apt-utils 1.2.3
ii cpio 2.11+dfsg-5
pn live-boot-doc <none>
pn live-config-doc <none>
pn live-manual-html | live-manual <none>
ii wget 1.17.1-1+b1
Versions of packages live-build suggests:
pn debian-keyring <none>
ii gpgv 1.4.20-1
-- no debconf information
diff --git a/scripts/build/chroot_archives b/scripts/build/chroot_archives
index 029afe7..8b2546f 100755
--- a/scripts/build/chroot_archives
+++ b/scripts/build/chroot_archives
@@ -762,7 +762,8 @@ EOF
# Remove local packages key if it exists
if Chroot chroot apt-key list | grep -q ${_LB_LOCAL_KEY_EMAIL}
then
- Chroot chroot apt-key del ${_LB_LOCAL_KEY_EMAIL}
+ _LB_LOCAL_KEY_ID=`Chroot chroot apt-key list | sed -nr '/'"${_LB_LOCAL_KEY_EMAIL}"'/{x;d;};x;g;s/^.+1024R\/([[:xdigit:]]{8}).+/\1/p'`
+ Chroot chroot apt-key del ${_LB_LOCAL_KEY_ID}
fi
# Removing stage file
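Review bot: the sed expression on the `_LB_LOCAL_KEY_ID=` line does not select the key by e-mail at all: on every non-matching line `x;g` leaves the pattern space equal to the current line, so any `pub` line containing `1024R/` prints its 8-digit short ID, and the `{x;d;}` branch taken on the e-mail line merely discards the preceding line without printing it. It works only while the local key is the sole 1024-bit RSA key in the chroot keyring; with a different key size or algorithm, or a different `apt-key list` output format, the variable is empty and `Chroot chroot apt-key del ${_LB_LOCAL_KEY_ID}` runs with no argument while, as the report itself notes, apt-key still answers OK. Suggest selecting by uid from the machine-readable listing and using the full fingerprint, e.g. `Chroot chroot apt-key adv --with-colons --fingerprint --list-keys "${_LB_LOCAL_KEY_EMAIL}"` (assumption: these options are passed through to gpg), guarding the deletion with `[ -n "${_LB_LOCAL_KEY_ID}" ]`, and repeating the `apt-key list | grep -q` check after the del so a key that is still present is reported instead of silently accepted. Also quote `${_LB_LOCAL_KEY_EMAIL}` in the grep and in the sed address so the dots in the address do not match arbitrary characters.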
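A more robust way to do the lookup the report describes, as an added example that is not part of the report or of live-build's code: parse GnuPG's colon-separated listing (the format of `gpg --with-colons --fingerprint --list-keys`, which `apt-key adv` passes through to gpg) and select the key whose uid carries the e-mail address, returning its full fingerprint for `apt-key del`. The listing, addresses and fingerprints below are constructed sample data; the function name `key_fpr_for_email` is this example's own.

```shell
#!/bin/sh
# Added example, not live-build code.  Resolve an APT keyring key to its full
# fingerprint by the e-mail address in one of its user IDs, using GnuPG's
# machine-readable colon listing rather than scraping 'apt-key list' output.
# Record layout (gpg --with-colons): field 1 is the record type, 'fpr' records
# carry the fingerprint in field 10, 'uid' records carry the user ID in field 10.

# Constructed sample listing: an archive-style 4096-bit key with a signing
# subkey, followed by a 1024-bit local key.  All values are made up.
SAMPLE_LISTING='pub:-:4096:1:0123456789ABCDEF:1450000000:::-:::scSC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1450000000::X::Example Archive Signing Key <ftpmaster@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1450000000::::::s::::::23:
fpr:::::::::9999888877776666555544443333222211110000:
pub:-:1024:1:00000000DEADBEEF:1450100000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1450100000::X::live-build local packages key <local-packages@example.invalid>::::::::::0:'

# key_fpr_for_email LISTING EMAIL
# Prints the primary-key fingerprint of the key whose uid contains "<EMAIL>";
# returns 1 and prints nothing when no such key exists, so a caller can refuse
# to run 'apt-key del' with an empty argument.
key_fpr_for_email() {
    _state='' _fpr=''
    while IFS=: read -r _type _f2 _f3 _f4 _f5 _f6 _f7 _f8 _f9 _f10 _rest; do
        case $_type in
            pub) _state=pub; _fpr='' ;;   # new primary key: reset
            sub) _state=sub ;;            # subkey fpr records follow; ignore them
            fpr) if [ "$_state" = pub ] && [ -z "$_fpr" ]; then _fpr=$_f10; fi ;;
            uid)
                # match the bracketed address only, so a@x.org does not hit xa@x.org
                case $_f10 in
                    *"<$2>"*) if [ -n "$_fpr" ]; then printf '%s\n' "$_fpr"; return 0; fi ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Usage mirroring the chroot_archives cleanup: delete only when the lookup
# succeeded, and report otherwise instead of trusting apt-key's "OK".
if _id=$(key_fpr_for_email "$SAMPLE_LISTING" 'local-packages@example.invalid'); then
    echo "would run: apt-key del $_id"
else
    echo "local packages key not found; nothing to delete" >&2
fi
```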