
Re: Question about Debian archive signing keys



Andrew

In fact, the date you are pointing out does not matter, because it is filesystem metadata.
On my computer, jessie and stretch are older, probably the date when I reinstalled my computer. Have a look:

ls -l /etc/apt/trusted.gpg.d/
total 60
-rw-r--r-- 1 root root 8132 avril 23  2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 avril 23  2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 avril 23  2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 sept.  3  2017 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 sept.  3  2017 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 sept.  3  2017 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 sept.  3  2017 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 sept.  3  2017 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 sept.  3  2017 debian-archive-stretch-stable.gpg

My question is not about local GPG files and the verifying process, but about the signing process of archive metadata files on server side, through an example ("Release" file).
You said "The release has to be signed by matching keys", OK, they match... the old stable, and not the stable one! I agree, needed keys are present and APT works well.

This seems not to be a significant problem, but I wonder if there is a problem (more likely a configuration mistake) in the keys used to sign the Buster archive metadata.
Still, here is my question!

Regards


On 03/08/2020 at 19:26, Andrew Cater wrote:
The release has to be signed by matching keys or apt and aptitude will fail with warning messages every time you install a package.

/etc/apt/trusted.gpg here contains, for example - the output of ls -al

total 68
drwxr-xr-x 2 root root 4096 Jun  6 17:35 .
drwxr-xr-x 7 root root 4096 Jun  6 17:45 ..
-rw-r--r-- 1 root root 8132 Apr 23  2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23  2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23  2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23  2019 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23  2019 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23  2019 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23  2019 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23  2019 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23  2019 debian-archive-stretch-stable.gpg

All keys from the same date.





On Mon, Aug 3, 2020 at 4:24 PM F!nTcH <fintch@fintch.org> wrote:
Hello everybody

I would like to share my observations and ask you if there is something
wrong about the key used to sign the Buster Debian archive, or if I missed
something in all the explanations I've read around the Internet.

Let's run some commands (not optimized at all; they are only there for the
sake of explanation):

$ mkdir tmp
$ cd tmp
$ mkdir buster
$ mkdir stretch
$ cd buster
$ wget http://ftp.fr.debian.org/debian/dists/buster/Release
$ wget http://ftp.fr.debian.org/debian/dists/buster/Release.gpg
$ cd ../stretch
$ wget http://ftp.fr.debian.org/debian/dists/stretch/Release
$ wget http://ftp.fr.debian.org/debian/dists/stretch/Release.gpg

At this point, we have both the Buster and Stretch "Release" files, and the
associated GPG signatures.

While we are in the stretch folder, let's do the GPG verification:

$ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg \
    --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg \
    --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg \
    Release.gpg Release
gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
gpgv:                avec la clef RSA
126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Bonne signature de « Debian Archive Automatic Signing Key
(8/jessie) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
gpgv:                avec la clef RSA
16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Bonne signature de « Debian Archive Automatic Signing Key
(9/stretch) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 18 juil. 2020 12:56:21 CEST
gpgv:                avec la clef RSA
067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpgv:                issuer "debian-release@lists.debian.org"
gpgv: Bonne signature de « Debian Stable Release Key (9/stretch)
<debian-release@lists.debian.org> »

All is OK. Three public keys are used: Jessie Automatic, Stretch Automatic
and Stretch Stable. Everything seems good.

But, if I do the same with Buster, it fails!

$ cd ../buster
$ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg \
    --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg \
    --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg \
    Release.gpg Release
gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
gpgv:                avec la clef RSA
16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Bonne signature de « Debian Archive Automatic Signing Key
(9/stretch) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
gpgv:                avec la clef RSA
0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpgv: Bonne signature de « Debian Archive Automatic Signing Key
(10/buster) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
gpgv:                avec la clef RSA
067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpgv:                issuer "debian-release@lists.debian.org"
gpgv: Impossible de vérifier la signature : Pas de clef publique

The last key seems wrong. We have a good signature for Stretch Automatic
and Buster Automatic but not for Buster Stable. A quick look shows
that the missing key is in fact Stretch Stable, according to its fingerprint.

It succeeds if I change the command line to use the correct keyring.

$ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg \
    --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg \
    --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg \
    Release.gpg Release
gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
gpgv:                avec la clef RSA
16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Bonne signature de « Debian Archive Automatic Signing Key
(9/stretch) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
gpgv:                avec la clef RSA
0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpgv: Bonne signature de « Debian Archive Automatic Signing Key
(10/buster) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
gpgv:                avec la clef RSA
067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpgv:                issuer "debian-release@lists.debian.org"
gpgv: Bonne signature de « Debian Stable Release Key (9/stretch)
<debian-release@lists.debian.org> »

So my question is really simple: is it correct to sign the Buster archive
"Release" file with the Stretch Stable key? In my opinion, it should be
done with the Buster Stable key.

But, as I said at first, I may be missing something.

Anyway, thanks a lot for your great job!

Regards
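The runs above are read by eye from gpgv's localized messages, which is why the French output is hard to script against. As an added example (not from this thread and not Debian's own tooling), the Python below performs the same check over gpgv's locale-independent `--status-fd` lines: it records which key produced each signature on the Release file and reports any signature that could not be verified, which is exactly the "Pas de clef publique" case above. The key names and fingerprints are the ones quoted in the thread; the sample status lines are constructed to mirror the failing Buster run (timestamps derived from the dates shown), and `verify_release` assumes a local `gpgv` binary is installed.

```python
"""Check which Debian archive keys signed a Release file, from gpgv status output.

gpgv --status-fd 1 prints stable "[GNUPG:] KEYWORD ..." lines (documented in
GnuPG's doc/DETAILS) instead of translated messages, so a script can tell a
good signature from a missing key regardless of the system locale.
"""
import subprocess
from typing import Dict, List, Optional

# Fingerprints and key names as quoted in the thread.
KNOWN_KEYS: Dict[str, str] = {
    "126C0D24BD8A2942CC7DF8AC7638D0442B90D010": "Debian Archive Automatic Signing Key (8/jessie)",
    "16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC": "Debian Archive Automatic Signing Key (9/stretch)",
    "0146DC6D4A0B2914BDED34DB648ACFD622F3D138": "Debian Archive Automatic Signing Key (10/buster)",
    "067E3C456BAE240ACEE88F6FEF0F382A1A7B6500": "Debian Stable Release Key (9/stretch)",
}

# Keywords that open a new per-signature record, mapped to a status label.
PRIMARY = {"GOODSIG": "good", "BADSIG": "bad", "ERRSIG": "error",
           "EXPKEYSIG": "expired_key", "REVKEYSIG": "revoked_key"}

# Constructed status output mirroring the thread's failing Buster run: two good
# signatures (stretch/buster automatic keys) and one whose key is not in any
# supplied keyring (the stretch stable key, long key id = last 16 hex digits).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2020-08-01 1596279996 0 4 0 1 10 00 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 2020-08-01 1596279997 0 4 0 1 10 00 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG EF0F382A1A7B6500 1 10 00 1596280212 9 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
[GNUPG:] NO_PUBKEY EF0F382A1A7B6500
"""


def parse_gpgv_status(status_text: str) -> List[dict]:
    """Turn gpgv status lines into one record per signature on the file."""
    sigs: List[dict] = []
    cur: Optional[dict] = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw in PRIMARY:
            cur = {"keyid": fields[2], "fingerprint": None, "uid": None, "status": PRIMARY[kw]}
            if kw == "ERRSIG":
                # Newer GnuPG appends the full fingerprint as the 7th argument.
                if len(fields) > 8:
                    cur["fingerprint"] = fields[8]
            else:
                cur["uid"] = " ".join(fields[3:]) or None
            sigs.append(cur)
        elif cur is None:
            continue
        elif kw == "VALIDSIG":
            cur["fingerprint"] = fields[2]
        elif kw == "NO_PUBKEY":
            cur["status"] = "no_pubkey"
    return sigs


def key_name(sig: dict) -> str:
    """Resolve a signature to a known archive key name, else its uid or key id."""
    for fpr, name in KNOWN_KEYS.items():
        if fpr == sig["fingerprint"] or fpr.endswith(sig["keyid"]):
            return name
    return sig["uid"] or sig["keyid"]


def missing_keys(sigs: List[dict]) -> List[str]:
    """Names of signers whose signature did not verify as good."""
    return [key_name(s) for s in sigs if s["status"] != "good"]


def fully_verified(sigs: List[dict]) -> bool:
    """True only if at least one signature exists and every one is good."""
    return bool(sigs) and all(s["status"] == "good" for s in sigs)


def verify_release(release: str, sig: str, keyrings: List[str]) -> List[dict]:
    """Run a local gpgv (assumed installed) with --status-fd 1 and parse the result."""
    cmd = ["gpgv", "--status-fd", "1"]
    for kr in keyrings:
        cmd += ["--keyring", kr]
    cmd += [sig, release]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_gpgv_status(proc.stdout)


if __name__ == "__main__":
    parsed = parse_gpgv_status(SAMPLE_STATUS)
    for s in parsed:
        print(f"{s['status']:10} {key_name(s)}")
    print("all verified:", fully_verified(parsed), "missing:", missing_keys(parsed))
```

Treating any non-good signature as a failure is deliberate: apt requires every signature it sees on the Release file to match a trusted key, so a script that only counts good signatures would have reported the Buster run as fine.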


