
Bug#345823: apt multiple sig behavior



FWIW, apt's behavior with Release files with multiple signatures is the
same as gpgv's:

joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>"
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"

now if I remove the old key:

joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Can't check signature: public key not found
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
zsh: exit 2     gpgv --keyring ~/trusted.gpg Release.gpg Release

So multiply signed Release files will also break d-i, which uses gpg
as above.

debootstrap, which also uses gpgv, parses the output of its --status-fd
option, and will succeed as long as one signature is valid.

I'm working on making d-i use the same technique as debootstrap now.

-- 
see shy jo
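Added example (not Joey's code and not debootstrap's or d-i's actual implementation): a small Python parser for the machine-readable lines gpgv emits on its --status-fd, applying the "succeed as long as one signature is valid" policy described above. The key IDs, fingerprint and timestamps in the sample status lines are constructed to mirror the scenario in the mail (one signer's key missing from the keyring, one good); the optional `strict` mode that also refuses any BADSIG is my own addition, not something the post or debootstrap is stated to do.

```python
"""Decide whether a multiply-signed Release file is acceptable by parsing
gpgv --status-fd output instead of relying on gpgv's exit code, which is
non-zero as soon as any one signature cannot be checked."""
import re
import subprocess
from collections import defaultdict

# Status lines look like "[GNUPG:] KEYWORD arg1 arg2 ..."; anything else
# (e.g. "gpgv: Signature made ..." if stderr got merged in) is ignored.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Return {keyword: [argument lists]} for every status line seen."""
    events = defaultdict(list)
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "")
        events[keyword].append(args.split())
    return events


def good_keys(events):
    # GOODSIG <long key id> <user id>: signature verified with a keyring key
    return {a[0] for a in events.get("GOODSIG", []) if a}


def bad_keys(events):
    # BADSIG <long key id> <user id>: keyring key, but the signature is wrong
    return {a[0] for a in events.get("BADSIG", []) if a}


def missing_keys(events):
    # NO_PUBKEY <long key id>: signer not in the keyring, cannot be checked
    return {a[0] for a in events.get("NO_PUBKEY", []) if a}


def release_ok(status_text, strict=False):
    """At least one GOODSIG from the trusted keyring is required; NO_PUBKEY
    for additional signers is tolerated (the debootstrap behaviour the post
    describes).  strict=True additionally rejects any BADSIG, on the view
    that a wrong signature from a key we do trust deserves investigation."""
    events = parse_status(status_text)
    if not good_keys(events):
        return False
    if strict and bad_keys(events):
        return False
    return True


def run_gpgv(keyring, sigfile, datafile):
    """Run gpgv with status output on stdout and return that text; the exit
    code is deliberately ignored so release_ok() can apply the policy."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sigfile, datafile],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False)
    return proc.stdout.decode("utf-8", "replace")


# Constructed sample status output: key ...4F368D5D removed from the keyring,
# key ...2D230C5F still present.  IDs, fingerprint and timestamps are made up.
FPR_2006 = "0" * 24 + "000000002D230C5F"
SAMPLE_ONE_MISSING = f"""\
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
[GNUPG:] ERRSIG 000000004F368D5D 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 000000004F368D5D
[GNUPG:] GOODSIG 000000002D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG {FPR_2006} 2006-01-03 1136323245 0 4 0 17 2 00 {FPR_2006}
"""

# Constructed: both keys unknown, so nothing can be trusted.
SAMPLE_NONE_GOOD = """\
[GNUPG:] ERRSIG 000000004F368D5D 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 000000004F368D5D
[GNUPG:] ERRSIG 000000002D230C5F 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 000000002D230C5F
"""

# Constructed: one good signature plus a bad one from a trusted key.
SAMPLE_ONE_BAD = f"""\
[GNUPG:] BADSIG 000000004F368D5D Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
[GNUPG:] GOODSIG 000000002D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG {FPR_2006} 2006-01-03 1136323245 0 4 0 17 2 00 {FPR_2006}
"""

if __name__ == "__main__":
    for name, sample in [("one key missing", SAMPLE_ONE_MISSING),
                         ("no good key", SAMPLE_NONE_GOOD),
                         ("one bad sig", SAMPLE_ONE_BAD)]:
        print(f"{name}: lenient={release_ok(sample)} strict={release_ok(sample, strict=True)}")
```

In real use, `run_gpgv(keyring, "Release.gpg", "Release")` feeds `release_ok()`; the point is that the decision is made on the GOODSIG/NO_PUBKEY/BADSIG lines rather than on gpgv's exit status, which is what makes a Release file signed by both the old and the new archive key acceptable to a keyring holding only one of them.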
