Package: apt
Version: 0.6.46.4
Severity: grave
Tags: d-i
All d-i installs are broken today, because a new version of
debian-archive-keyring exposed a bug in apt-key, causing it to remove
the wrong key during a debootstrap, leaving the system without the
current etch automatic signing key.
This illustrates the bug:
$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg --with-colons --list-keys | grep ^pub
pub:e:1024:1:6FFA8EF91DB114E0:2004-01-15:2005-01-27::-:Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>::sc:
pub:e:1024:17:F1D53D8C4F368D5D:2005-01-31:2006-01-31::-:Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>::sca:
pub:-:1024:17:E415B2B4B5F5BBED:2005-04-24:::-:Debian AMD64 Archive Key <debian-amd64@lists.debian.org>::scESC:
fjp@strider:~$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg --with-colons --list-keys | grep ^pub | cut -d: -f5
6FFA8EF91DB114E0
F1D53D8C4F368D5D
E415B2B4B5F5BBED
fjp@strider:~$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg --with-colons --list-keys| awk '/^pub/{FS=":";print $5}'
Key
F1D53D8C4F368D5D
E415B2B4B5F5BBED
The last command, with awk, is what apt-key does, and note that it does
not output the right thing. Apparently the FS setting only takes effect after
the first match, so awk outputs the 5th _word_ the first time, which happens
to be "key".
I haven't fully analysed how this causes apt-key to remove the wrong thing
from the keyring, but it apparently does.
--
see shy jo
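The awk behaviour shown in the report, reproduced offline next to two ways of setting the separator before the first record is split. This is an added example, not part of the original report and not apt-key's code. The function names, the "sub" record and the key ID format check are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the three "pub" records quoted in the report, plus a
# made-up "sub" record (placeholder key ID) to show the /^pub/ filter at work.
sample_listing() {
cat <<'EOF'
pub:e:1024:1:6FFA8EF91DB114E0:2004-01-15:2005-01-27::-:Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>::sc:
sub:e:1024:16:0000000000000000:2004-01-15::::::e:
pub:e:1024:17:F1D53D8C4F368D5D:2005-01-31:2006-01-31::-:Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>::sca:
pub:-:1024:17:E415B2B4B5F5BBED:2005-04-24:::-:Debian AMD64 Archive Key <debian-amd64@lists.debian.org>::scESC:
EOF
}

# Form quoted in the report: FS is assigned inside the action, after the
# first record has already been split on whitespace, so $5 is a word.
keyids_buggy() { sample_listing | awk '/^pub/{FS=":";print $5}'; }

# Separator set on the command line, before any record is read.
keyids_dash_f() { sample_listing | awk -F: '/^pub/{print $5}'; }

# Separator set in a BEGIN block, which also runs before the first record.
keyids_begin() { sample_listing | awk 'BEGIN{FS=":"} /^pub/{print $5}'; }

# Assumed guard: succeed only if every line on stdin is a 16-digit hex key ID.
# A caller can run this before acting on the list (for example before
# deleting keys), so a stray word like the one above is rejected.
all_valid_keyids() { ! grep -Eqv '^[0-9A-F]{16}$'; }

echo "in-action FS:"; keyids_buggy
echo "-F: option:";   keyids_dash_f
echo "BEGIN block:";  keyids_begin
if keyids_buggy | all_valid_keyids; then
    echo "in-action output passed validation"
else
    echo "in-action output rejected: not all lines are key IDs"
fi
```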