Bug#558784: apt: re-adds removed keys
Package: apt
Severity: serious
Version: 0.7.24
Justification: overwrites local configuration changes
I have removed some keys from my apt keyring, but it seems like apt
always re-adds them when configuring:
shashlik# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/6070D3A1 2006-11-20 [expired: 2009-07-01]
uid Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>
pub 1024D/ADB11277 2006-09-17
uid Etch Stable Release Key <debian-release@lists.debian.org>
[...]
shashlik# apt-key remove ADB11277
OK
shashlik# apt-key update
gpg: key 6070D3A1: "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>" not changed
gpg: key ADB11277: public key "Etch Stable Release Key <debian-release@lists.debian.org>" imported
gpg: key BBE55AB3: "Debian-Volatile Archive Automatic Signing Key (4.0/etch)" not changed
gpg: key F42584E6: "Lenny Stable Release Key <debian-release@lists.debian.org>" not changed
gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
gpg: key 6D849617: "Debian-Volatile Archive Automatic Signing Key (5.0/lenny)" not changed
gpg: Total number processed: 6
gpg: imported: 1
gpg: unchanged: 5
gpg: no ultimately trusted keys found
shashlik# apt-key list
/etc/apt/trusted.gpg
--------------------
[...]
pub 1024D/ADB11277 2006-09-17
uid Etch Stable Release Key <debian-release@lists.debian.org>
shashlik#
from apt.postinst:
case "$1" in
configure)
if ! test -f /etc/apt/trusted.gpg; then
cp /usr/share/apt/debian-archive.gpg /etc/apt/trusted.gpg
fi
apt-key update
;;
so it is actually a double policy violation: removing
/etc/apt/trusted.gpg is a perfectly legal configuration change that apt
must not override. Ditto, removing a key is a perfectly legal
configuration change that apt must not override in its postinst.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Reply to: