Bug#578540: APT::Authentication::TrustCDROM "false"; is not working

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#578540: APT::Authentication::TrustCDROM "false"; is not working
From: Andreas Miller <andreas.miller@sec-xtreme.com>
Date: Tue, 20 Apr 2010 19:15:39 +0200
Message-id: <[🔎] 20100420171539.3312.67439.reportbug@ersatznb>
Reply-to: Andreas Miller <andreas.miller@sec-xtreme.com>, 578540@bugs.debian.org

Package: apt
Version: 0.7.20.2+lenny1
Severity: normal

Hello,

when I set APT::Authentication::TrustCDROM "false"; I can import the original cdrom with apt-cdrom add.

If I try to import a signed CD-ROM I get the following error:

# apt-cdrom add
Using CD-ROM mount point /cdrom/
Unmounting CD-ROM
Waiting for disc...
Please insert a Disc in the drive and press enter
Mounting CD-ROM...
Identifying.. [2b17ce42747853c1d4d0119cebd5d574-2]
Scanning disc for index files..
Found 1 package indexes, 0 source indexes, 0 translation indexes and 1 signatures
Found label 'Debian GNU/Linux 5.0.4 _Lenny_ - Official i386 CD Binary-1 20100131-18:53'
This disc is called:
'Debian GNU/Linux 5.0.4 _Lenny_ - Official i386 CD Binary-1 20100131-18:53'
Copying package lists...gpgv: Signature made Tue 20 Apr 2010 06:17:29 PM CEST using RSA key ID E0E2DBA4
gpgv: Can't check signature: public key not found
E: Sub-process gpgv returned an error code (2)
W: Signature verification failed for: /cdrom/dists/lenny/Release.gpg

I have to unmount the cdrom now.
Blocking is the correct behaviour, but I have to unmount manual.

# umount /media/cdrom0

Then I import the signing key used to sign the CD-ROM into the keyring of the trusted repositories i.e. /etc/apt/trusted.gpg

# gpg -a --export 548ED131 | apt-key add -

# apt-cdrom add
Using CD-ROM mount point /cdrom/
Unmounting CD-ROM
Waiting for disc...
Please insert a Disc in the drive and press enter
Mounting CD-ROM...
Identifying.. [2b17ce42747853c1d4d0119cebd5d574-2]
Scanning disc for index files..
Found 1 package indexes, 0 source indexes, 0 translation indexes and 1 signatures
Found label 'Debian GNU/Linux 5.0.4 _Lenny_ - Official i386 CD Binary-1 20100131-18:53'
This disc is called:
'Debian GNU/Linux 5.0.4 _Lenny_ - Official i386 CD Binary-1 20100131-18:53'
Copying package lists...gpgv: Signature made Tue 20 Apr 2010 06:17:29 PM CEST using RSA key ID 548ED131
gpgv: Good signature from "secXtreme GmbH Debian Archive Signing Key (2009) <debsign@sec-xtreme.com>"
Reading Package Indexes... Done
Writing new source list
Source list entries for this disc are:
deb cdrom:[Debian GNU/Linux 5.0.4 _Lenny_ - Official i386 CD Binary-1 20100131-18:53]/ lenny main
Unmounting CD-ROM...
Repeat this process for the rest of the CDs in your set.

If I import an unsigned CD-ROM it is always imported.
Why does apt-cdrom not prevent the import of an unsigned CD-ROMs?

Regards
Andreas

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Acquire "";
APT::Acquire::Translation "environment";
APT::Authentication "";
APT::Authentication::TrustCDROM "false";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^linux-image.*";
APT::NeverAutoRemove:: "^linux-restricted-modules.*";
APT::Cache-Limit "100000000";
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Update "";
APT::Update::Post-Invoke-Success "";
APT::Update::Post-Invoke-Success:::: "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";
APT::Archives "";
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Acquire "";
Acquire::Pdiffs "false";
Acquire::ForceHash "sha256";
Unattended-Upgrade "";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "Debian stable";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "if [ -d /var/lib/update-notifier ]; then  touch /var/lib/update-notifier/dpkg-run-stamp; fi";

-- (no /etc/apt/preferences present) --


-- /etc/apt/sources.list --

deb cdrom:[Debian GNU/Linux 5.0.4 _Lenny_ - Official i386 CD Binary-1 20100131-18:53]/ lenny main
deb http://security.debian.org/ lenny/updates main non-free
deb http://ftp.de.debian.org/debian/ lenny main non-free contrib
#deb http://ftp.de.debian.org/debian/ testing main non-free contrib
#deb http://ftp.de.debian.org/debian/ experimental main non-free contrib
deb-src http://ftp.de.debian.org/debian/ lenny main

deb-src http://security.debian.org/ lenny/updates main

deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main









-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring      2009.01.31   GnuPG archive keys of the Debian a
ii  libc6                       2.7-18lenny2 GNU C Library: Shared libraries
ii  libgcc1                     1:4.3.2-1.1  GCC support library
ii  libstdc++6                  4.3.2-1.1    The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc               <none>             (no description available)
ii  aptitude              0.4.11.11-1~lenny1 terminal-based package manager
ii  bzip2                 1.0.5-1            high-quality block-sorting file co
ii  dpkg-dev              1.14.29            Debian package development tools
ii  lzma                  4.43-14            Compression method of 7z format in
ii  python-apt            0.7.7.1+nmu1       Python interface to libapt-pkg
ii  synaptic              0.62.1+nmu1        Graphical package manager

-- no debconf information

Reply to:

Prev by Date: Bug#578514: apt: fails to upgrade a single package without explicit version specification
Next by Date: --ebay--20
Previous by thread: Bug#578514: marked as done (apt: fails to upgrade a single package without explicit version specification)
Next by thread: --ebay--20
Index(es):
- Date
- Thread