
Bug#662948: apt: most recent upgrade corrupts /usr/share/keyrings/debian-archive-removed-keys.gpg



severity 662948 normal
tags 662948 unreproducible
thanks

Hi Christoph,

On Wed, Mar 7, 2012 at 14:54, Christoph Anton Mitterer
<calestyo@scientia.net> wrote:
> I reproduced this on 4 different sid machines...
> Every time I did
> 1) debsums -asc debian-archive-keyring
>   => all fine
> 2) upgrade apt
> 3) debsums -asc debian-archive-keyring
>   => /usr/share/keyrings/debian-archive-removed-keys.gpg "corrupted"
> 4) reinstalled debian-archive-keyring

I can't reproduce this here with your steps.
Also, gpg doesn't complain about MD5 for me.

Note also that we haven't made a change in 0.8.15.10 to apt-key.
The last changes were in 0.8.15.6 and 0.8.15.3, but both do not
really interact with the removed keyring.

The 'apt-key update' command is triggered in apt (and debian-archive-keyring)
postinst and works with this keyring, but it only does --list-keys on it -
which should be a read-only operation in gpg…

Does the file /etc/apt/trustdb.gpg exist on your system and have correct
permissions? (600 aka -rw-------) gpg seems to complain about it.

APT doesn't really need it as all keys in the trusted.gpg keyring(s) are
considered fully trusted, but gpg cries havoc if it isn't to its liking
(similar to a secret keyring, but we got rid of it in 0.8.15.3 with a bit
of tempfile trickery. For trustdb.gpg it is currently not an option though…).


> Marking this as critical, as it _could_ (though I don't believe it) be security relevant and as it modifies
> data from another package.

I have changed to 'normal' for now as I can't reproduce it and
as an RC bug it would prevent the migration of a security bugfix to
testing…


Best regards

David Kalnischkies
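
The two checks discussed in this message (the 600 mode on trustdb.gpg, and whether a supposedly read-only command leaves a keyring file untouched) can be scripted as below. This is an added example, not part of the original message or of apt; the helper names are hypothetical and the demo runs on a constructed temporary file.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not apt or debsums code.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if the file exists and its mode is exactly 600 (-rw-------).
has_mode_600() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "600" ]
}

# Print the SHA-256 of a file's content.
content_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# unchanged_after FILE CMD [ARGS...]
# Run CMD and succeed only if FILE has the same content hash afterwards.
# CMD's own exit status and output are deliberately ignored.
# On a real system CMD could be, as an assumption (not apt-key's exact call):
#   gpg --no-default-keyring --keyring FILE --list-keys
unchanged_after() {
    _target=$1; shift
    [ -f "$_target" ] || return 2
    _before=$(content_hash "$_target")
    "$@" >/dev/null 2>&1 || true
    [ -f "$_target" ] || return 1
    _after=$(content_hash "$_target")
    [ "$_before" = "$_after" ]
}

# Constructed demo on a throwaway file; nothing under /etc or /usr is touched.
demo() {
    _tmp=$(mktemp) || return 1
    printf 'constructed keyring stand-in\n' > "$_tmp"
    chmod 600 "$_tmp"
    has_mode_600 "$_tmp" && echo "mode 600: ok"
    unchanged_after "$_tmp" cat "$_tmp" && echo "reader: file unchanged"
    unchanged_after "$_tmp" sh -c 'echo x >> "$1"' sh "$_tmp" || echo "writer: file CHANGED"
    rm -f "$_tmp"
}
demo
```
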


