Bug#757534: apt: use --require-valid-signature option to dpkg-source for "apt-get source" by default
package: src:apt
severity: important
version: 1.0.6
tags: security
"apt-get source" currently shows messages about invalid signatures,
but goes on to extract the source anyway, and the error text is kind
of easy to miss as well.
A more secure default would be to use the --require-valid-signature
option to dpkg-source.
Note that changes here may lead to a lot of ftbfs bugs for packages
with bad sigs, but that's a good thing. Those need a new sig anyway.
Example output for a package with an invalid signature (note the easy-to-miss gpgv messages):
$ apt-get source debian-archive-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
Skipping already downloaded file 'debian-archive-keyring_2012.4.dsc'
Skipping already downloaded file 'debian-archive-keyring_2012.4.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./debian-archive-keyring_2012.4.dsc
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4
dpkg-source: info: unpacking debian-archive-keyring_2012.4.tar.gz
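As an added illustration (not part of this report, and not apt's or dpkg's own code), the following sh script shows the workaround a user can apply today: download the source with apt-get but leave the unpack to dpkg-source with --require-valid-signature, so an unverifiable .dsc is a hard failure rather than a warning. It also includes a small check that flags the gpgv and dpkg-source messages quoted above in captured output; the function names and the sample log are constructed for this example.

```shell
#!/bin/sh
# Example script: verify-then-extract workflow for apt-get source.
# Names (safe_extract, fetch_and_verify, log_has_sig_failure) are
# chosen for this example; they are not apt or dpkg interfaces.

# Extract a .dsc only if its OpenPGP signature verifies against the
# keyrings dpkg-source trusts. --require-valid-signature turns the
# "failed to verify signature" warning into a non-zero exit.
safe_extract() {
    dpkg-source --require-valid-signature -x "$1"
}

# Download only (no unpack), then extract each .dsc via safe_extract.
# A signature that cannot be verified stops the unpack entirely.
fetch_and_verify() {
    pkg="$1"
    apt-get source --download-only "$pkg" || return 1
    for dsc in ./"$pkg"_*.dsc; do
        [ -e "$dsc" ] || { echo "no .dsc found for $pkg" >&2; return 1; }
        safe_extract "$dsc" || {
            echo "refusing to unpack $dsc: signature did not verify" >&2
            return 1
        }
    done
}

# Scan captured apt-get/dpkg-source output (file given as $1) for the
# signature messages that are easy to miss. Exit 0 = problem reported,
# non-zero = no verification failure found in the log.
log_has_sig_failure() {
    grep -Eq "gpgv: (Can't check signature|BAD signature)|dpkg-source: warning: failed to verify signature" "$1"
}

# Constructed sample log mirroring the output quoted in the report.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./debian-archive-keyring_2012.4.dsc
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4
EOF

if log_has_sig_failure "$SAMPLE_LOG"; then
    echo "signature verification failed in captured output"
else
    echo "no signature problems reported"
fi
```

Run fetch_and_verify with a package name on a Debian system to use the verify-then-extract flow; the log scan runs offline against the embedded sample.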