Hi David,
Thanks for your elaborate and helpful comments. You've nailed it. See below.
On Thu, Aug 25, 2016 at 10:27:47AM +0200, David Kalnischkies wrote:
> On Sun, Aug 21, 2016 at 10:07:47AM +0200, Joost van Baal-Ilić wrote:
> > Get:1 http://ftp.nl.debian.org/debian sid InRelease [209 kB]
> > 0% [Working]inside VerifyGetSigners
> > 0% [1 InRelease gpgv 209 kB]Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.7pzp9M
> > /tmp/apt.data.WiZ9eV
> > gpgv exited with status 1
> > Summary:
> > Good:
> > Bad:
> > Worthless:
> > SoonWorthless:
> > NoPubKey:
> > NODATA: no
> > Err:1 http://ftp.nl.debian.org/debian sid InRelease
> > At least one invalid signature was encountered.
>
> The error message is a reaction to the debug message "gpgv exited with
> status 1" as it is supposed to do that only if it encounters a bad sig.
>
> Now, that debug message is kind of a lie as it isn't gpgv which exits
> 1 here, but the wrapping construct apt-key. That can be deduced from
> the summary being empty, so we fail before even calling apt-key.
>
> A common reason for this in recent times is actually a strange /tmp
> directory with misconfigured owner/permissions setup. The reason is
> that apt-key isn't executed with root permissions (and hence allowed to
> do basically everything), but as _apt which isn't privileged and
> therefore affected by owner/permission.
>
> I just experimented a bit and while 'apt-key list' just ignores
> unreadable files, other apt-key operations including verify fail if
> a file in /etc/apt/trusted.gpg.d/ is unreadable for the _apt user, so
> that could be it, too (and would explain Timos "fix").
>
>
> So, perhaps you can redo your tests, but as _apt e.g. with:
> su _apt -s /bin/sh -c 'apt-key list'
This system has:
/etc/passwd:
_apt:x:102:65534::/nonexistent:/bin/false
/etc/group:
nogroup:x:65534:
and, as it's supposed to be:
drwxrwxrwt 4 root root 4096 авг 21 08:44 /tmp/
but also:
(sid)root@janacopoulos:~# find /etc/apt/trusted.gpg.d -ls
4718724 4 drwxr-xr-x 2 root root 4096 авг 21 07:20 /etc/apt/trusted.gpg.d
4718743 16 -rw------- 1 root root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/trustdb.gpg
4718745 16 -rw------- 1 root root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/multistrap.gpg
4938951 4 -rw-r--r-- 1 root root 4084 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
4939151 4 -rw-r--r-- 1 root root 2853 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
4939152 4 -rw-r--r-- 1 root root 3780 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
4939153 4 -rw-r--r-- 1 root root 2851 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
4720919 8 -rw-r--r-- 1 root root 5138 нов 30 2014 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
4720928 8 -rw-r--r-- 1 root root 5147 нов 30 2014 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
4720924 4 -rw-r--r-- 1 root root 2775 нов 30 2014 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
It still gives
(sid)root@janacopoulos:~# apt update
Hit:1 http://ftp.nl.debian.org/debian sid InRelease
Err:1 http://ftp.nl.debian.org/debian sid InRelease
At least one invalid signature was encountered.
Reading package lists... Done
Building dependency tree
Reading state information... Done
104 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.nl.debian.org/debian sid InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://httpredir.debian.org/debian/dists/sid/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.
And running
su _apt -s /bin/sh -c 'apt-key list'
gives
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub 4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
Key fingerprint = 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
uid Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub 4096R/C857C906 2014-11-21 [expires: 2022-11-19]
Key fingerprint = D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub 4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
Key fingerprint = 75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1
uid Jessie Stable Release Key <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-release@lists.debian.org>
NB: this does not give any error or warning message.
Now, running
(sid)root@janacopoulos:~# chown _apt /etc/apt/trusted.gpg.d/trustdb.gpg /etc/apt/trusted.gpg.d/multistrap.gpg
(sid)root@janacopoulos:~# chmod g+r /etc/apt/trusted.gpg.d/trustdb.gpg /etc/apt/trusted.gpg.d/multistrap.gpg
gives
4718743 16 -rw-r----- 1 _apt root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/trustdb.gpg
4718745 16 -rw-r----- 1 _apt root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/multistrap.gpg
and a fixed:
(sid)root@janacopoulos:~# apt update
Get:1 http://ftp.nl.debian.org/debian sid InRelease [209 kB]
Get:2 http://ftp.nl.debian.org/debian sid/main amd64 Packages.diff/Index [27,9 kB]
Get:3 http://ftp.nl.debian.org/debian sid/main Translation-en.diff/Index [27,9 kB]
Get:4 http://ftp.nl.debian.org/debian sid/main amd64 Packages 2016-08-21-0903.33.pdiff [4157 B]
Get:5 http://ftp.nl.debian.org/debian sid/main amd64 Packages 2016-08-21-1517.48.pdiff [8986 B]
[...]
Get:34 http://ftp.nl.debian.org/debian sid/main Translation-en 2016-08-25-0317.44.pdiff [288 B]
Get:34 http://ftp.nl.debian.org/debian sid/main Translation-en 2016-08-25-0317.44.pdiff [288 B]
Fetched 522 kB in 2s (174 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
104 packages can be upgraded. Run 'apt list --upgradable' to see them.
(And running
(sid)root@janacopoulos:~# su _apt -s /bin/sh -c 'apt-key list'
gives
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub 4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
Key fingerprint = 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
uid Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub 4096R/C857C906 2014-11-21 [expires: 2022-11-19]
Key fingerprint = D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub 4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
Key fingerprint = 75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1
uid Jessie Stable Release Key <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/multistrap.gpg
-------------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-release@lists.debian.org>
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-release@lists.debian.org>
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/trustdb.gpg
----------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-release@lists.debian.org>
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-release@lists.debian.org>
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
(The previously silently ignored multistrap keys are now shown too.)
)
Perhaps a note on these more strict requirements on ownership/permissions of
keys in /etc/apt/trusted.gpg.d/ could be added to apt's NEWS.Debian?
Thanks a lot again, Bye,
Joost
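
The failure in this thread came from keyring files that the unprivileged `_apt` account could not read. As an added example (not part of the original message, and not apt's own code), the following script lists such files from owner and mode bits alone; the function names `unreadable_keyrings` and `make_sample_dir` are hypothetical, the sample directory is constructed, and group membership is assumed not to help the account.

```shell
#!/bin/sh
# Added example (not from the thread): list keyring files that an unprivileged
# verifier account cannot open, judged from owner and mode bits alone.

# unreadable_keyrings DIR [USER]
# Prints each regular file directly in DIR that USER (default: _apt) cannot
# read. Assumption: USER gains nothing from group membership (the post shows
# _apt in nogroup only), so only the owner-read and world-read bits count.
unreadable_keyrings() {
    dir=$1
    user=${2:-_apt}
    # "! -perm -004" selects files whose world-read bit is missing.
    find "$dir" -maxdepth 1 -type f ! -perm -004 | sort |
    while IFS= read -r f; do
        # ls -ld fields: $1 = mode string, $3 = owner name.
        if ls -ld "$f" | awk -v u="$user" \
            '{ exit !($3 == u && substr($1, 2, 1) == "r") }'; then
            continue    # owned by USER with owner-read set: readable
        fi
        printf '%s\n' "$f"
    done
}

# make_sample_dir: constructed stand-in for /etc/apt/trusted.gpg.d using the
# modes from the listing in the post (two 0600 files, one 0644 file).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/trustdb.gpg";    chmod 600 "$d/trustdb.gpg"
    : > "$d/multistrap.gpg"; chmod 600 "$d/multistrap.gpg"
    : > "$d/debian-archive-jessie-stable.gpg"
    chmod 644 "$d/debian-archive-jessie-stable.gpg"
    printf '%s\n' "$d"
}

# Demo on the constructed directory; pass a real directory as $1 to audit it.
target=${1:-$(make_sample_dir)}
echo "Not readable by _apt in $target:"
unreadable_keyrings "$target" _apt
[ "$#" -gt 0 ] || rm -rf "$target"    # remove only the constructed sample
```

Run as root with `/etc/apt/trusted.gpg.d` as the argument to audit a real system; an empty list means every keyring there is readable by `_apt` under the stated assumption.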