
Bug#844724: apt: Does not seem to support new GnuPG keybox keyring format



Control: retitle -1 apt: Please document keyring format requirements

Hi!

On Fri, 2016-11-18 at 14:16:12 +0100, Julian Andres Klode wrote:
> Control: severity -1 wishlist

> On Fri, Nov 18, 2016 at 01:58:18PM +0100, Guillem Jover wrote:
> > Package: apt
> > Version: 1.3.1
> > Severity: important

> The format we expect is the one generated by --export (standard concatenated
> key packets), not the one used for creating keyrings by importing things.
> 
> We require that key files can be concatenated, otherwise we would have
> to depend on gnupg to merge the key files for verification purposes.

Ah! Ok, makes sense, I'm happy to retract my request and change it
instead to just document the current keyring requirements. Stating
something like the above somewhere in apt would be enough for me, as
it seems other people have tripped over this already. I'm filing a
bug against debian-ports-archive-keyring for example.

On Sun, 2016-11-20 at 13:23:13 +0100, David Kalnischkies wrote:
> On Fri, Nov 18, 2016 at 01:58:18PM +0100, Guillem Jover wrote:
> > [ Setting as important as this is GnuPG default, but if you think this
> >   is a new feature or similar please just change it to wishlist. ]
> […]
> > It seems like apt (and its gpgv method) do not support the new GnuPG
> > keybox keyring format? Which is the one currently generated by default
> > with newer GnuPG versions. A simple session to demonstrate:
> 
> The (non)support of keybox was topic back then I worked on the gpg2 last
> year.  The problem is with the goals/limitations we have: We want to be
> gpgv only (Debian maintainer approves), a single --keyring should be
> passed to it (gpg has a hardcoded limit of 40 ATM and upstream talks
> about dropping that to 1 some day) and we want to support 'classic'
> (1.x) and 'modern' (2.x).
> 
> While talking with Daniel Kahn Gillmor about this he actually came up
> with the suggestion that we 'cat' the 'simple' keyring files together as
> those aren't going away, use that and ignore keybox. Also, back then
> gpgv{,2} wasn't supporting keybox and it was unclear if it would
> (manpage suggests now that it does – at least the modern variant).

> I acknowledge that this binary format stuff is annoying and hence
> I suggest something completely different: We try to abolish the binary
> formats in the external interface. I thought that would be hard, but
> I recently learned from Johannes Schauer/sbuild that there it is
> actually trivial to convert an armored key to the 'simple' keyring
> format (= the binary format we accept) with another of Daniel's shell
> tricks [0].
> 
> Beside the practical problems of implementing keybox support as an
> archive admin you can't use it anyhow until all your users have an apt
> version installed supporting it and even then you tend to wait for the
> last version without support reaching end-of-life (in your support view)
> to have an easier time, so effective usage is likely still years away…
> – enough time to invent keystash (= the future/better keybox) to restart
> the cycle… The *.asc usage will take just as long to reach critical
> mass, but I have some hope for that format to not be changed and
> text-based formats tend to be easier to work with for humans.

Ah right, this all looks very sound and it would probably be a very
good direction to take. So yeah, let's definitely ignore keybox here.

> I have a patch for this mostly done which I am going to merge if I don't
> hear people complain bigtime about it and would consider this report
> +wontfix then. Any comments?

Instead of wontfixing, as stated above, consider this as a simple
documentation request then. :)

Thanks,
Guillem
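The thread turns on the distinction between the GnuPG keybox format and the "simple" binary keyring (concatenated OpenPGP key packets, as written by `gpg --export`) that apt expects. The following is an added example, not code from the thread or from apt: a small checker that classifies a keyring file as ASCII-armored, keybox, or binary OpenPGP, and for the binary case walks the RFC 4880 packet headers to confirm the file is a well-formed concatenation and to count the primary public keys it carries. The keybox detection assumes the `KBXf` magic that GnuPG writes at offset 8 of the keybox header blob; the sample keyring bytes are constructed for the demonstration (their packet bodies are filler, not real key material) and only the packet framing is interpreted.

```python
"""Classify an apt keyring file and sanity-check the binary keyring layout.

Added example for the apt keyring-format discussion; not apt's own code.
"""
import sys

ARMOR_HEADER = b"-----BEGIN PGP "
KEYBOX_MAGIC = b"KBXf"      # assumption: GnuPG keybox header blob magic at offset 8
PUBLIC_KEY_TAG = 6          # RFC 4880 packet tag for a primary public key
PUBLIC_SUBKEY_TAG = 14      # RFC 4880 packet tag for a public subkey


def classify(data: bytes) -> str:
    """Return 'armored', 'keybox', 'binary-openpgp' or 'unknown'."""
    if data.startswith(ARMOR_HEADER):
        return "armored"
    if len(data) >= 12 and data[8:12] == KEYBOX_MAGIC:
        return "keybox"
    if data and data[0] & 0x80:          # every OpenPGP packet header sets bit 7
        return "binary-openpgp"
    return "unknown"


def packet_tags(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; raise ValueError on bad framing."""
    i, n = 0, len(data)
    while i < n:
        first = data[i]
        if not first & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if first & 0x40:                 # new-format header (bit 6 set)
            tag = first & 0x3F
            length_byte = data[i + 1]
            if length_byte < 192:
                body_len, hdr = length_byte, 2
            elif length_byte < 224:
                body_len = ((length_byte - 192) << 8) + data[i + 2] + 192
                hdr = 3
            elif length_byte == 255:
                body_len = int.from_bytes(data[i + 2:i + 6], "big")
                hdr = 6
            else:
                raise ValueError("partial-body length not expected in a keyring")
        else:                            # old-format header
            tag = (first >> 2) & 0x0F
            length_type = first & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length not allowed in a keyring")
            hdr = 1 + (1, 2, 4)[length_type]
            body_len = int.from_bytes(data[i + 1:i + hdr], "big")
        start, end = i + hdr, i + hdr + body_len
        if end > n:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, data[start:end]
        i = end


def count_primary_keys(data: bytes) -> int:
    """Number of primary public-key packets in a concatenated binary keyring."""
    return sum(1 for tag, _ in packet_tags(data) if tag == PUBLIC_KEY_TAG)


def is_simple_keyring(data: bytes) -> bool:
    """True if the bytes are the concatenated-packet layout apt accepts."""
    if classify(data) != "binary-openpgp":
        return False
    try:
        return count_primary_keys(data) >= 1
    except ValueError:
        return False


# Constructed samples (filler bodies, real packet framing only):
# old-format header byte = 0x80 | tag << 2 | length_type; 0x98 is tag 6 with a
# one-byte length, 0xB8 is tag 14; new-format 0xCD is tag 13 (user ID).
KEY_A = (bytes([0x98, 3]) + b"AAA"          # primary key
         + bytes([0xCD, 4]) + b"user"       # user ID
         + bytes([0xB8, 2]) + b"ss")        # subkey
KEY_B = bytes([0x98, 2]) + b"BB"            # a second exported key
CONCATENATED = KEY_A + KEY_B                # what `cat a.gpg b.gpg` would produce
KEYBOX_SAMPLE = bytes([0, 0, 0, 32, 1, 1, 0, 0]) + KEYBOX_MAGIC + bytes(20)
ARMORED_SAMPLE = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n"


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    kind = classify(blob)
    print(f"{sys.argv[1]}: {kind}")
    if kind == "binary-openpgp":
        print(f"  primary keys: {count_primary_keys(blob)}")
```

Run it as `python3 check_keyring.py /path/to/keyring.gpg`; a result of `keybox` on a file installed under apt's trusted keyring directory is exactly the situation the bug report describes, and the packet walk catches a file that merely starts with a plausible byte but is not a clean packet sequence.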