Bug#844724: apt: Does not seem to support new GnuPG keybox keyring format
Package: apt
Version: 1.3.1
Severity: important
[ Setting as important as this is GnuPG default, but if you think this
is a new feature or similar please just change it to wishlist. ]
Hi!
It seems like apt (and its gpgv method) do not support the new GnuPG
keybox keyring format, which is the one currently generated by default
with newer GnuPG versions. A simple session to demonstrate:
,--- (line-wrapped for easier readability) ---
# cd /etc/apt/trusted.gpg.d
# file debian-archive-jessie-automatic.gpg
debian-archive-jessie-automatic.gpg: GPG key public ring,
created Fri Nov 21 21:01:13 2014
# mv debian-archive-jessie-automatic.gpg ~
# gpg --no-default-keyring --no-options --no-auto-check-trustdb \
--keyring ./debian-archive-jessie-automatic.gpg --import \
<~/debian-archive-jessie-automatic.gpg
gpg: keybox './debian-archive-jessie-automatic.gpg' created
gpg: key 7638D0442B90D010: public key "Debian Archive Automatic Signing
Key (8/jessie) <ftpmaster@debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
# file debian-archive-jessie-automatic.gpg
debian-archive-jessie-automatic.gpg: GPG keybox database version 1,
created-at Fri Nov 18 12:50:26 2016,
last-maintained Fri Nov 18 12:50:26 2016
# apt update
Hit:1 https://cdn-aws.deb.debian.org/debian unstable InRelease
Err:1 https://cdn-aws.deb.debian.org/debian unstable InRelease
The following signatures couldn't be verified because the public key is
not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Reading package lists... Done
Building dependency tree
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: An error occurred during the signature verification.
The repository is not updated and the previous index files will be used.
GPG error: https://cdn-aws.deb.debian.org/debian unstable InRelease:
The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Failed to fetch https://deb.debian.org/debian/dists/unstable/InRelease
The following signatures couldn't be verified because the public key is
not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Some index files failed to download. They have been ignored, or
old ones used instead.
`---
Although I've trimmed it down here, it seems like one single
keybox-formatted keyring makes the whole verification fail for all other
keyrings.
Thanks,
Guillem
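
To find which files in a trusted keyring directory are in the keybox format described in this report, the shell functions below classify each file by its leading bytes. This is an added example, not part of the original report or of apt; the function names are hypothetical, and it assumes the keybox magic "KBXf" at byte offset 8, the signature file(1) matches for "GPG keybox database".

```shell
#!/bin/sh
# Added example: classify apt keyring files by their leading bytes.
# Function names are hypothetical; nothing here is apt's or GnuPG's own code.

# Print bytes [skip, skip+count) of a file as lowercase hex without spaces.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the container format of one keyring file:
#   keybox   GnuPG keybox database (assumed magic "KBXf" at offset 8)
#   armored  ASCII-armored data (starts with five dashes)
#   openpgp  binary OpenPGP keyring (first packet is a public-key packet)
#   unknown  anything else, including empty files
keyring_format() {
    if [ "$(hex_at "$1" 8 4)" = "4b425866" ]; then
        echo keybox
        return 0
    fi
    case "$(hex_at "$1" 0 5)" in
        2d2d2d2d2d) echo armored ;;
        # 0x98/0x99/0x9a: old-format packet tag 6; 0xc6: new-format tag 6
        98*|99*|9a*|c6*) echo openpgp ;;
        *) echo unknown ;;
    esac
}

# Print every *.gpg file in a directory that is a keybox database.
list_keybox_keyrings() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    for f in "$dir"/*.gpg; do
        [ -f "$f" ] || continue
        if [ "$(keyring_format "$f")" = keybox ]; then
            echo "$f"
        fi
    done
    return 0
}

# Scan the directory given as the first argument, or the default one.
list_keybox_keyrings "${1:-/etc/apt/trusted.gpg.d}"
```

Any path this prints is a candidate for the failure shown in the session above.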