Your message dated Tue, 28 Feb 2017 19:44:11 +0100
with message-id <20170228184411.atfqsyyeryduywct@crossbow>
and subject line Re: Bug#856408: apt: Signed-By does nothing
has caused the Debian Bug report #856408,
regarding apt: Signed-By does nothing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
856408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856408
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Signed-By does nothing
- From: micah <micah@riseup.net>
- Date: Tue, 28 Feb 2017 12:10:30 -0500
- Message-id: <148830183003.22127.17578683418434143805.reportbug@riseup.net>

Package: apt
Version: 1.4~rc2
Severity: important

Hello,

I found the Signed-By option in sources.list(5) and thought this would
be useful to try. I set it up with a fingerprint of the key that signed
a repository. I then did an 'apt update' (or 'apt-get update', I tried
both) and things went well.

Then I decided to try and flip some bits in the fingerprint and see what
happened. Turns out that nothing happens, apt proceeded without any
complaint whatsoever. :(

The documentation reads:

    If the option is set, only the key(s) in this keyring or only the
    keys with these fingerprints are used for the apt-secure(8)
    verification of this repository.

I also attempted a package installation and that didn't complain either.

This is the format I used:

    deb http://deb.leap.se/debian sid main Signed-By: 2f483BbCE87BEE2F7DFE99661E34A1828E203901

(the key fingerprint there is incorrect).

micah

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv                    2.1.18-6
ii  init-system-helpers     1.47
ii  libapt-pkg5.0           1.4~rc2
ii  libc6                   2.24-9
ii  libgcc1                 1:6.3.0-8
ii  libstdc++6              6.3.0-8

Versions of packages apt recommends:
ii  gnupg   2.1.18-6
ii  gnupg1  1.4.21-3
ii  gnupg2  2.1.18-6

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.5-1
ii  dpkg-dev        1.18.22
ii  powermgmt-base  1.31+nmu1
ii  python-apt      1.4.0~beta2

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: micah <micah@riseup.net>, 856408-done@bugs.debian.org
- Subject: Re: Bug#856408: apt: Signed-By does nothing
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Tue, 28 Feb 2017 19:44:11 +0100
- Message-id: <20170228184411.atfqsyyeryduywct@crossbow>
- In-reply-to: <148830183003.22127.17578683418434143805.reportbug@riseup.net>
- References: <148830183003.22127.17578683418434143805.reportbug@riseup.net>

On Tue, Feb 28, 2017 at 12:10:30PM -0500, micah wrote:
> This is the format I used:
>
> deb http://deb.leap.se/debian sid main Signed-By: 2f483BbCE87BEE2F7DFE99661E34A1828E203901
>
> (the key fingerprint there is incorrect).

That is completely invalid syntax and I am a bit surprised apt isn't
exploding due to it… then again it's probably thinking those would be
components and can't find them in the Release file.

Anyway: The documentation is trying to tell you that two different
formats for the definition of sources exist nowadays and you are trying
to mix them… not going to work.

    deb [signed-by=2f483BbCE87BEE2F7DFE99661E34A1828E203901] http://deb.leap.se/debian sid main

should (not) work as valid one-line-style.

In your sources.list it will be better to use a keyring file though
(your repository ships with one, right?) so that you can change keys
without breaking user setups. In the Release file option with the same
name (which would also have that deb822 syntax you were trying) you can
obviously only mention fingerprints – but the option is in that case
limited to the validness of the old Release file, so it's a tiny bit
easier to recover from mistakes here.

Best regards

David Kalnischkies
--- End Message ---
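
Added example, not part of the original thread or of apt: a small Python linter for one-line-style sources.list entries that flags the mistake discussed above (a deb822 `Signed-By:` field appended to a one-line entry) and checks the syntax of a bracketed `signed-by=` option. The function name and finding texts are hypothetical, the 40-hex-digit fingerprint pattern is an assumption, and the two sample lines are the ones quoted in the thread.

```python
import re

# Assumption: a fingerprint is 40 hex digits (OpenPGP v4); several may be comma-separated.
FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")
# One-line style: deb [ opt=value ... ] uri suite [component ...]
ENTRY = re.compile(r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<rest>\S.*)$")

# The two entries quoted in the thread (the fingerprint is the reporter's altered one).
REPORTED = ("deb http://deb.leap.se/debian sid main "
            "Signed-By: 2f483BbCE87BEE2F7DFE99661E34A1828E203901")
CORRECTED = ("deb [signed-by=2f483BbCE87BEE2F7DFE99661E34A1828E203901] "
             "http://deb.leap.se/debian sid main")

def lint_one_line(line):
    """Return a list of findings for one sources.list one-line-style entry."""
    line = line.split("#", 1)[0].strip()          # '#' starts a comment
    if not line:
        return []
    m = ENTRY.match(line)
    if m is None:
        return ["not a one-line-style deb/deb-src entry"]
    findings = []
    tokens = m.group("rest").split()              # uri, suite, components...
    if len(tokens) < 2:
        findings.append("entry needs at least a URI and a suite")
    for tok in tokens[2:]:
        if tok.endswith(":"):                     # looks like a deb822 field name
            findings.append(f"deb822 field {tok!r} after the suite is parsed "
                            "as a component, not an option")
    opts = dict(o.partition("=")[::2] for o in (m.group("opts") or "").split())
    if "signed-by" not in opts:
        findings.append("no signed-by option: verification is not restricted "
                        "to a specific key")
        return findings
    value = opts["signed-by"]
    if value.startswith("/"):                     # absolute path to a keyring file
        return findings
    for fpr in value.split(","):
        if not FINGERPRINT.match(fpr):
            findings.append(f"signed-by value {fpr!r} is neither an absolute "
                            "keyring path nor a 40-hex fingerprint")
    return findings

if __name__ == "__main__":
    for entry in (REPORTED, CORRECTED):
        print(entry, "->", lint_one_line(entry) or "ok")
```

The linter checks syntax only; whether the pinned fingerprint actually matches the repository's signing key is still decided by apt at `apt update` time.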