
Bug#856408: marked as done (apt: Signed-By does nothing)



Your message dated Tue, 28 Feb 2017 19:44:11 +0100
with message-id <20170228184411.atfqsyyeryduywct@crossbow>
and subject line Re: Bug#856408: apt: Signed-By does nothing
has caused the Debian Bug report #856408,
regarding apt: Signed-By does nothing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856408
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.4~rc2
Severity: important

Hello,

I found the Signed-By option in sources.list(5) and thought this would be useful
to try. I set it up with a fingerprint of the key that signed a repository. I
then did an 'apt update' (or 'apt-get update', I tried both) and things went
well. Then I decided to try and flip some bits in the fingerprint and see what
happened. Turns out that nothing happens, apt proceeded without any complaint
whatsoever. :(

The documentation reads:

    If the option is set, only the key(s) in this keyring or only the keys with
    these fingerprints are used for the apt-secure(8) verification of this
    repository.

I also attempted a package installation and that didn't complain either.

This is the format I used:

deb http://deb.leap.se/debian sid main Signed-By: 2f483BbCE87BEE2F7DFE99661E34A1828E203901

(the key fingerprint there is incorrect).

micah

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv                    2.1.18-6
ii  init-system-helpers     1.47
ii  libapt-pkg5.0           1.4~rc2
ii  libc6                   2.24-9
ii  libgcc1                 1:6.3.0-8
ii  libstdc++6              6.3.0-8

Versions of packages apt recommends:
ii  gnupg   2.1.18-6
ii  gnupg1  1.4.21-3
ii  gnupg2  2.1.18-6

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.5-1
ii  dpkg-dev        1.18.22
ii  powermgmt-base  1.31+nmu1
ii  python-apt      1.4.0~beta2

-- no debconf information

--- End Message ---
--- Begin Message ---
On Tue, Feb 28, 2017 at 12:10:30PM -0500, micah wrote:
> This is the format I used:
> 
> deb http://deb.leap.se/debian sid main Signed-By: 2f483BbCE87BEE2F7DFE99661E34A1828E203901
> 
> (the key fingerprint there is incorrect).

That is completely invalid syntax and I am a bit surprised apt isn't
exploding due to it… then again it's probably thinking those would be
components and can't find them in the Release file.


Anyway: The documentation is trying to tell you that two different
formats for the definition of sources exist nowadays and you are trying
to mix them… not going to work.

deb [signed-by=2f483BbCE87BEE2F7DFE99661E34A1828E203901] http://deb.leap.se/debian sid main

should (not) work as valid one-line-style.

In your sources.list it will be better to use a keyring file though
(your repository ships with one, right?) so that you can change keys
without breaking user setups.

In the Release file option with the same name (which would also have
that deb822 syntax you were trying) you can obviously only mention
fingerprints – but the option is in that case limited to the validness
of the old Release file, so it's a tiny bit easier to recover from
mistakes here.


Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature


--- End Message ---
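The two source formats the reply contrasts can be checked mechanically. The following is an added example, not code from this bug thread or from apt itself: a small POSIX sh linter that flags the mistake in the report (a deb822 field such as "Signed-By:" appended after the components of a one-line entry, which apt reads as extra component names, so no key is ever pinned) and rewrites a well-formed one-line entry as the equivalent deb822 stanza. The sample lines are constructed from the entries quoted above; the fingerprint is the deliberately wrong one from the report and is treated only as an opaque token.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from apt itself: a small
# POSIX sh linter for one-line-style sources.list entries that catches the
# mistake in the report (a deb822 field such as "Signed-By:" appended after
# the components, which apt reads as extra component names and so never pins
# the key) and rewrites a well-formed entry as the equivalent deb822 stanza.
# The fingerprint in the sample lines is the deliberately wrong one quoted in
# the report, used here only as an opaque token.

# lint_sources_line LINE: 0 if the entry is well formed, 1 otherwise.
lint_sources_line() {
    set -f; set -- $1; set +f            # split on whitespace, no globbing
    case $1 in deb|deb-src) shift ;; *) echo "not a deb/deb-src entry" >&2; return 1 ;; esac
    case $1 in \[*)                      # skip a bracketed [opt=val ...] group
        while [ $# -gt 0 ]; do tok=$1; shift; case $tok in *\]) break ;; esac; done ;;
    esac
    [ $# -ge 2 ] || { echo "missing URI or suite" >&2; return 1; }
    shift 2                              # URI and suite; the rest are components
    for comp in "$@"; do
        case $comp in *:)
            key=$(printf %s "${comp%:}" | tr A-Z a-z)
            echo "'$comp' is a deb822 field, not a component: use [$key=...] before the URI, or a deb822 stanza" >&2
            return 1 ;;
        esac
    done
    return 0
}

# to_deb822 LINE: print the deb822 stanza for a well-formed one-line entry,
# mapping signed-by= to Signed-By: and arch= (comma list) to Architectures:.
to_deb822() {
    lint_sources_line "$1" || return 1
    set -f; set -- $1; set +f
    type=$1; shift
    signed=""; arch=""
    case $1 in \[*)
        while [ $# -gt 0 ]; do
            raw=$1; shift
            tok=${raw#\[}; tok=${tok%\]}
            case $tok in signed-by=*) signed=${tok#signed-by=} ;; arch=*) arch=${tok#arch=} ;; esac
            case $raw in *\]) break ;; esac
        done ;;
    esac
    printf 'Types: %s\nURIs: %s\nSuites: %s\nComponents:' "$type" "$1" "$2"
    shift 2; printf ' %s\n' "$*"
    [ -n "$arch" ] && printf 'Architectures: %s\n' "$(printf %s "$arch" | tr , ' ')"
    [ -n "$signed" ] && printf 'Signed-By: %s\n' "$signed"
    return 0
}
```

Running `to_deb822` on the bracketed entry from the reply prints a stanza whose `Signed-By:` line is where the report's trailing field was meant to go; the report's original line fails the lint instead.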
