Hi,

the apt team currently receives bug reports with (for users) strange apt errors which turn out to be caused by keybox files in trusted.gpg{,.d}, as apt-key can't deal with them for plenty of reasons (including that gpgv2 couldn't for a while, we need/want to support gpgv1 & gpgv2, the 40 keyrings limit, …).

Internally apt-key cats all the files it assumes would be 'old-style' keyrings together into a big single keyring, as suggested by dkg a while ago. That fails hard of course if a keybox is somewhere in that mix. This is documented in the manpage, but of course old setups which suddenly produce a keybox (as it is the default in gnupg) don't read new manpage sections…

So, the easiest solution would be to let apt-key skip over those baddies, but for that we would need a predictable way of identifying either, and here it gets complicated as 'old-style' has "no" magic while a keybox has a "late" magic (= appearing after length, type and version, which makes me fear that version+1 will maybe have a different one/place).

When I informally brought that up in an only slightly related discussion a while back, I also informally got the advice to whitelist old-style, assuming that false positives are not very likely:

| You can do this by inspecting the first octet of the ostensible binary
| keyring for one of these three values:
|
| * 0x98 -- old-format OpenPGP public key packet, up to 255 octets
| * 0x99 -- old-format OpenPGP public key packet, 256-65535 octets
| * 0xc6 -- new-format OpenPGP public key packet, any length

That sounds better in my ears than blacklisting keyboxes, but it risks false negatives if that isn't catching all, which would be sad, so before I go about implementing this I would like to ask more formally (& publicly) if this is the best option we have & keeps us in the "reasonably supportable" set in the opinion of the gnupg maintainers. Bonus points if there already exists [shell] code to that effect we could reuse or at least take inspiration from.
Best regards
David Kalnischkies
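An added example, not code from the mail, from apt or from gnupg: a POSIX shell sketch of the first-octet whitelist quoted in the mail (0x98, 0x99, 0xc6), plus a keybox check and a filter that keeps only the files a concatenating tool like apt-key could safely cat together. The keybox check rests on an assumption not stated in the mail, namely that the keybox header blob carries the magic "KBXf" at offset 8, after the 4-byte length, 1-byte type, 1-byte version and 2-byte flags, so treat it as a heuristic. It assumes sh, od(1) and mktemp(1) from coreutils; the sample files are constructed and are not real keys.

```shell
#!/bin/sh
# Added example (not apt's or gnupg's code): tell old-style OpenPGP keyrings
# apart from GnuPG keybox files by inspecting a few leading bytes, then use
# that to filter the list of files a tool would concatenate.
# Assumes POSIX sh with od(1) and mktemp(1) from coreutils.

# First octet of a file as two lowercase hex digits (empty for an empty file).
first_octet() {
    od -An -tx1 -N1 "$1" | tr -d ' \n'
}

# Whitelist from the quoted advice: a binary public keyring starts with a
# public key packet, i.e. 0x98 or 0x99 (old format) or 0xc6 (new format).
is_old_style_keyring() {
    case "$(first_octet "$1")" in
        98|99|c6) return 0 ;;
        *)        return 1 ;;
    esac
}

# Assumption about the keybox layout (not stated in the mail): the first blob
# is a header blob of 4-byte length, 1-byte type, 1-byte version and 2-byte
# flags, followed by the magic "KBXf" at offset 8. Heuristic only.
is_keybox() {
    [ "$(od -An -c -j8 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "KBXf" ]
}

# Classify a single file as keyring, keybox or unknown.
classify_keyfile() {
    if is_old_style_keyring "$1"; then
        echo keyring
    elif is_keybox "$1"; then
        echo keybox
    else
        echo unknown
    fi
}

# Print only the arguments that pass the whitelist, one per line: the list
# that could be cat'ed into one keyring, with keyboxes and junk dropped.
filter_old_style_keyrings() {
    for f in "$@"; do
        is_old_style_keyring "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample files (not real keys): just enough leading bytes for
# the checks above. Octal escapes: \231 = 0x99, \230 = 0x98, \306 = 0xc6.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '\231\001\015\004' > "$tmp/old99.gpg"   # 0x99: old-format, 2-byte length
printf '\230\015\004' > "$tmp/old98.gpg"       # 0x98: old-format, 1-byte length
printf '\306\015\004' > "$tmp/new.gpg"         # 0xc6: new-format packet
printf '\000\000\000\040\001\001\000\000KBXf' > "$tmp/pubring.kbx"  # assumed header blob
printf 'not a keyring\n' > "$tmp/junk.txt"
: > "$tmp/empty.gpg"

for f in "$tmp"/*; do
    printf '%s: %s\n' "${f##*/}" "$(classify_keyfile "$f")"
done
```

Because the whitelist only looks at one octet, a keybox, an ASCII-armored key or an empty file all land outside it, which is what a concatenating tool wants; the cost is that a binary keyring whose first packet is not a public key packet (for example one starting with a signature or secret key packet) is also skipped, which is the false-negative risk the mail raises.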