Bug#877731: apt-secure: apt-secure doesn't know how to handle armored keyfiles

To: submit@bugs.debian.org
Subject: Bug#877731: apt-secure: apt-secure doesn't know how to handle armored keyfiles
From: kwadronaut - debian <kwadronaut-debian@riseup.net>
Date: Wed, 04 Oct 2017 21:54:16 +0000
Message-id: <[🔎] 51eab36ba8d6a7bac807895ec9c8df1a@riseup.net>
Reply-to: kwadronaut-debian@riseup.net, 877731@bugs.debian.org

Package: apt
Version: 1.4.7
Severity: normal

Dear Maintainer,

when adding an old-style armored key, apt fails to use this. If you dump
such a keyfile inside etc/apt/trusted.gpg.d/ (or
/usr/share/keyrings/name.gpg, with accompanying sources file) apt-update
will choke because it thinks the public key isn't available.

gpg --export -a --export-options export-minimal 1646B01B86E50310
>/usr/share/keyrings/yarn-keyring.gpg
apt update
W: An error occurred during the signature verification. The repository
is not updated and the previous index files will be used. GPG error:
https://dl.yarnpkg.com/debian stable InRelease: The following signatures
couldn't be verified because the public key is not available: NO_PUBKEY
E074D16EB6FF4DE3
W: Failed to fetch https://dl.yarnpkg.com/debian/dists/stable/InRelease 
The following signatures couldn't be verified because the public key is
not available: NO_PUBKEY E074D16EB6FF4DE3
W: Some index files failed to download. They have been ignored, or old
ones used instead.

I think this should at least be more obvious in the manpage that a
simple armored keyfile will not be taken into account and only keyrings
matter. This works:

gpg --export --export-options export-minimal 1646B01B86E50310
>/usr/share/keyrings/yarn-keyring.gpg


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- (/etc/apt/sources.list present, but not submitted) --

-- /etc/apt/sources.list.d/yarn.list --

deb [signed-by=/usr/share/keyrings/yarn-keyring.gpg]
https://dl.yarnpkg.com/debian/ stable main

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
(ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2017.5
ii  gpgv                    2.1.18-6
ii  init-system-helpers     1.48
ii  libapt-pkg5.0           1.4.7
ii  libc6                   2.24-11+deb9u1
ii  libgcc1                 1:6.3.0-18
ii  libstdc++6              6.3.0-18

Versions of packages apt recommends:
ii  gnupg  2.1.18-6

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.18.24
pn  powermgmt-base               <none>
pn  python-apt                   <none>

-- no debconf information

Reply to:

Follow-Ups:
- Processed: Re: apt-secure: apt-secure doesn't know how to handle armored keyfiles
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#877731: marked as done (apt-secure: apt-secure doesn't know how to handle armored keyfiles)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#877668: if all "Hit"s, then apt-get update should return immediately
Next by Date: Bug#876508: apt-secure: apt-secure doesn't know how to handle armored keyfiles
Previous by thread: Bug#877668: if all "Hit"s, then apt-get update should return immediately
Next by thread: Processed: Re: apt-secure: apt-secure doesn't know how to handle armored keyfiles
Index(es):
- Date
- Thread