Bug#856408: apt: Signed-By does nothing

[micah <micah@riseup.net>]

Package: apt
Version: 1.4~rc2
Severity: important

Hello,

I found the Signed-By option in sources.list(5) and thought this would be useful
to try. I set it up with a fingerprint of the key that signed a repository. I
then did an 'apt update' (or 'apt-get update', I tried both) and things went
well. Then I decided to try and flip some bits in the fingerprint and see what
happened. Turns out that nothing happens, apt proceeded without any complaint
whatsoever. :(

The documentation reads:

    If the option is set, only the key(s) in this keyring or only the keys with
    these fingerprints are used for the apt-secure(8) verification of this
    repository.

I also attempted a package installation and that didn't complain either.

This is the format I used:

deb http://deb.leap.se/debian sid main Signed-By: 2f483BbCE87BEE2F7DFE99661E34A1828E203901

(the key fingerprint there is incorrect).

micah

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv                    2.1.18-6
ii  init-system-helpers     1.47
ii  libapt-pkg5.0           1.4~rc2
ii  libc6                   2.24-9
ii  libgcc1                 1:6.3.0-8
ii  libstdc++6              6.3.0-8

Versions of packages apt recommends:
ii  gnupg   2.1.18-6
ii  gnupg1  1.4.21-3
ii  gnupg2  2.1.18-6

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.5-1
ii  dpkg-dev        1.18.22
ii  powermgmt-base  1.31+nmu1
ii  python-apt      1.4.0~beta2

-- no debconf information