
Bug#872543: apt does not honor trusted=yes from sources.list



On Fri, Aug 18, 2017 at 10:19:28AM +0000, Adam Cecile wrote:
> Package: apt
> Version: 1.4.7
> Severity: important
> 
> Dear Maintainer,
> 
> After upgrading to Stretch some third-party repositories do not work
> anymore. A GPG error occurs even with trusted=yes in sources.list, so it
> does not look normal to me!
> 
> Manpage says:
>  The value yes tells APT always to consider this source as trusted, even
>  if it doesn't pass authentication checks. It disables parts of
>  apt-secure(8), and should therefore only be used in a local
>  and trusted context (if at all) as otherwise security is
>  breached
> 
> Consider the following sources.list entry:
>  deb [trusted=yes] http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 contrib
> 
> And run the following command:
>  apt -o Debug::Acquire::gpgv=true update
> 
> It returns the following output and the repo is unusable:
> 
>  Get:1 http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease [1,929 B]
> 0% [Working]inside VerifyGetSigners  
> 0% [1 InRelease gpgv 1,929 B]Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.3Y71D5 /tmp/apt.data.TVrsjB
> Read: [GNUPG:] NEWSIG
> 
> Read: [GNUPG:] KEY_CONSIDERED F36A89E33CC1BD0F71079007327574EE02A818DD 0
> 
> Read: [GNUPG:] SIG_ID WPC5Smlyce1ONPbTrr83WPGuTGo 2017-07-13 1499945124
> 
> Read: [GNUPG:] KEY_CONSIDERED F36A89E33CC1BD0F71079007327574EE02A818DD 0
> 
> Read: [GNUPG:] GOODSIG 327574EE02A818DD Cloudera Apt Repository
> 
> Got GOODSIG 327574EE02A818DD !
> Read: [GNUPG:] VALIDSIG F36A89E33CC1BD0F71079007327574EE02A818DD 2017-07-13 1499945124 0 4 0 17 2 01 F36A89E33CC1BD0F71079007327574EE02A818DD
> 
> Got untrusted VALIDSIG, key ID: F36A89E33CC1BD0F71079007327574EE02A818DD
> gpgv exited with status 0
> Summary:
>   Good: 
>   Bad: 
>   Worthless: F36A89E33CC1BD0F71079007327574EE02A818DD, 
>   SoonWorthless: 
>   NoPubKey: 
>   NODATA: no
> Err:1 http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease
>   The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD
> Reading package lists... Done
> Building dependency tree       
> Reading state information... Done
> All packages are up to date.
> W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD
> W: Failed to fetch http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh/dists/jessie-cdh5/InRelease  The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD
> W: Some index files failed to download. They have been ignored, or old ones used instead.

The problem here is that you had this working fine before, and now removed the key or something,
and hence the repository switched from trusted to untrusted, which apt refused. But there is no
issue with trusted=yes not working in general.

$ apt update -o Dir=$PWD
Get:1 http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease [1.929 B]
Ign:1 http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease
Get:2 http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5/contrib amd64 Packages [27,5 kB]
Fetched 29,5 kB in 0s (73,9 kB/s)   
Reading package lists... Done
Building dependency tree... Done
All packages are up to date.
W: GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 327574EE02A818DD


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
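
An added example, not part of the original message and not apt's own code: a small Python parser for the `[GNUPG:]` status lines shown in the quoted debug output, decoding the VALIDSIG fields (digest algorithm, public-key algorithm, expiry) for the key that the summary lists under Worthless. The field order follows GnuPG's documented status format and the algorithm numbers follow RFC 4880; the function names are hypothetical.

```python
import re

# Status lines copied from the apt debug output quoted in the report above.
STATUS_LOG = """\
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] KEY_CONSIDERED F36A89E33CC1BD0F71079007327574EE02A818DD 0
Read: [GNUPG:] SIG_ID WPC5Smlyce1ONPbTrr83WPGuTGo 2017-07-13 1499945124
Read: [GNUPG:] GOODSIG 327574EE02A818DD Cloudera Apt Repository
Read: [GNUPG:] VALIDSIG F36A89E33CC1BD0F71079007327574EE02A818DD 2017-07-13 1499945124 0 4 0 17 2 01 F36A89E33CC1BD0F71079007327574EE02A818DD
"""

# Subset of the OpenPGP algorithm identifiers defined in RFC 4880.
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

STATUS_RE = re.compile(r"\[GNUPG:\]\s+(\S+)\s*(.*)")

def parse_status(log):
    """Return (keyword, args) pairs for every [GNUPG:] status line."""
    events = []
    for line in log.splitlines():
        m = STATUS_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2).split()))
    return events

def describe_validsig(args):
    """Decode VALIDSIG: fpr, date, timestamp, expiry, version, reserved,
    pubkey algo, hash algo, signature class, [primary key fpr]."""
    if len(args) < 9:
        raise ValueError("VALIDSIG line has too few fields")
    return {
        "fingerprint": args[0],
        "created": args[1],
        "expires": None if args[3] == "0" else args[3],
        "pubkey_algo": PUBKEY_ALGOS.get(int(args[6]), "unknown(%s)" % args[6]),
        "hash_algo": HASH_ALGOS.get(int(args[7]), "unknown(%s)" % args[7]),
        "sig_class": args[8],
    }

def summarize(log):
    """Describe each VALIDSIG and note whether a matching GOODSIG was seen."""
    events = parse_status(log)
    good_ids = [a[0] for k, a in events if k == "GOODSIG" and a]
    sigs = [describe_validsig(a) for k, a in events if k == "VALIDSIG"]
    for sig in sigs:
        # GOODSIG here carries the long key ID: the fingerprint's last 16 hex digits.
        sig["goodsig_seen"] = sig["fingerprint"][-16:] in good_ids
    return sigs

if __name__ == "__main__":
    for sig in summarize(STATUS_LOG):
        print(sig)
```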

