
Bug#934076: apt: EXPKEYSIG shouldn't trigger for updated key



Control: reassign -1 gpgv

On Tue, Aug 06, 2019 at 02:22:00PM -0400, timeless wrote:
> Package: apt
> Version: 1.8.2
> Tags: minor
> 
> I had manually used
> ```
> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 96B3EE5F29111145 \
>   || curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x96B3EE5F29111145" | apt-key add -
> ```
> 
> (For reference, the equivalent content is available from:
> https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/9885e188a10e30088813c32270f05f7583875619/so-setup-network.sh#L638-L689
> )
> which adds a key to `/etc/apt/trusted.gpg` -- I did this a while ago.
> 
> The key I had for this has expired:
> 
> ```
> apt-get update
> ...
> Err:11 https://packages.wazuh.com/3.x/apt stable InRelease
>   The following signatures were invalid: EXPKEYSIG 96B3EE5F29111145
> Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> ```
> 
> ** It would have been somewhat helpful if the message said "expired"
> instead of "invalid".
> 
> I went and checked (or could have checked):
> ```
> apt-key list
> /etc/apt/trusted.gpg
> --------------------
> ...
> pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
>       0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
> uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> ...
> ```
> 
> I ran:
> ```
> curl https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo tee /etc/apt/trusted.gpg.d/wazuh.asc
> apt-get update
> ```
> 
> And I still got a complaint about EXPKEYSIG for 96B3EE5F29111145
> 
> ```
> apt-key list
> /etc/apt/trusted.gpg
> --------------------
> ...
> pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
>       0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
> uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> ...
> 
> /etc/apt/trusted.gpg.d/wazuh.asc
> --------------------------------
> pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
>       0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
> uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
> ```
> 
> Expected results:
> If a key exists twice, once w/ an old expiry, and once w/ a newer expiry,
> accept the newer expiry.
> Alternatively, if a key exists twice, w/ different expiries and apt really
> doesn't want to deal w/ it, it should explain about the mismatch (apt-key
> list didn't complain that I had two keys for the same key w/ different
> expiration dates).

apt has no knowledge about your available keys - all key files (or specified
ones) are concatenated and passed as a keyring to gpgv. gpgv then tells us
which keys signed data and if they are valid.

> 
> For reference, I can trigger it w/ deterministic file names like:
> ```
> apt-key list
> /etc/apt/trusted.gpg
> --------------------
> pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
>       067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
> uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>
> 
> /etc/apt/trusted.gpg.d/000-wazuh-expired.asc
> --------------------------------------------
> pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
>       0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
> uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> 
> pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
>       0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
> uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
> 
> /etc/apt/trusted.gpg.d/001-wazuh-updated.asc
> --------------------------------------------
> pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
>       0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
> uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
> sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
> ```
> 
> Note: it's possible to use `apt-key del 96B3EE5F29111145`, but this
> unfortunately also deleted my updated key, which was slightly frustrating.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
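Since apt only concatenates the keyring files and lets gpgv judge the signature, the "two copies of the same key with different expiry dates" situation the reporter describes is invisible to both tools. The following is an added example (not part of this bug report, and not apt's or gpgv's code): it parses `apt-key list` output in the format shown above and flags fingerprints that appear more than once with disagreeing expiry, plus the expired copies that could be dropped per file instead of running `apt-key del`, which removes every copy of the key id. The sample text is constructed from the reporter's deterministic three-file example; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: apt-key list output as the bug report shows it, with
# one expired and two renewed copies of the same Wazuh key across two files.
SAMPLE_APT_KEY_LIST = """\
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/000-wazuh-expired.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>

pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]

/etc/apt/trusted.gpg.d/001-wazuh-updated.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
"""

# "pub" line: algorithm, creation date, usage flags, then an optional
# "[expires: ...]" or "[expired: ...]" bracket (absent for keys that never expire).
PUB_RE = re.compile(
    r"^pub\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[[^\]]*\]"
    r"(?:\s+\[(?P<state>expires|expired): (?P<date>\d{4}-\d{2}-\d{2})\])?"
)
# Fingerprint line: ten groups of four hex digits; gpg indents it and puts
# a double space after the fifth group, hence \s+ between groups.
FPR_RE = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")


def parse_apt_key_list(text):
    """Return (keyring_file, fingerprint, state, date) for every pub key.

    state is 'expires', 'expired' or 'never' (no expiry bracket printed).
    """
    entries = []
    keyring = None   # keyring file the following keys belong to
    pending = None   # (state, date) of the pub line awaiting its fingerprint
    for line in text.splitlines():
        if line.startswith("/"):
            keyring = line.strip()   # file header; a dashes line follows it
            continue
        m = PUB_RE.match(line)
        if m:
            pending = (m.group("state") or "never", m.group("date"))
            continue
        m = FPR_RE.match(line)
        if m and pending is not None:
            fingerprint = re.sub(r"\s+", "", m.group(1))
            entries.append((keyring, fingerprint, pending[0], pending[1]))
            pending = None
    return entries


def long_key_id(fingerprint):
    """The 16-hex-digit id gpgv prints in EXPKEYSIG/GOODSIG lines."""
    return fingerprint[-16:]


def find_expiry_conflicts(entries):
    """Map fingerprint -> its copies, for keys whose copies disagree on expiry."""
    by_fpr = defaultdict(list)
    for keyring, fpr, state, date in entries:
        by_fpr[fpr].append((keyring, state, date))
    return {fpr: copies for fpr, copies in by_fpr.items()
            if len({(s, d) for _, s, d in copies}) > 1}


def stale_copies(entries):
    """Expired copies of a key that also has a current (renewed) copy.

    These are the copies to remove from their individual files; `apt-key del`
    would drop the renewed copy as well, as the reporter observed.
    """
    current = {fpr for _, fpr, state, _ in entries if state != "expired"}
    return [(keyring, fpr, date) for keyring, fpr, state, date in entries
            if state == "expired" and fpr in current]


def report(text=SAMPLE_APT_KEY_LIST):
    """Print the audit and return the conflict map for further use."""
    entries = parse_apt_key_list(text)
    conflicts = find_expiry_conflicts(entries)
    for fpr, copies in conflicts.items():
        print(f"key {long_key_id(fpr)} has {len(copies)} copies with differing expiry:")
        for keyring, state, date in copies:
            print(f"  {keyring}: {state} {date}")
    for keyring, fpr, date in stale_copies(entries):
        print(f"stale copy of {long_key_id(fpr)} (expired {date}) in {keyring}")
    return conflicts


if __name__ == "__main__":
    report()
```

On a real system the parse-safe input is `gpg --with-colons --fingerprint` run over each file under `/etc/apt/trusted.gpg.d`; the example reads the human-readable layout only because that is the form the report shows. On the sample it reports the Wazuh key 96B3EE5F29111145 three times with two different expiry dates and names `000-wazuh-expired.asc` as the file holding the stale copy, while the Debian release key (a single copy) is not mentioned.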

