
Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



Control: severity -1 minor

On Thu, Jul 01, 2021 at 01:51:22PM +0200, Andreas Tille wrote:
> Hi,
> 
> I'm running a (quite) up to date testing and recently I stumbled upon
> 
>   $ sudo apt update
>   ...
>   Err:8 http://fam-tille.de/debian local InRelease
>   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
>   ...
>   W: GPG error: http://fam-tille.de/debian local InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
>   E: The repository 'http://fam-tille.de/debian local InRelease' is not signed.
>   N: Updating from such a repository can't be done securely, and is therefore disabled by default.
>   N: See apt-secure(8) manpage for repository creation and user configuration details.
> 
> 
> I have some packages for my own use (I mean there is no reason to expect
> that someone wants to pull things from there) on my private web page
> which I signed with my Debian key.  This was working up to recently with
> apt-key.  Since this was not working any more I tried to follow the
> advice given in the error message and started reading apt-secure(8)
> where I just found a hint to apt-key which is deprecated.

There have been no changes on our side.

> 
> IMHO users who are using third party repositories will get a broken
> system after upgrading to Debian 11 and there is no helpful hint given
> how to fix it.
> 
> BTW, I did some
> 
>    apt-key del 578A0494D1C646D1

OK

> 
> added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg

So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?

Did you read the apt-key(8) manual page?

       apt-key supports only the binary OpenPGP format (also known as
       "GPG key public ring") in files with the "gpg" extension, not the
       keybox database format introduced in newer gpg(1) versions
       as default for keyring files. Binary keyring files
       intended to be used with any apt version should therefore
       always be created with gpg --export.

This problem happened to a lot of people, ever since gpg 2 became
the default which switched --keyring to generate not keyrings, but
keybox databases.

> and added an according
> 
>    [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
> 
> option to the sources.list line ... and it does not yet work.  So I
> think it is critical to point to a solution that *really* works.

Well, it should if you have a proper GPG keyring file, and not a
keybox file.

> 
> Due to potentially breaking user systems I wonder if someone agrees
> with bumping the severity of the bug to serious.

I disagree, and think this bug is a minor documentation issue,
your issue here is likely outside the computer.


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
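
A quick way to check which of the file formats discussed in this thread a key file actually is, added here as an example rather than anything from the bug report or the apt project: it looks for the keybox magic, an ASCII-armored header, or a binary OpenPGP packet header, so a `--keyring`-generated keybox dropped into /etc/apt/trusted.gpg.d or named in `signed-by=` can be spotted before `apt update` fails with NO_PUBKEY. The function name and the return words are my own choice.

```sh
#!/bin/sh
# Classify an apt key file. Prints one of: keybox, armored, openpgp, unknown.
# Exit status 0 for a recognised format, 1 otherwise.
apt_keyring_kind() {
    f="$1"
    [ -s "$f" ] || { echo unknown; return 1; }

    # gpg 2 keybox database (what "gpg --keyring FILE" creates by default):
    # the header blob carries the magic "KBXf" at byte offset 8.
    # apt cannot read this; regenerate the file with "gpg --export KEYID > FILE".
    if [ "$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)" = "KBXf" ]; then
        echo keybox
        return 0
    fi

    # ASCII-armored export ("gpg --armor --export"): text, not a binary keyring.
    if [ "$(dd if="$f" bs=1 count=11 2>/dev/null)" = "-----BEGIN " ]; then
        echo armored
        return 0
    fi

    # Binary OpenPGP ("gpg --export"): the first byte is a packet header,
    # whose high bit is always set (0x99 is the usual public-key packet tag).
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case "$first" in
        8?|9?|a?|b?|c?|d?|e?|f?) echo openpgp; return 0 ;;
    esac

    echo unknown
    return 1
}

# Usage: sh this_script.sh /etc/apt/trusted.gpg.d/*.gpg
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(apt_keyring_kind "$f")"
done
```

Any file reported as `keybox` is the situation described above: delete it and recreate it with `gpg --export`.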