
Bug#896834: /usr/bin/apt-key: also unstable with gpgv 2.2.43-{6,7} ...



Control: reassign -1 gpgv-from-sq
Control: affects -1 apt
Control: severity -1 serious

On Wed, Jun 19, 2024 at 09:59:52AM GMT, Pti Zoom wrote:
> Package: apt
> Version: 2.9.5
> Followup-For: Bug #896834
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
> *_InRelease files fail signing,
> 
> since 17/06/2024,
> 
> when upgraded unstable gpgv to 2.2.43-{6,7} !
> 
> then the package updates are quite stalled.
> 
> oh dear...should have listened to gpgv package maintainer instead of madly upgrading....
> 
> symptoms are also similar to bug...
> 
>  #896834  /usr/bin/apt-key: apt-key fails in an lxc environment after upgrade to stretch
> 
> which from ...
> 
>  apt -o Debug::Acquire::gpgv=1 update
> 
> gives...
> 
> "...
> inside VerifyGetSigners
> ...
> Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.dQFfP7 /tmp/apt.data.mOm9vr
> ...
> 0% [Working]gpgv exited with status 1
> Summary:
>   Good: 
>   Valid: 
>   Bad: 
>   Worthless: 
>   SoonWorthless: 
>   NoPubKey: 
>   Signed-By: 
>   NODATA: no
> Err:3 http://deb.debian.org/debian stable InRelease
>   At least one invalid signature was encountered.
> ...
> Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stable InRelease: At least one invalid signature was encountered.
> ..."
> 
> etc...
> 
> maybe I shall downgrade to gpgv 2.2.40-1.1+b3 or is there a better setting for gpgv ?

The culprit is gpgv-from-sq as DonKult said, and it is:

jak@jak-t14-g3:~:master$ apt-key verify --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease
gpgv:   error: While parsing rule "ed448"
gpgv: because: Invalid argument: Unknown public key algorithm: ed

So now it claims it accepts the argument but then it complains about
unknown public key algorithms. You can verify manually with something
like:

jak@jak-t14-g3:~:master$ gpgv --assert-pubkey-algo ">=rsa2048,ed25519,ed448" --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease
gpgv:   error: While parsing rule "ed448"
gpgv: because: Invalid argument: Unknown public key algorithm: ed

(Adjusted for your sources, I'm testing Ubuntu :D)

There are two bugs here:

1. sq strips the numerical bit from ed448, pretending it is a size. Maybe it
   doesn't support ed448?
2. sq fails on unknown algorithms, when it should silently ignore them. These
   are not safety critical, it is an allow list after all. If it doesn't support
   ed448 the right place to fail is when it actually encounters an ed448 signature.


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
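The rule list that apt-key hands to gpgv, as an added example (this is not apt's, gpgv's or sq's code): a small Python parser for the `--assert-pubkey-algo` allow list that keeps ed448 as a whole algorithm name instead of splitting off "448" as a size, and skips unknown entries instead of aborting, so that an unsupported algorithm is only rejected when a signature actually uses it. The algorithm name sets and the exact rule grammar are assumptions modelled on the command shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Algorithm name sets, constructed for this example (not gpgv's own tables).
# ed25519 and ed448 are complete names: the digits are not a key size.
SIZED_ALGOS = {"rsa", "dsa", "elg"}
FIXED_ALGOS = {"ed25519", "ed448", "cv25519"}

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
       "=": lambda a, b: a == b}

@dataclass
class Rule:
    op: str
    algo: str
    bits: Optional[int]  # None for fixed-size algorithms such as ed448

def parse_rule(token: str) -> Optional[Rule]:
    """Parse one rule like '>=rsa2048' or 'ed448'; None if the algorithm is unknown."""
    m = re.fullmatch(r"(>=|<=|>|<|=)?([a-z0-9]+)", token.strip())
    if not m:
        return None
    op, body = m.group(1) or "=", m.group(2)
    if body in FIXED_ALGOS:           # whole token is the name; never split off "448"
        return Rule(op, body, None)
    m2 = re.fullmatch(r"([a-z]+)(\d+)", body)
    if m2 and m2.group(1) in SIZED_ALGOS:
        return Rule(op, m2.group(1), int(m2.group(2)))
    return None                       # unknown algorithm: skipped, not a fatal error

def parse_algo_list(spec: str) -> list:
    """Parse the comma-separated allow list, silently dropping unknown entries."""
    return [r for r in (parse_rule(t) for t in spec.split(",")) if r is not None]

def algo_allowed(sig_algo: str, sig_bits: Optional[int], rules: list) -> bool:
    """True if the signature's public key algorithm satisfies at least one rule.
    A key whose algorithm matches no rule is rejected here, at verification time."""
    for r in rules:
        if r.algo != sig_algo:
            continue
        if r.bits is None and sig_bits is None:
            return True
        if r.bits is not None and sig_bits is not None and OPS[r.op](sig_bits, r.bits):
            return True
    return False
```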