Your message dated Fri, 29 Nov 2024 09:19:03 +0000
with message-id <E1tGx9T-002zni-IA@fasolo.debian.org>
and subject line Bug#1088656: fixed in apt 2.9.16
has caused the Debian Bug report #1088656,
regarding apt: Regression with keyrings not ending in .gpg/.asc
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1088656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088656
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apt: Regression with keyrings not ending in .gpg/.asc
- From: Guillem Jover <guillem@debian.org>
- Date: Fri, 29 Nov 2024 03:31:58 +0100
- Message-id: <Z0knnhPo6mZ3W8oG@thunder.hadrons.org>
Package: apt
Version: 2.9.15
Severity: serious
Justification: I pondered initially on important, but given that this is a regression that prevents repo usage, it seems worth serious to me.

Hi!

The latest release made some repos stop working as apt is now refusing to use the specified keyring when it ends in «.pgp».

,---
…
Err:4 https://…/…; … InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
…
Warning: https://…/…/InRelease: The key(s) in the keyring /usr/share/keyrings/….pgp are ignored as the file has an unsupported filetype.
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://…/…; … InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
Warning: Failed to fetch https://…/…/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
`---

Enforcing «.gpg» (and «.asc») as the only allowed extensions seems wrong, because «.gpg» is an implementation specific name, which does not match the standard (OpenPGP) this is based on, where the more neutral name to use is «.pgp».

So either «.pgp» should be explicitly allowed or the extension and format checks should be removed, as the OpenPGP implementation in use should be able to reject unknown keyrings.

Ideally «.pgp» would be allowed everywhere currently expecting «.gpg», including say «Release.gpg» (even if that's considered deprecated). And apt would encourage to use the vendor-neutral extension.

There's also a lintian tag prodding keyring providers to use the neutral extension:

  https://udd.debian.org/lintian-tag/openpgp-file-has-implementation-specific-extension

Thanks,
Guillem
--- End Message ---
--- Begin Message ---
- To: 1088656-close@bugs.debian.org
- Subject: Bug#1088656: fixed in apt 2.9.16
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 29 Nov 2024 09:19:03 +0000
- Message-id: <E1tGx9T-002zni-IA@fasolo.debian.org>
- Reply-to: Julian Andres Klode <jak@debian.org>
Source: apt
Source-Version: 2.9.16
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1088656@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 Nov 2024 09:45:11 +0100
Source: apt
Architecture: source
Version: 2.9.16
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 1088656
Changes:
 apt (2.9.16) unstable; urgency=medium
 .
   * Avoid extension check for .gpg in Signed-By keyrings (Closes: #1088656)
     A warning for extensions other than .pgp and .gpg will be introduced
     at a later point, but not now as we try to be bug compatible.
--- End Message ---
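
An added example, not code from apt or from either message above: a small audit that lists the Signed-By keyring paths in a deb822 sources file and flags those that an extension-only check for «.gpg»/«.asc», as described in the report, would ignore even though their content looks like an OpenPGP keyring. The helper names, the repository URLs and keyring file names, and the sample bytes are constructed; the content sniff is a simple heuristic on the first packet header, not apt's own logic.

```python
import os

# Extensions the report says apt 2.9.15 enforced for Signed-By keyrings.
LEGACY_EXTS = {".gpg", ".asc"}
ARMOR = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"

def sniff_keyring(data):
    """Classify keyring bytes by content: 'armored', 'binary' or 'unknown'."""
    if data.lstrip().startswith(ARMOR):
        return "armored"
    if data and data[0] & 0x80:  # every OpenPGP packet header has bit 7 set
        # Bit 6 selects the new header format (6-bit tag) over the old (4-bit tag).
        tag = data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F
        if tag == 6:  # tag 6 = Public-Key packet, the start of a binary keyring
            return "binary"
    return "unknown"

def signed_by_paths(sources_text):
    """Collect absolute paths from single-line Signed-By fields (fingerprints skipped)."""
    paths = []
    for line in sources_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.lower() == "signed-by":
            paths += [t for t in value.replace(",", " ").split() if t.startswith("/")]
    return paths

def audit(sources_text, read=lambda p: open(p, "rb").read()):
    """One finding per keyring; 'ignored_by_ext_check' marks the reported regression."""
    findings = []
    for path in signed_by_paths(sources_text):
        ext = os.path.splitext(path)[1].lower()
        try:
            fmt = sniff_keyring(read(path))
        except OSError:
            fmt = "unreadable"
        ignored = ext not in LEGACY_EXTS and fmt in ("armored", "binary")
        findings.append({"path": path, "format": fmt, "ignored_by_ext_check": ignored})
    return findings

# Constructed sample input: two abridged stanzas and the first bytes of their keyrings.
SAMPLE_SOURCES = (
    "URIs: https://repo.example/debian\nSigned-By: /usr/share/keyrings/example-archive.pgp\n\n"
    "URIs: https://other.example/debian\nSigned-By: /usr/share/keyrings/other-archive.asc\n"
)
SAMPLE_FILES = {
    "/usr/share/keyrings/example-archive.pgp": b"\x99\x01\x0d\x04",
    "/usr/share/keyrings/other-archive.asc": ARMOR + b"\n",
}
if __name__ == "__main__":
    print(*audit(SAMPLE_SOURCES, SAMPLE_FILES.__getitem__), sep="\n")
```

On a real system, call `audit()` with the text of each file under /etc/apt/sources.list.d/ and the default reader; a finding with `ignored_by_ext_check` set is a valid-looking keyring that only its file name would have disqualified.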