Bug#1091896: marked as done (misleading error message about signature packet)
Your message dated Thu, 2 Jan 2025 09:26:39 +0100
with message-id <20250102092342.GA1606419@debian.org>
and subject line Re: Bug#1091896: misleading error message about signature packet
has caused the Debian Bug report #1091896,
regarding misleading error message about signature packet
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1091896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091896
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 2.9.20
I am using Kubernetes' package repository to install kubeadm, kubectl
and others, see https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/.
For Bookworm this works very well, but for Sid apt update complains about
the remote repository
# apt update
:
Warning: GPG error: https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type Caused by: Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
Error: The repository 'https://pkgs.k8s.io/core:/stable:/v1.32/deb InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.
# echo $?
100
file tells me the public key is version 4:
# file /etc/apt/keyrings/kubernetes-apt-keyring.gpg
/etc/apt/keyrings/kubernetes-apt-keyring.gpg: OpenPGP Public Key Version 4, Created Thu Aug 25 16:21:11 2022, RSA (Encrypt or Sign, 2048 bits); User ID; Signature; OpenPGP Certificate
so apt should not complain about a version 3 signature without providing
more details.
I understand that this problem was mitigated in version 2.9.21, but this
seems to be some bad code that might pop up in 2026 when v3 signatures are
disabled again.
Anyway, best season greetings
Harri
--- End Message ---
--- Begin Message ---
On Thu, Jan 02, 2025 at 09:08:22AM +0100, Harald Dunkel wrote:
> Package: apt
> Version: 2.9.20
>
> I am using Kubernetes' package repository to install kubeadm, kubectl
> and others, see https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/.
> For Bookworm this works very well, but for Sid apt update complains about
> the remote repository
>
> # apt update
> :
> Warning: GPG error: https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type Caused by: Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
> Error: The repository 'https://pkgs.k8s.io/core:/stable:/v1.32/deb InRelease' is not signed.
> Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
> Notice: See apt-secure(8) manpage for repository creation and user configuration details.
> # echo $?
> 100
>
> file tells me the public key is version 4:
>
> # file /etc/apt/keyrings/kubernetes-apt-keyring.gpg
> /etc/apt/keyrings/kubernetes-apt-keyring.gpg: OpenPGP Public Key Version 4, Created Thu Aug 25 16:21:11 2022, RSA (Encrypt or Sign, 2048 bits); User ID; Signature; OpenPGP Certificate
>
> so apt should not complain about a version 3 signature without providing
> more details.
Sequoia is complaining about a v3 *signature packet*, not a v3
*public key packet*. And that v4 key generated a v3 signature:
$ env curl -s https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb/InRelease | sq packet dump
Signature Packet, old CTB, 277 bytes
Version: 3
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
--- End Message ---
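Added example (not part of either message, and not apt or Sequoia code): an OpenPGP public key packet and a signature packet each carry their own version octet, so a v4 key and a v3 signature can coexist as described in the reply above. The Python sketch below walks binary (dearmored) packet headers per RFC 4880 section 4.2 and reports each packet's version; the function names and the zero-padded sample bytes are constructed for illustration.

```python
# Added example: minimal OpenPGP packet-header walker (RFC 4880, section 4.2).
# Assumes binary (dearmored) input; partial/indeterminate lengths are rejected.
TAGS = {2: "Signature", 6: "Public-Key", 13: "User ID", 14: "Public-Subkey"}
VERSIONED = {2, 6, 14}  # packet types whose body starts with a version octet

def packets(data):
    """Yield (tag, ctb_format, body) for each packet in data."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        i += 1
        if ctb & 0x40:                       # new-format CTB: tag in bits 5-0
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not supported")
            fmt = "new"
        else:                                # old-format CTB: tag in bits 5-2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
            fmt = "old"
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, fmt, data[i:i + length]
        i += length

def versions(data):
    """Return [(packet name, CTB format, body length, version or None)]."""
    return [(TAGS.get(t, f"tag {t}"), f, len(b),
             b[0] if t in VERSIONED and b else None)
            for t, f, b in packets(data)]

# Constructed sample (zero padding, not real key material): a v4 public key
# packet, then a v3 signature packet with a 277-byte body (size borrowed from
# the dump above).
SAMPLE = (bytes([0x99, 0x01, 0x0D, 4]) + bytes(268) +
          bytes([0x89, 0x01, 0x15, 3]) + bytes(276))

print(versions(SAMPLE))
```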