Bug#1104320: marked as done (apt fails to validate signature if the key file has an "@" symbol in it)



Your message dated Sun, 25 May 2025 09:19:13 +0000
with message-id <E1uJ7Vh-003VVE-3a@fasolo.debian.org>
and subject line Bug#1104320: fixed in apt 3.0.2
has caused the Debian Bug report #1104320,
regarding apt fails to validate signature if the key file has an "@" symbol in it
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1104320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104320
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 3.0.0
Severity: normal

Dear Maintainer,

It seems like the current version of apt (or maybe sqv which apt uses
now) fails to validate signatures if the key file has an "@" symbol in
it. In my current configuration I have the file 

/etc/apt/trusted.gpg.d/wmlive@rumbero.org.asc

containing the correct signature for one of the repositories I have
enabled. However, when I run apt update I get this:

    $ sudo apt update
    Hit:1 http://deb.debian.org/debian trixie InRelease
    Hit:2 http://deb.debian.org/debian stable InRelease
    Hit:3 http://wmlive.rumbero.org/repo bookworm InRelease
    Err:3 http://wmlive.rumbero.org/repo bookworm InRelease
      Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key C40423E642122B755120F8CC963E4C2E2B830BAD, which is needed to verify signature.
    All packages are up to date.    
    Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://wmlive.rumbero.org/repo bookworm InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key C40423E642122B755120F8CC963E4C2E2B830BAD, which is needed to verify signature.
    Warning: Failed to fetch http://wmlive.rumbero.org/repo/dists/bookworm/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key C40423E642122B755120F8CC963E4C2E2B830BAD, which is needed to verify signature.
    Warning: Some index files failed to download. They have been ignored, or old ones used instead.
    Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.

But when I rename said file to remove "@" from its name, it goes totally
fine.

As is, it doesn't present a grave problem, since it can be solved by a
simple rename, but it suggests the poor quality of the sqv-apt combination
that unfortunately seems to be the only one possible. Please correct me if
I'm wrong, but it seems that it is impossible to use gpgv, which had no
problems with this file, with apt now (it is dependent on sqv). Is there
any chance that we can get the gpgv to validate signatures back or get
apt-sqv combination fixed?


-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "0";
APT::Install-Suggests "0";
APT::Key "";
APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1";
APT::Key::Assert-Pubkey-Algo::Next ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512";
APT::Key::Assert-Pubkey-Algo::Future ">=rsa3072,ed25519,ed448";
APT::Sandbox "";
APT::Sandbox::User "_apt";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*$";
APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*-[a-z0-9]*$";
APT::VersionedKernelPackages "";
APT::VersionedKernelPackages:: "linux-.*";
APT::VersionedKernelPackages:: "kfreebsd-.*";
APT::VersionedKernelPackages:: "gnumach-.*";
APT::VersionedKernelPackages:: ".*-modules";
APT::VersionedKernelPackages:: ".*-kernel";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "tasks";
APT::Move-Autobit-Sections "";
APT::Move-Autobit-Sections:: "oldlibs";
APT::Architectures "";
APT::Architectures:: "i386";
APT::Compressor "";
APT::Compressor::. "";
APT::Compressor::.::Name ".";
APT::Compressor::.::Extension "";
APT::Compressor::.::Binary "";
APT::Compressor::.::Cost "0";
APT::Compressor::zstd "";
APT::Compressor::zstd::Name "zstd";
APT::Compressor::zstd::Extension ".zst";
APT::Compressor::zstd::Binary "false";
APT::Compressor::zstd::Cost "60";
APT::Compressor::lz4 "";
APT::Compressor::lz4::Name "lz4";
APT::Compressor::lz4::Extension ".lz4";
APT::Compressor::lz4::Binary "false";
APT::Compressor::lz4::Cost "50";
APT::Compressor::gzip "";
APT::Compressor::gzip::Name "gzip";
APT::Compressor::gzip::Extension ".gz";
APT::Compressor::gzip::Binary "gzip";
APT::Compressor::gzip::Cost "100";
APT::Compressor::gzip::CompressArg "";
APT::Compressor::gzip::CompressArg:: "-6n";
APT::Compressor::gzip::UncompressArg "";
APT::Compressor::gzip::UncompressArg:: "-d";
APT::Compressor::xz "";
APT::Compressor::xz::Name "xz";
APT::Compressor::xz::Extension ".xz";
APT::Compressor::xz::Binary "xz";
APT::Compressor::xz::Cost "200";
APT::Compressor::xz::CompressArg "";
APT::Compressor::xz::CompressArg:: "-6";
APT::Compressor::xz::UncompressArg "";
APT::Compressor::xz::UncompressArg:: "-d";
APT::Compressor::bzip2 "";
APT::Compressor::bzip2::Name "bzip2";
APT::Compressor::bzip2::Extension ".bz2";
APT::Compressor::bzip2::Binary "bzip2";
APT::Compressor::bzip2::Cost "300";
APT::Compressor::bzip2::CompressArg "";
APT::Compressor::bzip2::CompressArg:: "-6";
APT::Compressor::bzip2::UncompressArg "";
APT::Compressor::bzip2::UncompressArg:: "-d";
APT::Compressor::lzma "";
APT::Compressor::lzma::Name "lzma";
APT::Compressor::lzma::Extension ".lzma";
APT::Compressor::lzma::Binary "xz";
APT::Compressor::lzma::Cost "400";
APT::Compressor::lzma::CompressArg "";
APT::Compressor::lzma::CompressArg:: "--format=lzma";
APT::Compressor::lzma::CompressArg:: "-6";
APT::Compressor::lzma::UncompressArg "";
APT::Compressor::lzma::UncompressArg:: "--format=lzma";
APT::Compressor::lzma::UncompressArg:: "-d";
Dir "/";
Dir::State "var/lib/apt";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "";
Dir::Cache::pkgcache "";
Dir::Etc "etc/apt";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::netrcparts "auth.conf.d";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Boot "boot";
Dir::Usr "usr";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::solvers "";
Dir::Bin::solvers:: "/usr/lib/apt/solvers";
Dir::Bin::planners "";
Dir::Bin::planners:: "/usr/lib/apt/planners";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Bin::gzip "/bin/gzip";
Dir::Bin::bzip2 "/bin/bzip2";
Dir::Bin::xz "/usr/bin/xz";
Dir::Bin::lz4 "/usr/bin/lz4";
Dir::Bin::zstd "/usr/bin/zstd";
Dir::Bin::lzma "/usr/bin/xz";
Dir::Media "";
Dir::Media::MountPath "/media/apt";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Log::Planner "eipp.log.xz";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.ucf-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.save$";
Dir::Ignore-Files-Silently:: "\.orig$";
Dir::Ignore-Files-Silently:: "\.distUpgrade$";
Acquire "";
Acquire::AllowInsecureRepositories "0";
Acquire::AllowWeakRepositories "0";
Acquire::AllowDowngradeToInsecureRepositories "0";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom/";
Acquire::IndexTargets "";
Acquire::IndexTargets::deb "";
Acquire::IndexTargets::deb::Packages "";
Acquire::IndexTargets::deb::Packages::MetaKey "$(COMPONENT)/binary-$(ARCHITECTURE)/Packages";
Acquire::IndexTargets::deb::Packages::flatMetaKey "Packages";
Acquire::IndexTargets::deb::Packages::ShortDescription "Packages";
Acquire::IndexTargets::deb::Packages::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Packages";
Acquire::IndexTargets::deb::Packages::flatDescription "$(RELEASE) Packages";
Acquire::IndexTargets::deb::Packages::Optional "0";
Acquire::IndexTargets::deb::Translations "";
Acquire::IndexTargets::deb::Translations::MetaKey "$(COMPONENT)/i18n/Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatMetaKey "$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::ShortDescription "Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::Description "$(RELEASE)/$(COMPONENT) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatDescription "$(RELEASE) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb-src "";
Acquire::IndexTargets::deb-src::Sources "";
Acquire::IndexTargets::deb-src::Sources::MetaKey "$(COMPONENT)/source/Sources";
Acquire::IndexTargets::deb-src::Sources::flatMetaKey "Sources";
Acquire::IndexTargets::deb-src::Sources::ShortDescription "Sources";
Acquire::IndexTargets::deb-src::Sources::Description "$(RELEASE)/$(COMPONENT) Sources";
Acquire::IndexTargets::deb-src::Sources::flatDescription "$(RELEASE) Sources";
Acquire::IndexTargets::deb-src::Sources::Optional "0";
Acquire::Changelogs "";
Acquire::Changelogs::URI "";
Acquire::Changelogs::URI::Origin "";
Acquire::Changelogs::URI::Origin::Debian "https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";
Acquire::Changelogs::URI::Origin::Ubuntu "https://changelogs.ubuntu.com/changelogs/pool/@CHANGEPATH@/changelog";
Acquire::Changelogs::AlwaysOnline "";
Acquire::Changelogs::AlwaysOnline::Origin "";
Acquire::Changelogs::AlwaysOnline::Origin::Ubuntu "1";
Acquire::Snapshots "";
Acquire::Snapshots::URI "";
Acquire::Snapshots::URI::Origin "";
Acquire::Snapshots::URI::Origin::Debian "https://snapshot.debian.org/archive/debian/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Origin::Ubuntu "https://snapshot.ubuntu.com/ubuntu/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Override "";
Acquire::Snapshots::URI::Override::Label "";
Acquire::Snapshots::URI::Override::Label::Debian-Security "https://snapshot.debian.org/archive/debian-security/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host "";
Acquire::Snapshots::URI::Host::archive.ubuntu.com "https://snapshot.ubuntu.com/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::deb.debian.org "https://snapshot.debian.org/archive/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::.archive.ubuntu.com "https://snapshot.ubuntu.com/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::security.ubuntu.com "https://snapshot.ubuntu.com/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::ppa.launchpadcontent.net "https://snapshot.ppa.launchpadcontent.net/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::ppa.launchpad.net "https://snapshot.ppa.launchpadcontent.net/@PATH@/@SNAPSHOTID@/";
Acquire::Languages "";
Acquire::Languages:: "none";
Acquire::CompressionTypes "";
Acquire::CompressionTypes::xz "xz";
Acquire::CompressionTypes::bz2 "bzip2";
Acquire::CompressionTypes::lzma "lzma";
Acquire::CompressionTypes::gz "gzip";
Acquire::CompressionTypes::lz4 "lz4";
Acquire::CompressionTypes::zst "zstd";
DPkg "";
DPkg::Path "/usr/sbin:/usr/bin:/sbin:/bin";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -f /usr/lib/palemoon/fonts/TwemojiMozilla.ttf ]; then rm /usr/lib/palemoon/fonts/TwemojiMozilla.ttf; else exit 0; fi";
DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -E -c '(remove|purge)') != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
Binary "apt-config";
Binary::apt-cdrom "";
Binary::apt-cdrom::APT "";
Binary::apt-cdrom::APT::Internal "";
Binary::apt-cdrom::APT::Internal::OpProgress "";
Binary::apt-cdrom::APT::Internal::OpProgress::EraseLines "0";
Binary::apt "";
Binary::apt::APT "";
Binary::apt::APT::Color "1";
Binary::apt::APT::Output-Version "30";
Binary::apt::APT::Cache "";
Binary::apt::APT::Cache::Show "";
Binary::apt::APT::Cache::Show::Version "2";
Binary::apt::APT::Cache::AllVersions "0";
Binary::apt::APT::Cache::ShowVirtuals "1";
Binary::apt::APT::Cache::Search "";
Binary::apt::APT::Cache::Search::Version "2";
Binary::apt::APT::Cache::ShowDependencyType "1";
Binary::apt::APT::Cache::ShowVersion "1";
Binary::apt::APT::Get "";
Binary::apt::APT::Get::Upgrade-Allow-New "1";
Binary::apt::APT::Get::Update "";
Binary::apt::APT::Get::Update::InteractiveReleaseInfoChanges "1";
Binary::apt::APT::Cmd "";
Binary::apt::APT::Cmd::Show-Update-Stats "1";
Binary::apt::APT::Cmd::Pattern-Only "1";
Binary::apt::APT::Keep-Downloaded-Packages "0";
Binary::apt::DPkg "";
Binary::apt::DPkg::Progress-Fancy "1";
Binary::apt::DPkg::Lock "";
Binary::apt::DPkg::Lock::Timeout "-1";
Binary::apt::Pager "1";
CommandLine "";
CommandLine::AsString "apt-config dump";

-- (no /etc/apt/preferences present) --


-- /etc/apt/preferences.d/palemoon --

Package: *
Pin: origin "wmlive.rumbero.org"
Pin-Priority: 200


-- /etc/apt/preferences.d/systemd --

Package: systemd
Pin: origin  *
Pin-Priority: -1

-- /etc/apt/sources.list --

#Debian repository

deb http://deb.debian.org/debian trixie main contrib non-free non-free-firmware

-- /etc/apt/sources.list.d/palemoon.list --

deb http://wmlive.rumbero.org/repo bookworm main

-- /etc/apt/sources.list.d/src.list --

deb-src http://deb.debian.org/debian stable main contrib non-free non-free-firmware

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 6.1.0-32-686 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apt depends on:
ii  adduser                 3.150
ii  base-passwd             3.6.7
ii  debian-archive-keyring  2025.1
ii  libapt-pkg7.0           3.0.0
ii  libc6                   2.41-7
ii  libgcc-s1               14.2.0-19
ii  libseccomp2             2.6.0-2
ii  libssl3t64              3.5.0-1
ii  libstdc++6              14.2.0-19
ii  libsystemd0             257.5-2
ii  sqv                     1.3.0-1

Versions of packages apt recommends:
ii  ca-certificates  20241223

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.22.18
ii  gnupg                        2.4.7-15
ii  powermgmt-base               1.38

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 3.0.2
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104320@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 25 May 2025 10:39:53 +0200
Source: apt
Architecture: source
Version: 3.0.2
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 1104320
Changes:
 apt (3.0.2) unstable; urgency=medium
 .
   * debian/NEWS: Document new requirements on trusted.gpg.d (Closes: #1104320)
   * test: Fix test-skipped regression in 3.0.1
   * test: Do not use host's sequoia config
   * Pass --check to msgfmt and fix broken format strings
   * Downgrade "modernize-sources" notice to audit
Checksums-Sha1:
 08d5d83c5bbe5b455e98b7bf196fab436c2e55ca 3091 apt_3.0.2.dsc
 caf8a4b03450e508f9b8181c901d318f3846bc61 2421348 apt_3.0.2.tar.xz
 7ef24facd378a3845b49bd89bac3bf2274c2c280 7409 apt_3.0.2_source.buildinfo
Checksums-Sha256:
 40fb26d76b18188122fd9ed52108580c21bd472506fe4fe134b7c65e95f06f57 3091 apt_3.0.2.dsc
 9b79cba044a6429861e7b1e2cb856583ad032b69ff64d626a9b185c1d7c5c3da 2421348 apt_3.0.2.tar.xz
 9eab393110033c973cf042a024b77f3d40939f1225abd1ae835aaf5e6efbc3d7 7409 apt_3.0.2_source.buildinfo
Files:
 e5ac4698b25990896b816e20f852954c 3091 admin required apt_3.0.2.dsc
 22ea68de4f9c2b1692578e20e3c31326 2421348 admin required apt_3.0.2.tar.xz
 6d6d2600077a268a5427239212c3fcb5 7409 admin required apt_3.0.2_source.buildinfo


--- End Message ---
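
Added example (not part of the bug thread and not apt's own code): a shell check for the failure reported above, where a key file in trusted.gpg.d was not used until the "@" was removed from its name. The function name `audit_trustedparts`, the allowed character set (ASCII letters, digits, `_`, `-`, `.`) and the `.gpg`/`.asc` extension check are assumptions of this example; the authoritative rule is the debian/NEWS entry shipped with apt 3.0.2.

```shell
#!/bin/sh
# Added example, not apt's own code.
# ASSUMPTION: a key file name is considered safe when it uses only ASCII
# letters, digits, '_', '-' and '.', and ends in .gpg or .asc. Check the
# debian/NEWS entry in apt 3.0.2 for the rule apt actually applies.

# audit_trustedparts [DIR]
# Prints one "REASON<TAB>PATH" line per key file that apt may skip.
# Exit status: 0 if every file name looks safe, 1 if any was flagged.
# The body runs in a subshell so the locale change does not leak out.
audit_trustedparts() (
    LC_ALL=C; export LC_ALL        # make A-Z, a-z, 0-9 mean ASCII only
    dir=${1:-/etc/apt/trusted.gpg.d}
    found=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue # skips an unmatched glob and directories
        name=${path##*/}
        case $name in
            *[!A-Za-z0-9_.-]*)     # e.g. the "@" in wmlive@rumbero.org.asc
                printf 'bad-character\t%s\n' "$path"; found=1 ;;
            *.gpg|*.asc)
                ;;                 # name and extension both look fine
            *)
                printf 'bad-extension\t%s\n' "$path"; found=1 ;;
        esac
    done
    exit "$found"
)
```

Run `audit_trustedparts` with no argument to check /etc/apt/trusted.gpg.d, or pass the directory named by `Dir::Etc::trustedparts` if it has been changed; a flagged key is one to rename before relying on the repository it signs.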