
Bug#1110845: apt: Regression in Signed-By handling



Package: apt
Version: 3.0.3
Severity: serious

When a repository is configured in
/etc/apt/sources.list.d/repo.sources with "Signed-By:" listing
multiple keyrings, apt 2.9.16 was comfortable with one of the keyrings
not existing. In apt 3.0.3, the same configuration leads to a failure
to update the Release/Packages/Sources for that repository.

Since this is a regression, I marked this as serious. But feel free to
downgrade it, based on the documentation saying that the keyring files
have to be accessible (which implies they must exist).

Side note: It would be nice if the sources.list.5 manpage would
include an example of Signed-By with a fingerprint specified. The
syntax of doing so is currently unclear to me.

Relevant file looks like this (URI and actual filenames stripped):

Types: deb
URIs: https://<internal_mirror>
Suites: trixie
Components: main
Signed-by: /usr/share/keyrings/existing-keyring.gpg
 /usr/share/keyrings/missing-keyring.gpg

As said above: That worked with apt 2.9.16, it fails in 3.0.3 (not
sure about intermediate versions, but I assume this was introduced
with 2.9.19 (switch to sequoia on supported platforms)).

Kind regards,
Sven
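
Added example, not part of the original report and not apt's own code: a pre-upgrade check that parses deb822 .sources text and lists Signed-By keyring paths that do not exist, which is the condition the report says makes apt 3.0.3 fail. The function names are hypothetical, the sample stanza is constructed, and it assumes that only Signed-By tokens starting with "/" are keyring files (embedded key blocks and any other tokens are skipped).

```python
import os
import tempfile

def parse_deb822(text):
    """Split deb822 text into stanzas: a list of {lowercased field: value}."""
    stanzas, cur, field = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():              # blank line ends the stanza
            if cur:
                stanzas.append(cur)
            cur, field = {}, None
        elif line[0] in " \t":            # continuation of the previous field
            if field:
                cur[field] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            field = name.strip().lower()  # field names are case-insensitive
            cur[field] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def missing_keyrings(text, exists=os.path.isfile):
    """Return Signed-By keyring paths that do not exist on disk."""
    missing = []
    for stanza in parse_deb822(text):
        value = stanza.get("signed-by", "")
        if "BEGIN PGP PUBLIC KEY BLOCK" in value:
            continue                      # embedded key, no file to check
        for token in value.split():
            # Assumption: only absolute paths name keyring files; skip the rest.
            if token.startswith("/") and not exists(token):
                missing.append(token)
    return missing

def demo():
    """Constructed sample modelled on the report: one keyring exists, one does not."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "existing-keyring.gpg")
        absent = os.path.join(d, "missing-keyring.gpg")
        open(present, "wb").close()
        sample = ("Types: deb\nURIs: https://mirror.example.invalid\n"
                  "Suites: trixie\nComponents: main\n"
                  f"Signed-by: {present}\n {absent}\n")
        return missing_keyrings(sample) == [absent]

if __name__ == "__main__":
    print("demo ok:", demo())
```

To audit a real host, pass the contents of each file under /etc/apt/sources.list.d/ ending in .sources to missing_keyrings() and review any path it returns before upgrading.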

