Bug#1110845: marked as done (apt: Regression in Signed-By handling)
Your message dated Mon, 11 Aug 2025 14:58:11 +0200
with message-id <20250811145430.GA29892@debian.org>
and subject line Re: Bug#1110845: apt: Regression in Signed-By handling
has caused the Debian Bug report #1110845,
regarding apt: Regression in Signed-By handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1110845: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110845
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 3.0.3
Severity: serious
When a repository is configured in
/etc/apt/sources.list.d/repo.sources with "Signed-By:" listing
multiple keyrings, apt 2.9.16 was comfortable with one of the keyrings
not existing. In apt 3.0.3, the same configuration leads to a failure
to update the Release/Packages/Sources for that repository.
Since this is a regression, I marked this as serious. But feel free to
downgrade it, based on the documentation saying that the keyring files
have to be accessible (which implies they must exist).
Side note: It would be nice if the sources.list.5 manpage would
include an example of Signed-By with a fingerprint specified. The
syntax of doing so is currently unclear to me.
Relevant file looks like this (URI and actual filenames stripped):
Types: deb
URIs: https://<internal_mirror>
Suites: trixie
Components: main
Signed-by: /usr/share/keyrings/existing-keyring.gpg
 /usr/share/keyrings/missing-keyring.gpg
As said above: That worked with apt 2.9.16; it fails in 3.0.3 (not
sure about intermediate versions, but I assume this was introduced
with 2.9.19 (switch to sequoia on supported platforms)).
Kind regards,
Sven
--- End Message ---
--- Begin Message ---
On Mon, Aug 11, 2025 at 02:00:17PM +0200, Sven Mueller wrote:
> Package: apt
> Version: 3.0.3
> Severity: serious
>
> When a repository is configured in
> /etc/apt/sources.list.d/repo.sources with "Signed-By:" listing
> multiple keyrings, apt 2.9.16 was comfortable with one of the keyrings
> not existing. In apt 3.0.3, the same configuration leads to a failure
> to update the Release/Packages/Sources for that repository.
>
> Since this is a regression, I marked this as serious. But feel free to
> downgrade it, based on the documentation saying that the keyring files
> have to be accessible (which implies they must exist).
>
> Side note: It would be nice if the sources.list.5 manpage would
> include an example of Signed-By with a fingerprint specified. The
> syntax of doing so is currently unclear to me.
You add the fingerprint to it instead of the filename; fingerprints
are validated at the end of the verification by comparing the
signers with any fingerprints listed (if any).
>
> Relevant file looks like this (URI and actual filenames stripped):
>
> Types: deb
> URIs: https://<internal_mirror>
> Suites: trixie
> Components: main
> Signed-by: /usr/share/keyrings/existing-keyring.gpg
>  /usr/share/keyrings/missing-keyring.gpg
>
> As said above: That worked with apt 2.9.16; it fails in 3.0.3 (not
> sure about intermediate versions, but I assume this was introduced
> with 2.9.19 (switch to sequoia on supported platforms)).
Since this is in stable now, there is little point in adding
it back. Please ensure your configuration files are correct.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
--- End Message ---
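The multi-keyring Signed-By configuration from the report and the fingerprint form the reply describes, as an added example that is not part of the bug report or of apt's own code: a small POSIX sh pre-flight check that reads the Signed-By field of a deb822 .sources file, lists each entry, and flags keyring paths that do not exist, so the condition apt 3.0.3 rejects is caught before apt update. The sample .sources file, the keyring filenames, the mirror placeholder and the 40-hex-digit fingerprint are constructed for the demo (no real repository or key material); the helper names signed_by_entries, check_signed_by and write_sample_sources are this example's own.

```shell
#!/bin/sh
# Pre-flight check for the Signed-By field of a deb822 .sources file.
# sources.list(5) describes Signed-By as a list of absolute keyring paths
# and key fingerprints; apt 3.0.3 refuses the source when a listed keyring
# file is missing, so we check every path before apt update is run.

signed_by_entries() {
    # Print every whitespace-separated token of the Signed-By field, one per
    # line. deb822 field names are case-insensitive, and a value continues on
    # following lines that start with a space or tab.
    awk '
        tolower($0) ~ /^signed-by:/ {
            infield = 1
            sub(/^[^:]*:/, "")
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") print tok[i]
            next
        }
        /^[ \t]/ && infield {
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") print tok[i]
            next
        }
        { infield = 0 }
    ' "$1"
}

check_signed_by() {
    # One "STATUS<TAB>ENTRY" line per Signed-By token. Returns 0 only when
    # every keyring path is readable. Fingerprints (40 or 64 hex digits) are
    # listed but not verified here: apt compares them with the actual signers
    # at the end of signature verification, which a file check cannot do.
    missing=0
    for entry in $(signed_by_entries "$1"); do
        case "$entry" in
            /*)
                if [ -r "$entry" ]; then
                    printf 'ok\t%s\n' "$entry"
                else
                    printf 'MISSING\t%s\n' "$entry"
                    missing=1
                fi ;;
            *)
                if printf '%s' "$entry" | grep -Eq '^[0-9A-Fa-f]{40}([0-9A-Fa-f]{24})?$'; then
                    printf 'fingerprint\t%s\n' "$entry"
                else
                    # apt wants absolute paths, so anything else (for example
                    # the lines of an inline key block) is just reported.
                    printf 'other\t%s\n' "$entry"
                fi ;;
        esac
    done
    return "$missing"
}

write_sample_sources() {
    # Constructed sample for the demo (not a real repository or key). One
    # keyring file is created and the second is deliberately absent, as in the
    # bug report; the fingerprint is a made-up placeholder showing the syntax
    # the maintainer's reply describes. Prints the path of the written file.
    dir=$1
    : > "$dir/existing-keyring.gpg"
    cat > "$dir/repo.sources" <<EOF
Types: deb
URIs: https://<internal_mirror>
Suites: trixie
Components: main
Signed-By: $dir/existing-keyring.gpg
 $dir/missing-keyring.gpg
 0123456789ABCDEF0123456789ABCDEF01234567
EOF
    printf '%s\n' "$dir/repo.sources"
}

# Stand-alone demo on the constructed sample: the second keyring is missing,
# so the check reports it and exits non-zero, the case apt 3.0.3 refuses.
demo_dir=$(mktemp -d)
demo_file=$(write_sample_sources "$demo_dir")
if check_signed_by "$demo_file"; then
    echo "all listed keyrings present"
else
    echo "at least one keyring missing: fix Signed-By before running apt update"
fi
rm -rf "$demo_dir"
```

Run the script as-is to see the report on the constructed sample, or call check_signed_by on a file under /etc/apt/sources.list.d/ to check a live configuration. Fingerprint entries are recognised only by shape here; whether a listed fingerprint matches a real signer is decided by apt's own verification, at the end of the signature check, as the reply notes.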