Followup-For: Bug #687611

Hi,

I finally traced the modification of debian-archive-removed-keys.gpg during squeeze -> wheezy upgrades to 'apt-key update' calling 'gpg --list-keys', which is not a read-only operation. Quoting from GPG(1):

    --no-auto-check-trustdb
        If GnuPG feels that its information about the Web of Trust has to be
        updated, it automatically runs the --check-trustdb command internally.
        This may be a time consuming process. --no-auto-check-trustdb disables
        this option.

So let's call gpg with --no-auto-check-trustdb always to get deterministic behavior ... and explicitly run --check-trustdb during apt-key update. Do this with a dummy --keyring, otherwise all keyrings could be rewritten.

We cannot use --check-trustdb --batch to skip the update if it is not needed - gpg thinks it is not needed until we run --list-keys once ...

Maybe we can use --check-trustdb --quiet to suppress the "gpg: no ultimately trusted keys found" message ...

Raising the severity to RC as having modified keyrings after system upgrades might make many users suspicious.

Andreas
diffstat for apt-0.9.7.7 apt-0.9.7.7+nmu1 cmdline/apt-key | 6 +++++- debian/changelog | 12 ++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff -Nru apt-0.9.7.7/cmdline/apt-key apt-0.9.7.7+nmu1/cmdline/apt-key --- apt-0.9.7.7/cmdline/apt-key 2012-06-11 14:38:49.000000000 +0200 +++ apt-0.9.7.7+nmu1/cmdline/apt-key 2013-02-15 19:51:25.000000000 +0100 @@ -12,7 +12,7 @@ if [ "$(id -u)" -eq 0 ]; then # we could use a tmpfile here too, but creation of this tends to be time-consuming eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) - GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" + GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg --no-auto-check-trustdb" fi GPG="$GPG_CMD" @@ -107,6 +107,10 @@ fi requires_root + # perform trust database maintenance with a dummy keyring to avoid + # rewriting the regular keyrings + $GPG_CMD --check-trustdb --keyring $SECRETKEYRING + # add new keys from the package; # we do not use add_keys_with_verify_against_master_keyring here, diff -Nru apt-0.9.7.7/debian/changelog apt-0.9.7.7+nmu1/debian/changelog --- apt-0.9.7.7/debian/changelog 2012-12-13 09:52:19.000000000 +0100 +++ apt-0.9.7.7+nmu1/debian/changelog 2013-02-15 20:07:39.000000000 +0100 @@ -1,3 +1,15 @@ +apt (0.9.7.7+nmu1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * cmdline/apt-key: + - Run gpg with --no-auto-check-trustdb to avoid randomly rewriting + keyrings e.g. during --list-keys. (Closes: #687611, #662948) + - Run gpg --check-trustdb during the 'update' action to allow updating the + trust database format. The format changes e.g. after upgrading gnupg + from squeeze to wheezy. + + -- Andreas Beckmann <a...@debian.org> Fri, 15 Feb 2013 19:52:29 +0100 + apt (0.9.7.7) unstable; urgency=low [ Program translation updates ]
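Review bot: in the first cmdline/apt-key hunk (@@ -12,7 +12,7 @@) the new --no-auto-check-trustdb flag is appended only inside the `if [ "$(id -u)" -eq 0 ]` block, so non-root invocations of apt-key keep the old gpg behaviour. That is acceptable, since only root can write the keyrings this bug is about, but a short comment next to `GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg --no-auto-check-trustdb"` saying that the flag exists to stop gpg from rewriting keyrings as a side effect of --list-keys would make the intent clear to the next maintainer.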
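Review bot: in the second cmdline/apt-key hunk (@@ -107,6 +107,10 @@) the line `$GPG_CMD --check-trustdb --keyring $SECRETKEYRING` leaves `$SECRETKEYRING` unquoted, and the visible context shows neither where that variable is set nor whether $GPG_CMD already carries --no-default-keyring; without the latter, --keyring adds a keyring rather than replacing the default ones, and the "dummy keyring" comment above the line would not hold. Suggest quoting the variable and, as the covering mail already considers, adding --quiet so that every `apt-key update` does not print "gpg: no ultimately trusted keys found".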
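Review bot: the debian/changelog hunk still carries UNRELEASED as the distribution and must be switched to unstable before the NMU is uploaded; the first bullet's "randomly rewriting keyrings" could also name the actual trigger found in the analysis (the automatic --check-trustdb run that --list-keys performs) so the changelog matches the bug report.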
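A check for the symptom described in the report (keyrings changing under a supposedly read-only command), as an added example that is not part of the bug report or of apt: it snapshots checksums of a keyring directory around a command and prints the files that were rewritten. The directory and file contents are constructed for the demonstration; on a real system one would wrap, for instance, `apt-key list` around the apt configuration directory.

```shell
# Added example, not apt's own apt-key code: report which files under a
# keyring directory change while a command runs.

snapshot() {
    # one "hash  ./path" line per regular file, sorted so comm(1) can compare
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# keyrings_changed_by DIR CMD...: run CMD and print the names (relative to DIR)
# of files whose contents differ afterwards; prints nothing if none changed.
keyrings_changed_by() {
    dir="$1"; shift
    before="$(mktemp)"; after="$(mktemp)"
    snapshot "$dir" > "$before"
    "$@" >/dev/null 2>&1          # the command's own output is not of interest
    snapshot "$dir" > "$after"
    # lines present only in the second snapshot belong to rewritten files
    comm -13 "$before" "$after" | awk '{ print $2 }' | sed 's|^\./||'
    rm -f "$before" "$after"
}

# Demonstration on constructed files (no real keyrings are touched): a command
# that is supposed to be read-only but appends to one keyring, i.e. the symptom.
demo_rewrite() {
    d="$(mktemp -d)"
    printf 'constructed keyring A\n' > "$d/trusted.gpg"
    printf 'constructed keyring B\n' > "$d/debian-archive-removed-keys.gpg"
    keyrings_changed_by "$d" sh -c "echo x >> '$d/debian-archive-removed-keys.gpg'"
    rm -rf "$d"
}

# The same check around a command that really is read-only prints nothing.
demo_readonly() {
    d="$(mktemp -d)"
    printf 'constructed keyring A\n' > "$d/trusted.gpg"
    keyrings_changed_by "$d" cat "$d/trusted.gpg"
    rm -rf "$d"
}
```

An empty result after the wrapped `apt-key update` or `apt-key list` run is what the patch above is meant to guarantee.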