Package: src:apt
Severity: important
Version: 1.0.6
Tags: security

"apt-get source" currently shows messages about invalid signatures, but goes on to extract the source anyway, and the error text is kind of easy to miss as well.
A more secure default would be to use the --require-valid-signature option to dpkg-source. Note that changes here may lead to a lot of FTBFS bugs for packages with bad sigs, but that's a good thing. Those need a new sig anyway.

Example output for a package with an invalid signature (note easy to miss gpgv messages):

$ apt-get source debian-archive-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
Skipping already downloaded file 'debian-archive-keyring_2012.4.dsc'
Skipping already downloaded file 'debian-archive-keyring_2012.4.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./debian-archive-keyring_2012.4.dsc
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4
dpkg-source: info: unpacking debian-archive-keyring_2012.4.tar.gz
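As an added example (not part of the bug report, and not apt's or dpkg's own code), the following POSIX shell snippet shows both halves of the problem the report describes: a scanner that catches the easy-to-miss gpgv/dpkg-source warning lines in "apt-get source" output, and a wrapper that downloads with "apt-get source --download-only" and then unpacks with "dpkg-source --require-valid-signature -x" so that an unverifiable .dsc aborts extraction instead of being silently unpacked. The sample transcripts are constructed from the report's output; the function names and the regular expression are my own assumptions, and the strict wrapper needs dpkg-dev (and, for Debian uploads, the debian-keyring package) installed to do anything.

```shell
#!/bin/sh
# Added example, not code from the bug report or from apt/dpkg.

# Lines that mean "the .dsc signature was NOT verified". The two forms in the
# report are covered, plus gpgv's "BAD signature" and the "error:" form that
# dpkg-source prints when --require-valid-signature makes it refuse to unpack.
# (Pattern list is an assumption; extend it for other gpgv failure texts.)
SIG_FAIL_RE="gpgv: (Can't check signature|BAD signature)|dpkg-source: (warning|error): failed to verify signature"

# Constructed sample: the transcript from the report (signature NOT verified,
# source extracted anyway).
SAMPLE_BAD=$(cat <<'EOF'
Reading package lists... Done
Need to get 0 B of source archives.
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./debian-archive-keyring_2012.4.dsc
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4
dpkg-source: info: unpacking debian-archive-keyring_2012.4.tar.gz
EOF
)

# Constructed sample: what a run with a verifiable signature looks like.
SAMPLE_OK=$(cat <<'EOF'
Reading package lists... Done
Need to get 0 B of source archives.
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Good signature from "Debian Example Maintainer <example@debian.org>"
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4
dpkg-source: info: unpacking debian-archive-keyring_2012.4.tar.gz
EOF
)

# signature_failures OUTPUT: true (0) if OUTPUT contains any failure line.
signature_failures() {
    printf '%s\n' "$1" | grep -E "$SIG_FAIL_RE" >/dev/null
}

# count_signature_failures OUTPUT: print how many failure lines OUTPUT has.
# "|| true" keeps grep's exit status 1 on zero matches from tripping set -e.
count_signature_failures() {
    printf '%s\n' "$1" | grep -Ec "$SIG_FAIL_RE" || true
}

# fetch_source_verified PACKAGE: the workaround for apt-get source 1.0.6.
# Download only (no unpack), then let dpkg-source do the unpacking with
# --require-valid-signature, which refuses the .dsc unless its OpenPGP
# signature verifies against the keyrings dpkg-source trusts.
# Not exercised offline; requires apt-get and dpkg-dev.
fetch_source_verified() {
    pkg="$1"
    command -v dpkg-source >/dev/null 2>&1 || { echo "dpkg-source missing" >&2; return 2; }
    apt-get source --download-only "$pkg" || return 1
    for dsc in "$pkg"_*.dsc; do break; done
    [ -f "$dsc" ] || { echo "no .dsc downloaded for $pkg" >&2; return 1; }
    dpkg-source --require-valid-signature -x "$dsc"
}

# Stand-alone demo: show what the scanner sees in the report's transcript.
if signature_failures "$SAMPLE_BAD"; then
    echo "report transcript: $(count_signature_failures "$SAMPLE_BAD") signature failure line(s) present"
fi
```

Using the scanner on a log is only a stop-gap for catching what 1.0.6 prints; the wrapper is the actual fix, since dpkg-source's exit status then reflects the verification result rather than an "info:" line buried after a "warning:".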