Hi David,

Thanks for your elaborate and helpful comments. You've nailed it. See below.

On Thu, Aug 25, 2016 at 10:27:47AM +0200, David Kalnischkies wrote:
> On Sun, Aug 21, 2016 at 10:07:47AM +0200, Joost van Baal-Ilić wrote:
> > Get:1 http://ftp.nl.debian.org/debian sid InRelease [209 kB]
> > 0% [Working]inside VerifyGetSigners
> > 0% [1 InRelease gpgv 209 kB]Preparing to exec: /usr/bin/apt-key --quiet
> > --readonly verify --status-fd 3 /tmp/apt.sig.7pzp9M
> > /tmp/apt.data.WiZ9eV
> > gpgv exited with status 1
> > Summary:
> > Good:
> > Bad:
> > Worthless:
> > SoonWorthless:
> > NoPubKey:
> > NODATA: no
> > Err:1 http://ftp.nl.debian.org/debian sid InRelease
> > At least one invalid signature was encountered.
>
> The error message is a reaction to the debug message "gpgv exited with
> status 1" as it is supposed to do that only if it encounters a bad sig.
>
> Now, that debug message is kind of a lie as it isn't gpgv which exits
> 1 here, but the wrapping construct apt-key. That can be deduced from
> the summary being empty, so we fail before even calling apt-key.
>
> A common reason for this in recent times is actually a strange /tmp
> directory with misconfigured owner/permissions setup. The reason is
> that apt-key isn't executed with root permissions (and hence allowed to
> do basically everything), but as _apt which isn't privileged and
> therefore affected by owner/permission.
>
> I just experimented a bit and while 'apt-key list' just ignores
> unreadable files, other apt-key operations including verify fail if
> a file in /etc/apt/trusted.gpg.d/ is unreadable for the _apt user, so
> that could be it, too (and would explain Timo's "fix").
>
>
> So, perhaps you can redo your tests, but as _apt e.g. with:
> su _apt -s /bin/sh -c 'apt-key list'

This system has:

/etc/passwd: _apt:x:102:65534::/nonexistent:/bin/false
/etc/group: nogroup:x:65534:

and, as it's supposed to be:

drwxrwxrwt 4 root root 4096 авг 21 08:44 /tmp/

but also:

(sid)root@janacopoulos:~# find /etc/apt/trusted.gpg.d -ls
4718724 4 drwxr-xr-x 2 root root 4096 авг 21 07:20 /etc/apt/trusted.gpg.d
4718743 16 -rw------- 1 root root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/trustdb.gpg
4718745 16 -rw------- 1 root root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/multistrap.gpg
4938951 4 -rw-r--r-- 1 root root 4084 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
4939151 4 -rw-r--r-- 1 root root 2853 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
4939152 4 -rw-r--r-- 1 root root 3780 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
4939153 4 -rw-r--r-- 1 root root 2851 јун 2 2012 /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
4720919 8 -rw-r--r-- 1 root root 5138 нов 30 2014 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
4720928 8 -rw-r--r-- 1 root root 5147 нов 30 2014 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
4720924 4 -rw-r--r-- 1 root root 2775 нов 30 2014 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg

It still gives

(sid)root@janacopoulos:~# apt update
Hit:1 http://ftp.nl.debian.org/debian sid InRelease
Err:1 http://ftp.nl.debian.org/debian sid InRelease
At least one invalid signature was encountered.
Reading package lists... Done
Building dependency tree
Reading state information... Done
104 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.nl.debian.org/debian sid InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://httpredir.debian.org/debian/dists/sid/InRelease At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.

And running

su _apt -s /bin/sh -c 'apt-key list'

gives

/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub 4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
Key fingerprint = 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
uid Debian Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub 4096R/C857C906 2014-11-21 [expires: 2022-11-19]
Key fingerprint = D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid Debian Security Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub 4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
Key fingerprint = 75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1
uid Jessie Stable Release Key <debian-rele...@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-rele...@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-rele...@lists.debian.org>

NB: this does not give any error or warning message.

Now, running

(sid)root@janacopoulos:~# chown _apt /etc/apt/trusted.gpg.d/trustdb.gpg /etc/apt/trusted.gpg.d/multistrap.gpg
(sid)root@janacopoulos:~# chmod g+r /etc/apt/trusted.gpg.d/trustdb.gpg /etc/apt/trusted.gpg.d/multistrap.gpg

gives

4718743 16 -rw-r----- 1 _apt root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/trustdb.gpg
4718745 16 -rw-r----- 1 _apt root 13568 авг 26 2013 /etc/apt/trusted.gpg.d/multistrap.gpg

and a fixed:

(sid)root@janacopoulos:~# apt update
Get:1 http://ftp.nl.debian.org/debian sid InRelease [209 kB]
Get:2 http://ftp.nl.debian.org/debian sid/main amd64 Packages.diff/Index [27,9 kB]
Get:3 http://ftp.nl.debian.org/debian sid/main Translation-en.diff/Index [27,9 kB]
Get:4 http://ftp.nl.debian.org/debian sid/main amd64 Packages 2016-08-21-0903.33.pdiff [4157 B]
Get:5 http://ftp.nl.debian.org/debian sid/main amd64 Packages 2016-08-21-1517.48.pdiff [8986 B]
[...]
Get:34 http://ftp.nl.debian.org/debian sid/main Translation-en 2016-08-25-0317.44.pdiff [288 B]
Get:34 http://ftp.nl.debian.org/debian sid/main Translation-en 2016-08-25-0317.44.pdiff [288 B]
Fetched 522 kB in 2s (174 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
104 packages can be upgraded. Run 'apt list --upgradable' to see them.

(And running

(sid)root@janacopoulos:~# su _apt -s /bin/sh -c 'apt-key list'

gives

/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub 4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
Key fingerprint = 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
uid Debian Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub 4096R/C857C906 2014-11-21 [expires: 2022-11-19]
Key fingerprint = D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid Debian Security Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub 4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
Key fingerprint = 75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1
uid Jessie Stable Release Key <debian-rele...@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-rele...@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-rele...@lists.debian.org>

/etc/apt/trusted.gpg.d/multistrap.gpg
-------------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-rele...@lists.debian.org>

pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmas...@debian.org>

pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-rele...@lists.debian.org>

pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>

/etc/apt/trusted.gpg.d/trustdb.gpg
----------------------------------
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-rele...@lists.debian.org>

pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmas...@debian.org>

pub 4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
Key fingerprint = ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
uid Wheezy Stable Release Key <debian-rele...@lists.debian.org>

pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
Key fingerprint = A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>

(The previously silently ignored multistrap keys are now shown too.)
)

Perhaps a note on these more strict requirements on ownership/permissions of keys in /etc/apt/trusted.gpg.d/ could be added to apt's NEWS.Debian?

Thanks a lot again,

Bye,

Joost
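
A read-only pre-check for the failure discussed in this thread, as an added example that is not part of the original mail or of apt: it lists files in a keyring directory that a given uid/gid cannot read, judged from owner, group and mode bits only. The function names `unreadable_for` and `demo` and the sample files are constructed for illustration; GNU stat is assumed, and ACLs, supplementary groups and directory search permission are not checked.

```shell
#!/bin/sh
# Added example (not from the original mail or from apt).
# Lists regular files in a directory that a given uid/gid cannot read,
# judged from owner, group and mode bits only. ACLs, supplementary groups
# and directory search permission are ignored. Requires GNU stat.

# unreadable_for UID GID DIR -> one path per line for each unreadable file
unreadable_for() {
    uid=$1 gid=$2 dir=$3
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # %u = owner uid, %g = owner gid, %a = octal mode (e.g. 600)
        set -- $(stat -c '%u %g %a' "$f")
        fuid=$1 fgid=$2 perm=$((0$3))
        if [ "$uid" -eq 0 ]; then
            continue                      # root bypasses mode bits
        elif [ "$uid" -eq "$fuid" ]; then
            bit=$((perm & 0400))          # owner class applies
        elif [ "$gid" -eq "$fgid" ]; then
            bit=$((perm & 0040))          # group class applies
        else
            bit=$((perm & 0004))          # "other" class applies
        fi
        [ "$bit" -ne 0 ] || printf '%s\n' "$f"
    done
}

# Constructed sample modelled on the listing in the mail: one 0600 keyring
# and one 0644 keyring, checked for a uid/gid that owns neither.
demo() {
    d=$(mktemp -d)
    : > "$d/trustdb.gpg"
    chmod 600 "$d/trustdb.gpg"
    : > "$d/debian-archive-jessie-stable.gpg"
    chmod 644 "$d/debian-archive-jessie-stable.gpg"
    other_uid=$(( $(stat -c %u "$d/trustdb.gpg") + 1 ))   # not the owner
    other_gid=$(( $(stat -c %g "$d/trustdb.gpg") + 1 ))   # not the group
    unreadable_for "$other_uid" "$other_gid" "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

demo   # prints: trustdb.gpg
```

On a Debian system the same function can be pointed at the real directory with `unreadable_for "$(id -u _apt)" "$(id -g _apt)" /etc/apt/trusted.gpg.d`.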