On Fri, Nov 29, 2024 at 03:31:58AM +0100, Guillem Jover wrote:
> Package: apt
> Version: 2.9.15
> Severity: serious
> Justification: I pondered initially on important, but given that this
> is a regression that prevents repo usage, it seems worth serious to me.
>
> Hi!
>
> The latest release made some repos stop working as apt is now refusing
> to use the specified keyring when it ends in «.pgp»
You essentially exploited a bug in apt-key where it was not correctly
checking single signing keys and worked around the documented behavior.

This poses a tricky question for us because it means there's not just
.pgp possibly, maybe someone named their keys .banana.

But I think we can fix this: We move the else if for .asc up, drop the
extension check on the binary file verification and add a warning to
use `.pgp` if you specify a weird one like `.banana`

>
> ,---
> …
> Err:4 https://…/… … InRelease
> The following signatures couldn't be verified because the public key is not
> available: NO_PUBKEY …
> …
> Warning: https://…/…/InRelease: The key(s) in the keyring
> /usr/share/keyrings/….pgp are ignored as the file has an unsupported filetype.
> Warning: An error occurred during the signature verification. The repository
> is not updated and the previous index files will be used. GPG error:
> https://…/… … InRelease: The following signatures couldn't be verified
> because the public key is not available: NO_PUBKEY …
> Warning: Failed to fetch https://…/…/InRelease The following signatures
> couldn't be verified because the public key is not available: NO_PUBKEY …
> Warning: Some index files failed to download. They have been ignored, or old
> ones used instead.
> `---
>
> Enforcing «.gpg» (and «.asc») as the only allowed extensions seems
> wrong, because «.gpg» is an implementation specific name, which does
> not match the standard (OpenPGP) this is based on, where the more
> neutral name to use is «.pgp». So either «.pgp» should be explicitly
> allowed or the extension and format checks should be removed, as the
> OpenPGP implementation in use should be able to reject unknown
> keyrings.
Tell that to GnuPG :D

$ gpgv --keyring $PWD/COPYING --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib//apt/lists/_etc_apt_mirrors.list_dists_plucky_InRelease
gpgv: Signature made Fr 29 Nov 2024 08:41:32 CET
gpgv:                using RSA key F6ECB3762474EDA9D21B7022871920D1991BC93C
gpgv: [don't know]: invalid packet (ctb=46)
gpgv: keydb_search failed: Invalid packet
gpgv: [don't know]: invalid packet (ctb=46)
gpgv: keydb_search failed: Invalid packet
gpgv: Can't check signature: No public key

$ gpgv-sq --keyring $PWD/COPYING --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib//apt/lists/_etc_apt_mirrors.list_dists_plucky_InRelease
gpgv: error: Loading keyring "/home/jak/Projects/Debian/apt/COPYING"
gpgv: because: EOF
gpgv: error: Reading the keyring "/home/jak/Projects/Debian/apt/COPYING"
gpgv: because: Loading keyring "/home/jak/Projects/Debian/apt/COPYING"
gpgv: because: EOF
gpgv: Signature made Fri Nov 29 08:41:32 2024 +01:00
gpgv:                using RSA key F6ECB3762474EDA9D21B7022871920D1991BC93C
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2018) <ftpmas...@ubuntu.com>"

>
> Ideally «.pgp» would be allowed everywhere currently expecting «.gpg»,
> including say «Release.gpg» (even if that's considered deprecated).
> And apt would encourage to use the vendor-neutral extension.

Release.pgp won't happen.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
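Added illustration, not part of the thread and not apt's or GnuPG's code: a small content sniffer that does what the two messages above argue about, namely deciding whether a keyring file is a binary OpenPGP keyring, an ASCII-armored one, or neither, by looking at the bytes rather than at the extension, and then only warning about an unusual extension such as `.banana` the way the proposed fix describes. It also decodes the cipher type byte so the `invalid packet (ctb=46)` line from the gpgv run makes sense: 0x46 is the ASCII letter `F`, and any byte with bit 7 clear can never start an OpenPGP packet. The function names, the warning wording and the sample inputs are all constructed for this example.

```python
"""Sniff an OpenPGP keyring by content instead of by file extension (example, not apt code)."""
import os

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6                                # RFC 4880 5.5.1.1: Public-Key Packet
KNOWN_EXTENSIONS = (".gpg", ".pgp", ".asc")       # .pgp is the vendor-neutral name argued for above


def packet_tag(ctb: int):
    """Decode the packet tag from a cipher type byte (RFC 4880 4.2).

    Returns None when bit 7 is clear. That is exactly the situation gpgv
    reports as "invalid packet (ctb=..)": 0x46 is the letter 'F' of a text file.
    """
    if not ctb & 0x80:
        return None
    if ctb & 0x40:                  # new-format header: tag lives in bits 0-5
        return ctb & 0x3F
    return (ctb >> 2) & 0x0F        # old-format header: tag lives in bits 2-5


def classify_keyring(data: bytes) -> str:
    """Return 'armored', 'binary' or 'unknown' for the given file content."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    # A binary keyring is a sequence of transferable public keys, so the
    # very first packet must be a Public-Key packet.
    if data and packet_tag(data[0]) == PUBLIC_KEY_TAG:
        return "binary"
    return "unknown"


def check_keyring_file(path: str, data: bytes):
    """Decide the format by content; only *warn* about an odd extension.

    Mirrors the fix proposed in the thread (assumption: hypothetical helper,
    not the actual apt implementation). Returns (format, list_of_warnings).
    """
    fmt = classify_keyring(data)
    ext = os.path.splitext(path)[1]
    warnings = []
    if fmt == "unknown":
        if data:
            warnings.append(f"{path}: not an OpenPGP keyring (first byte 0x{data[0]:02x})")
        else:
            warnings.append(f"{path}: empty file")
    elif ext not in KNOWN_EXTENSIONS:
        warnings.append(f"{path}: unusual keyring extension {ext!r}, consider renaming to .pgp")
    return fmt, warnings


# Constructed samples (not real keys): a minimal old-format Public-Key packet
# header (0x99 = tag 6 with a two-byte length), a new-format one (0xC6), an
# armored block, and a plain-text file standing in for the COPYING used above.
SAMPLE_BINARY_OLD = b"\x99\x00\x03\x04\x00\x00"
SAMPLE_BINARY_NEW = b"\xc6\x03\x04\x00\x00"
SAMPLE_ARMORED = ARMOR_HEADER + b"\n\nBASE64DATAHERE=\n-----END PGP PUBLIC KEY BLOCK-----\n"
SAMPLE_TEXT = b"Full text of a license, not a key\n"

if __name__ == "__main__":
    for name, blob in [("archive.gpg", SAMPLE_BINARY_OLD),
                       ("archive.banana", SAMPLE_BINARY_NEW),
                       ("archive.asc", SAMPLE_ARMORED),
                       ("COPYING", SAMPLE_TEXT)]:
        fmt, warns = check_keyring_file(name, blob)
        print(name, fmt, *warns, sep="\n  ")
```

The point of sniffing the first packet is that a file which is not a keyring at all is rejected with a clear message, while a genuine keyring with a non-standard name keeps working and only gets a nudge towards `.pgp`; the gpgv run above shows why relying on the OpenPGP implementation alone for that rejection gives a much less helpful diagnostic.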