Package: apt
Version: 0.6.46.4
Severity: grave
Tags: d-i

All d-i installs are broken today, because a new version of
debian-archive-keyring exposed a bug in apt-key, causing it to remove
the wrong key during a debootstrap, leaving the system without the
current etch automatic signing key.

This illustrates the bug:

$ gpg  --no-default-keyring --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg --with-colons --list-keys | grep ^pub
pub:e:1024:1:6FFA8EF91DB114E0:2004-01-15:2005-01-27::-:Debian Archive Automatic Signing Key (2004) <[EMAIL PROTECTED]>::sc:
pub:e:1024:17:F1D53D8C4F368D5D:2005-01-31:2006-01-31::-:Debian Archive Automatic Signing Key (2005) <[EMAIL PROTECTED]>::sca:
pub:-:1024:17:E415B2B4B5F5BBED:2005-04-24:::-:Debian AMD64 Archive Key <debian-amd64@lists.debian.org>::scESC:
[EMAIL PROTECTED]:~$ gpg  --no-default-keyring --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg --with-colons --list-keys | grep ^pub | cut -d: -f5
6FFA8EF91DB114E0
F1D53D8C4F368D5D
E415B2B4B5F5BBED
[EMAIL PROTECTED]:~$ gpg  --no-default-keyring --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg --with-colons --list-keys| awk '/^pub/{FS=":";print $5}'
Key
F1D53D8C4F368D5D
E415B2B4B5F5BBED

The last command, with awk, is what apt-key does, and note that it does
not output the right thing. Apparently the FS setting only takes effect after
the first match, so awk outputs the 5th _word_ the first time, which happens
to be "key".

I haven't fully analysed how this causes apt-key to remove the wrong thing
from the keyring, but it apparently does.

-- 
see shy jo
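
Added example, not part of the original report and not apt-key's own code: the awk form quoted above run next to two forms that set FS before the first record is read, over a constructed listing in the same --with-colons layout. The function names, the placeholder e-mail addresses and the all_long_keyids guard are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in `gpg --with-colons --list-keys` layout, modelled on
# the listing in the report; the e-mail addresses are placeholders.
sample_listing() {
cat <<'EOF'
pub:e:1024:1:6FFA8EF91DB114E0:2004-01-15:2005-01-27::-:Debian Archive Automatic Signing Key (2004) <placeholder@example.invalid>::sc:
pub:e:1024:17:F1D53D8C4F368D5D:2005-01-31:2006-01-31::-:Debian Archive Automatic Signing Key (2005) <placeholder@example.invalid>::sca:
pub:-:1024:17:E415B2B4B5F5BBED:2005-04-24:::-:Debian AMD64 Archive Key <placeholder@example.invalid>::scESC:
EOF
}

# The form quoted in the report: FS is assigned inside the action, after the
# first record has already been split on whitespace.
keyids_fs_in_action() { awk '/^pub/{FS=":";print $5}'; }

# FS is in place before the first record is read.
keyids_fs_option() { awk -F: '/^pub/{print $5}'; }
keyids_fs_begin()  { awk 'BEGIN{FS=":"} /^pub/{print $5}'; }

# Hypothetical guard: succeed only if stdin is non-empty and every line is a
# 16-hex-digit long key ID, so a stray word never reaches a keyring operation.
all_long_keyids() {
    awk '!/^[0-9A-Fa-f]+$/ || length($0) != 16 {bad=1}
         END {exit (bad || NR == 0)}'
}

# Show the three extractions side by side and what the guard says about each.
for f in keyids_fs_in_action keyids_fs_option keyids_fs_begin; do
    echo "== $f"
    sample_listing | "$f"
    if sample_listing | "$f" | all_long_keyids; then
        echo "-> all lines are long key IDs"
    else
        echo "-> rejected: output contains something that is not a key ID"
    fi
done
```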
