I just ran into the same issue. What's not obvious from the original post, though, is that apt-key reports back that it deleted the key "OK" - but actually did not:
root@mybox:~# apt-key list | grep 79EAFD54 pub 1024D/79EAFD54 2009-01-22 [expired: 2013-06-28] root@mybox:~# apt-key adv --keyid-format long --list-key 79EAFD54 Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.0hGkImk1B8 --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/xorg-edgers-ppa.gpg --keyid-format long --list-key 79EAFD54 pub 1024D/BED1E87979EAFD54 2009-01-22 [expired: 2013-06-28] uid security OBS Project <secur...@build.opensuse.org> root@mybox:~# apt-key del BED1E87979EAFD54 OK root@mybox:~# apt-key list | grep 79EAFD54 pub 1024D/79EAFD54 2009-01-22 [expired: 2013-06-28] As such, if you supply a key ID as an argument to "apt-key del" in any GnuPG supported format other than the 'old' short key ID format without leading "0x" (so just the last 8 bytes of the key's fingerprint, ") the result is that your command is *silently ignored*. (There seem to be some non-defined GPG formnats which will return an error message, such as when using the last 6 or 10 (but not 12) bytes of the fingerprint). This can result in users and applications alike meaning to revoke trust on an APT archive keyring, being told they succeeded in doing so, but actually failing. As such, from my perspective, this is a security bug. This was Ubuntu 14.04.3 LTS x86_64 with the latest updates installed and no held packages (but some third party PPAs). I have not tried to reproduce this issue on any other Ubuntu releases. I tried to reproduce this behaviour on Debian GNU/Linux 8.2 "Jessie" but was unable to. ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1481871 Title: apt-key del doesn't understand fingerprint Status in apt package in Ubuntu: Confirmed Bug description: Description: Ubuntu 14.04.3 LTS Release: 14.04 apt: Installed: 1.0.1ubuntu2.10 apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is here apt-key del 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # delete key apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is still here # Works fine with IDs apt-key del 0E27C0A6 apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # nothing exported # Works fine with fingerprint on Precise To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1481871/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
