Bug#400526: marked as done (gpg signature validation should not die on unknown keys)

[Debian Bug Tracking System]

Your message dated Sun, 28 Jan 2007 17:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#400526: fixed in debmirror 20070123
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

Package: debmirror
Version: 20060907.1
Severity: normal

debmirror uses a different method to validate the signatures on Release
files than do apt, network-retreiver, etc. debmirror's method fails if
the Release file is signed by any one unknown key, even if it has other
valid sigs from known keys, as happened recently. The correct method
does not have this problem, and works as follows:

gpgv --no-tty --status-fd 1 Release.gpg Release | read_gpg_status

Where a shell version of read_gpg_status is this:

read_gpg_status() {
        while read prefix keyword rest; do
                [ "$prefix" = '[GNUPG:]' ] || continue
                if [ "$keyword" = VALIDSIG ]; then
                        exit 0
                fi
        done
        exit 1
}

Any single valid signature is enough.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages debmirror depends on:
ii  bzip2                         1.0.3-6    high-quality block-sorting file co
ii  libcompress-zlib-perl         1.42-1     Perl module for creation and manip
ii  libdigest-sha1-perl           2.11-1     NIST SHA-1 message digest algorith
ii  liblockfile-simple-perl       0.2.5-7    Simple advisory file locking
ii  libwww-perl                   5.805-1    WWW client/server library for Perl
ii  perl [libdigest-md5-perl]     5.8.8-6.1  Larry Wall's Practical Extraction 
ii  perl-modules [libnet-perl]    5.8.8-6.1  Core Perl modules
ii  rsync                         2.6.9-2    fast remote file copy program (lik

Versions of packages debmirror recommends:
ii  gnupg                         1.4.5-2    GNU privacy guard - a free PGP rep
ii  patch                         2.5.9-4    Apply a diff file to an original

-- no debconf information

-- 
see shy jo

signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

Source: debmirror
Source-Version: 20070123

We believe that the bug you reported is fixed in the latest version of
debmirror, which is due to be installed in the Debian FTP archive:

debmirror_20070123.dsc
  to pool/main/d/debmirror/debmirror_20070123.dsc
debmirror_20070123.tar.gz
  to pool/main/d/debmirror/debmirror_20070123.tar.gz
debmirror_20070123_all.deb
  to pool/main/d/debmirror/debmirror_20070123_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Goswin von Brederlow <[EMAIL PROTECTED]> (supplier of updated debmirror package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 Jan 2007 14:53:14 +0100
Source: debmirror
Binary: debmirror
Architecture: source all
Version: 20070123
Distribution: unstable
Urgency: low
Maintainer: Goswin von Brederlow <[EMAIL PROTECTED]>
Changed-By: Goswin von Brederlow <[EMAIL PROTECTED]>
Description: 
 debmirror  - Debian partial mirror script, with ftp and package pool support
Closes: 386697 386707 397936 399058 399834 400054 400526 401245
Changes: 
 debmirror (20070123) unstable; urgency=low
 .
   * Add dependency for libdigest-sha1-perl (ACK NMU) (Closes: #386707)
   * Change manpage entry for --pdiff (Closes: #386697)
   * Fix Release.gpg check to use gpgv (Closes: #400526)
   * Fix use of uninitialized value in addition
   * Count errors in pdiff files as small errors (Closes: #400054)
   * Cleanup tempfiles (Closes: 399834)
   * Fix manpage permissions with patch by (Closes: #399058)
     "Dmitry E. Oboukhov" <[EMAIL PROTECTED]>
   * Skip pdiff files if patch binary is missing (Closes: #401245)
   * Skip pdiff files if ed binary is missing and recommend it (Closes: #397936)
Files: 
 3072f05ba56be15afe302a76e31bb5f5 494 net extra debmirror_20070123.dsc
 e89d7b8aae00fbf0743b2cd6bc99d746 22875 net extra debmirror_20070123.tar.gz
 c93c6d9d26a9f643544cfc7f9e13ee7c 30276 net extra debmirror_20070123_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFvN6HlAuUx1tI/64RAhDYAKCjS8Ulo6nhFHecMile14IfqL15wQCdH+oz
bf9SGpAIq505joOkplOggMc=
=B857
-----END PGP SIGNATURE-----

--- End Message ---