Your message dated Mon, 28 Jan 2019 12:04:33 +0000
with message-id <[email protected]>
and subject line Bug#918304: fixed in debmirror 1:2.31
has caused the Debian Bug report #918304,
regarding debmirror wants non-zero gpgv return code, instead of a GOODSIG on --status-fd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere.  Please contact [email protected]
immediately.)

--
918304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918304
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debmirror
Version: 1:2.30
Severity: normal

sid is apparently currently signed by three keys -- automatic signing
keys for wheezy, jessie, and stretch.  I can't justify this (I have no
idea why it should be signed by the wheezy signing key, for example),
but that shouldn't matter for debmirror's purpose.

In practice, debmirror should accept any one good signature from any
of its trusted keys.  However, gpgv returns a non-zero error code if
it notices anything fishy, like a signature that it can't validate,
and debmirror uses that as a chance to bail out.

Here's an example:

2 debmirror@testhost:~$ debmirror --keyring /usr/share/keyrings/debian-archive-stretch-automatic.gpg /srv/debmirror/archive
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 00 1546612061 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7638D0442B90D010 1 8 00 1546612061 9 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] NO_PUBKEY 7638D0442B90D010
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] SIG_ID xEVWVyjJFLGtpwkNoXTkQjo22Ws 2019-01-04 1546612061
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <[email protected]>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2019-01-04 1546612061 0 4 0 1 8 00 E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: Signature made Fri 04 Jan 2019 09:27:41 AM EST
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:41 AM EST
gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:41 AM EST
gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) <[email protected]>"
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 01 1546612062 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7638D0442B90D010 1 8 01 1546612062 9 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] NO_PUBKEY 7638D0442B90D010
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] SIG_ID jhlMnCWh9GquPf8AQBwAiGQAPYU 2019-01-04 1546612062
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <[email protected]>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2019-01-04 1546612062 0 4 0 1 8 01 E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: Signature made Fri 04 Jan 2019 09:27:42 AM EST
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:42 AM EST
gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:42 AM EST
gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) <[email protected]>"
Errors:
 .temp/.tmp/dists/sid/Release.gpg signature does not verify
 .temp/.tmp/dists/sid/InRelease signature does not verify
Failed to download some Release, Release.gpg or InRelease files!
WARNING: releasing 1 pending lock...
2 debmirror@testhost:~$

debmirror's gpg_verify() function should be re-written to account for
this, probably by verifying that *at least one* signature is valid.

While fixing this signature verification, it might also want to ensure
that it's verifying the status-fd output, rather than the return code
(see https://dev.gnupg.org/T1537#100523 and other related discussion
about why the return code is not reliable for what you typically want
to find out from gpgv).

In addition, the verification of InRelease is potentially buggy,
because the processing of the inline signature doesn't verify the
*contents* of the signature -- there could be additional data above or
below the signature -- or multiple things signed.  So any verification
like that needs to probably use the gpgv --output flag, and stash (or
compare) the output to Release itself.

(or something like that, I confess I don't follow all the logic in
debmirror for signature-verification yet)

--dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debmirror depends on:
ii  bzip2                    1.0.6-9
pn  libdigest-md5-perl       <none>
pn  libdigest-sha-perl       <none>
ii  liblockfile-simple-perl  0.208-1
pn  libnet-perl              <none>
ii  libwww-perl              6.36-1
ii  perl                     5.28.1-3
ii  rsync                    3.1.2-2.2
ii  xz-utils                 5.2.2-1.3

Versions of packages debmirror recommends:
ii  ed     1.14.2-2
ii  gpgv   2.2.12-1
ii  patch  2.7.6-3

Versions of packages debmirror suggests:
ii  gnupg  2.2.12-1

-- no debconf information
--- End Message ---
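The two checks the report asks for, as an added example written for this page (Python; it is not debmirror's Perl gpg_verify() and not the APT code the fix later borrowed): parse gpgv's --status-fd records into one record per NEWSIG and accept the file when at least one GOODSIG/VALIDSIG pair comes from a trusted primary-key fingerprint, regardless of gpgv's exit code; and check that an InRelease file is exactly one clearsigned message with nothing before or after it, then extract the signed text so it can be compared with, or stored as, Release. The trust set and status lines are taken from the report's own output; the InRelease sample is constructed and its armored signature is a placeholder, since only the layout is checked.

```python
# Added example for this report (not debmirror's gpg_verify() and not the APT
# code the fix borrowed): judge gpgv --status-fd output by its GOODSIG/VALIDSIG
# records rather than the exit code, and check an InRelease file's layout.

# Constructed trust set: the primary-key fingerprint from the report's VALIDSIG line.
TRUSTED_PRIMARY_FPRS = {"E1CF20DDFFE4B89E802658F1E0B11894F66AEC98"}

# Status records from the report's first gpgv run (KEY_CONSIDERED/SIG_ID lines left out).
STATUS_FD_SAMPLE = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 00 1546612061 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7638D0442B90D010 1 8 00 1546612061 9 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] NO_PUBKEY 7638D0442B90D010
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <[email protected]>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2019-01-04 1546612061 0 4 0 1 8 00 E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
"""

# A signature carrying any of these never counts, even though VALIDSIG may follow them.
FATAL_TAGS = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status_fd(text):
    """One record per signature; every NEWSIG opens a new one.  The tenth
    VALIDSIG field is the primary-key fingerprint, which trust is keyed on."""
    sigs, cur = [], None
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable stderr, not a status record
        fields = line.split()
        tag, args = fields[1], fields[2:]
        if tag == "NEWSIG":
            cur = {"goodsig": False, "validsig": False, "fpr": None, "tags": []}
            sigs.append(cur)
        elif cur is not None:
            cur["tags"].append(tag)
            if tag == "GOODSIG":
                cur["goodsig"] = True
            elif tag == "VALIDSIG":
                cur["validsig"] = True
                cur["fpr"] = args[9] if len(args) > 9 else args[0]
    return sigs


def accept_signatures(sigs, trusted):
    """Trusted primary fingerprints that made a good signature.  Empty means
    reject; non-empty means accept, whatever unknown-key ERRSIGs gpgv also saw."""
    return [
        s["fpr"] for s in sigs
        if s["goodsig"] and s["validsig"]
        and not (set(s["tags"]) & FATAL_TAGS) and s["fpr"] in trusted
    ]


CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed InRelease-like file; the armor body is a placeholder (layout only).
GOOD_INRELEASE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Suite: unstable
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-ARMORED-SIGNATURE-DATA=
-----END PGP SIGNATURE-----
"""
# Constructed: unsigned data placed above the signed block.
BAD_INRELEASE_PREFIX = "Suite: stable\n" + GOOD_INRELEASE


def check_clearsigned_layout(text):
    """(ok, reason): exactly one clearsigned message, no data before it, no
    data after it, no second signed block, and proper armor headers."""
    lines = text.splitlines()
    if not lines or lines[0] != CLEARSIGN_BEGIN:
        return False, "data before the signed message"
    if lines.count(CLEARSIGN_BEGIN) != 1:
        return False, "more than one signed message"
    if lines.count(SIG_BEGIN) != 1 or lines.count(SIG_END) != 1:
        return False, "expected exactly one signature block"
    if lines.index(SIG_END) != len(lines) - 1:
        return False, "data after the signature"
    if "" not in lines[1:lines.index(SIG_BEGIN)]:
        return False, "no blank line after the armor headers"
    return True, "single clearsigned message"


def extract_payload(text):
    """The signed text, dash-unescaped, so it can be compared with Release."""
    ok, reason = check_clearsigned_layout(text)
    if not ok:
        raise ValueError(reason)
    lines = text.splitlines()
    start = lines.index("", 1) + 1          # first line after the armor headers
    end = lines.index(SIG_BEGIN)
    payload = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(payload) + "\n"
```

Running `accept_signatures(parse_status_fd(STATUS_FD_SAMPLE), TRUSTED_PRIMARY_FPRS)` on the report's output yields the stretch key's primary fingerprint, so the file would be accepted even though gpgv exits non-zero for the two keys it cannot find; swapping in the wheezy or jessie fingerprint as the only trusted key yields an empty list and a rejection. For InRelease, the layout check refuses data above or below the signed block and any second signed message, and `extract_payload` hands back only the text the signature actually covers.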
--- Begin Message ---
Source: debmirror
Source-Version: 1:2.31

We believe that the bug you reported is fixed in the latest version of
debmirror, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated debmirror package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 28 Jan 2019 11:41:12 +0000
Source: debmirror
Architecture: source
Version: 1:2.31
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 904927 918304
Changes:
 debmirror (1:2.31) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field
   * d/changelog: Remove trailing whitespaces
 .
   [ Colin Watson ]
   * Fetch Packages-all and Contents-all if they exist (closes: #904927).
   * Fix mirroring of suites that have InRelease but not Release.gpg.
   * Improve GPG verification: accept a signature file as long as there's
     at least one good signature from a trusted key, and borrow code from
     APT to explicitly verify the structure of InRelease files
     (closes: #918304).
Checksums-Sha1:
 228c3bfbde1ad55024599da166679d37dd09767d 1665 debmirror_2.31.dsc
 9673388fa77501b56f1ea45d14db0df6c39dc9e8 54764 debmirror_2.31.tar.xz
 a123593f0ecb4142d9dc8d8cc1ae739840137e4b 7109 debmirror_2.31_source.buildinfo
Checksums-Sha256:
 fb754acde599f5ef0c499d25231d9ed4915d7f9c1cc941da2f66a65ebb8aaae2 1665 debmirror_2.31.dsc
 4ead621f019b7883a218a70449f9694822b2b292fa8099c264f782a2100b44f7 54764 debmirror_2.31.tar.xz
 9135d57f42d3b0d792f2af20aea9099818ad68c17479b0bf4c2225f0f4558282 7109 debmirror_2.31_source.buildinfo
Files:
 ba7dfefcb42eb9faccee833e8607cc68 1665 net optional debmirror_2.31.dsc
 4866887b9095ed1800cc3680a35086f8 54764 net optional debmirror_2.31.tar.xz
 f3c3e5a2b01fec04bd719e013f4d0e72 7109 net optional debmirror_2.31_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlxO6mIACgkQOTWH2X2G
UAtXhQ/9E0xFp1JGg7txjj6JyHoMM8zmjyoIa1OnK/MXH6M5769x7Q61Ce/oKB5K
SEQBcjjIaKNrxrzHD+2Dcg6mRD2NQHW/BDarScIIpjO6XTzFc3xF1vXc+bZ9GATi
aTJHXN8FU5kH0f8hv6eoi40IbGpVXUvg0SIslIgDA6pDdhUbl5x9cK4L+1RH8IH3
CzmRHJ5njAT/Q3QTAKcmK8Eg53i2KxRyjWpz3nHbz9jP/okugsLcVT/l5B1OlV7t
flk9O0wZGiJ5sEDuN3hq2lqLiyah385QVNjiM6E4R8miIQ+Bwl+wS2CPcv9agxzX
UGeBxP0AOTL8ZwbNVEcgTjrLkdy+y7HbUshukbcGrQMHVs/lOeOstZfmZsucJdku
cLgJ7JOpbl+EbFinpN213vpmmeJ6PEW+BsrmNzpnqro9qPeH+U3ORGTjphjrKAX/
FlmdKB3bL26jRsxZvbAWwvdyRvJ5ppilF/pLdQjNdmcXO1uPpDJT+lGZfAt/46l5
pRukqeiI60d3h9wMjY/FMBwg3G8lf+lM5Vtlyp0is2z+5HwwAXQhT4V7R5U7iGOM
A9zI+08ZfDsMlla0skB8fOkAxNKAB+KAyLP+fiMsU+7zggqpli967K9r/8mfgizZ
DKU6fIGgy6+gr+tj1bw4/E7oyJtl/3bjCwONEOKsPQIE8Opm1Vs=
=qD36
-----END PGP SIGNATURE-----
--- End Message ---