Package: mini-dinstall
Version: 0.7.0
Severity: normal
Tags: patch
Dear Maintainer,
It seems that due to gnupg fussiness, package signature verification
doesn't always work as intended:
mini-dinstall [3082992768] INFO: Booting mini-dinstall 0.7.0
mini-dinstall [3082992768] INFO: Initializing archive indexer local
mini-dinstall [3082992768] INFO: Initializing incoming processor
mini-dinstall [3060816704] INFO: Created new installer thread (incoming)
mini-dinstall [3060816704] INFO: Entering batch mode...
mini-dinstall [3060816704] INFO: Examining "/opt/packages/repo/mini-dinstall/incoming/conf-base_1.1_amd64.changes"
mini-dinstall [3060816704] INFO: Preparing to install "/opt/packages/repo/mini-dinstall/incoming/conf-base_1.1_amd64.changes" in archive local
mini-dinstall [3060816704] INFO: Verifying signature on "/opt/packages/repo/mini-dinstall/incoming/conf-base_1.1_amd64.changes"
gpgv: keyblock resource '/usr/share/keyrings/debian-keyring.gpg': No such file or directory
gpgv: keyblock resource '/usr/share/keyrings/debian-keyring.pgp': No such file or directory
gpgv: Signature made Thu 29 Dec 2022 12:39:08 AWST
gpgv: using RSA key 807A25AE2435E1A4796E638D13E2D69CD37845D8
gpgv: issuer "[email protected]"
gpgv: Good signature from "[email protected]"
mini-dinstall [3060816704] ERROR: Failed to verify signature on "/opt/packages/repo/mini-dinstall/incoming/conf-base_1.1_amd64.changes": 'gpgv exited with error code 2'
mini-dinstall [3060816704] INFO: Rejecting "/opt/packages/repo/mini-dinstall/incoming/conf-base_1.1_amd64.changes": GPGSigVerificationFailure('gpgv exited with error code 2', b'')
mini-dinstall [3060816704] INFO: Failed to install "/opt/packages/repo/mini-dinstall/incoming/conf-base_1.1_amd64.changes"
Further debugging shows that it's because gnupg is being super fussy (also,
I don't have debian-keyring installed, which I assume provides the two
keyrings that gpgv is failing to find):
packages@yipyap:~$ /usr/bin/gpgv --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-keyring.pgp --keyring /etc/dpkg/local-keyring.gpg /opt/packages/repo/mini-dinstall/REJECT/conf-base_1.1_amd64.changes;echo $?
gpgv: keyblock resource '/usr/share/keyrings/debian-keyring.gpg': No such file or directory
gpgv: keyblock resource '/usr/share/keyrings/debian-keyring.pgp': No such file or directory
gpgv: Signature made Thu 29 Dec 2022 12:39:08 AWST
gpgv: using RSA key 807A25AE2435E1A4796E638D13E2D69CD37845D8
gpgv: issuer "[email protected]"
gpgv: Good signature from "[email protected]"
2
packages@yipyap:~$ /usr/bin/gpgv --keyring /etc/dpkg/local-keyring.gpg /opt/packages/repo/mini-dinstall/REJECT/conf-base_1.1_amd64.changes;echo $?
gpgv: Signature made Thu 29 Dec 2022 12:39:08 AWST
gpgv: using RSA key 807A25AE2435E1A4796E638D13E2D69CD37845D8
gpgv: issuer "[email protected]"
gpgv: Good signature from "[email protected]"
0
(yes, my key is in local-keyring.gpg, after eventually working out that
gpgv isn't looking in trustedkeys.kbx (but would have had it not been told
to use the nonexistent keyrings))
I suggest something like the attached patch against DebianSigVerifier.py.
(BTW I notice that the keyrings list gets piped through os.path.expanduser,
but extra_keyrings doesn't)
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'oldstable'), (470, 'stable'), (460, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 5.10.0-17-686-pae (SMP w/1 CPU thread)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mini-dinstall depends on:
ii apt-utils 2.2.4
ii python3 3.9.2-3
ii python3-apt 2.2.1
Versions of packages mini-dinstall recommends:
ii gpgv 2.2.27-2+deb11u2
Versions of packages mini-dinstall suggests:
pn debian-keyring <none>
-- no debconf information
29c29,32
< keyrings = ['/usr/share/keyrings/debian-keyring.gpg',
'/usr/share/keyrings/debian-keyring.pgp']
---
> keyrings = []
> for keyring in ['/usr/share/keyrings/debian-keyring.gpg',
> '/usr/share/keyrings/debian-keyring.pgp']:
> if os.access(keyring, os.R_OK):
> keyrings.append(keyring)
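Review bot: the `os.access(keyring, os.R_OK)` filter in the new loop drops an unreadable keyring silently, so when neither debian-keyring file is present and no extra keyring is configured, gpgv would be run with no --keyring argument and, as the report notes, would then consult its default trustedkeys.kbx. That changes which keys are trusted without any trace in the log. Suggest logging each skipped keyring at INFO or WARNING level and deciding explicitly whether an empty keyring list should be treated as a configuration error rather than passed through. The filter also covers only the two built-in paths; a nonexistent entry in extra_keyrings would presumably still produce the exit code 2 shown above, so the same readability check (after os.path.expanduser) should be applied to that list as well.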