Control: tag -1 - moreinfo
Control: reassign -1 apt-listdifferences
Control: retitle -1 apt-listdifferences: Indirectly calls dpkg-source w/o --no-check

[ Replying to the initial report for some context. ]

Hi!

On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> Package: dpkg
> Version: 1.21.9
> Severity: normal
> X-Debbugs-Cc: tmcconnell...@gmail.com

> What led up to the situation? Normal upgrading of system
> 
> What exactly did you do (or not do) that was effective (or ineffective)? 
> Unsure
> these messages started appearing.
> 
> What was the outcome of this action? I now receive multiple lines of: gpgv:
> Signature made Fri 24 Oct 2014 06:23:17 PM CDT
> gpgv:                using RSA key F664D256B4691A7D
> gpgv: Can't check signature: No public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
> gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
> gpgv:                using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
> gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
> gpgv:                using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.94-1.dsc
> apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
> gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
> gpgv:                using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/kconfig_5.94.0-3.dsc
> gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
> gpgv:                using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/kconfig_5.94.0-4.dsc
> 
> When running this command `apt-get dist-upgrade -y -m`
> 
> What outcome did you expect instead? To be sure I'm getting packages from an
> uncompromised repo.

The problem here in the end was (confirmed off-BTS) that
apt-listdifferences is installed on the system, which downloads the
source packages for binary packages being upgraded to debdiff them.
But those source packages had been signed with a weak algorithm, which
is rejected by dpkg-source (even though that command defaults to
warning only).

Because, when the source packages are downloaded from the archive, the
trust anchor has switched from the uploader to the archive, which takes
care of key (re)signing, expiration and rotation, checking the
signatures in the .dsc can be more confusing than helpful. (This would
be a different matter if the .dsc reached the system through some other
means such as scp or sneakernet or whatever.)

So, ideally apt-listdifferences would call debdiff and ask it to pass
--no-check to dpkg-source. But there is currently no such option. I'll
file another report, and block this one with that other one.

Thanks,
Guillem
