Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
On Wed, Jan 04, 2006 at 01:26:26PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> > On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > > Fwiw, the Release.gpg file contains two signatures now, one with the 2005 key and one with the 2006 key, to have a short transition period. The archive still validates with the 2005 key, which isn't expired yet, and I think APT should not spread too worrisome errors at users while the archive can still be verified.
> >
> > Not to contradict you, since my understanding of these issues is strongly limited, but apt seems to think that it cannot validate the archive?
>
> I know, I said should, because I believe apt should deal with the multiple signatures correctly, instead of the current behaviour of (it seems) only looking at the last one and/or requiring all signatures to verify. Apt needs to be satisfied with just at least one of the multiple signatures verifying, so that there can be turnover periods, and for example third party repositories can have multiple signatures too, for certain circumstances.

Sorry for the late reply. I'm working on fixing the gpgv method to properly support multiple signatures right now and will (hopefully) do an upload really soon.

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> Fwiw, the Release.gpg file contains two signatures now, one with the 2005 key and one with the 2006 key, to have a short transition period. The archive still validates with the 2005 key, which isn't expired yet, and I think APT should not spread too worrisome errors at users while the archive can still be verified.

Not to contradict you, since my understanding of these issues is strongly limited, but apt seems to think that it cannot validate the archive?

Running: su -c apt-get upgrade

[...]
The following packages will be upgraded:
  liboil0.3 libsensors3 libssl-dev libssl0.9.8 lm-sensors manpages manpages-dev openssl unzip
[...]
WARNING: The following packages cannot be authenticated!
  libssl-dev openssl libssl0.9.8 manpages manpages-dev liboil0.3 libsensors3 unzip lm-sensors

If I understand that the whole release is what is signed, and that the URLs in the release are therefore trusted (I assume with MD5 checksum), then it seems APT does not believe the release is signed with the 2005 key, or does not know how to 'fall back' to the 2005 key.

-josh
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
I came across the same error this morning. The part that was rather frustrating is that I had no idea where to find the new key. Only by returning to the bug report (where Joey H provided a link) was I able to find it.

http://ftp-master.debian.org/ziyi_key_2006.asc

Most users do not think to check ftp-master. It would be nice to update the following places (where I looked for the new key and found none):

* http://www.debian.org/security/faq
  There's a link to the old key under "Q: How can I check the integrity of packages?"
* keyring.debian.org
  I tried to download the new key from the above key server using the key id and found none.

Also, 'apt-key update' gives one the impression that the problem is easily fixable but it leads to disappointment.

# apt-key update
ERROR: Can't find the archive-keyring
Is the debian-keyring package installed?

After installing debian-keyring, the same error occurs (presumably because of changed filenames?). I suspect the new public key is not in the debian-keyring package anyway.

Regards,
Ed
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > Fwiw, the Release.gpg file contains two signatures now, one with the 2005 key and one with the 2006 key, to have a short transition period. The archive still validates with the 2005 key, which isn't expired yet, and I think APT should not spread too worrisome errors at users while the archive can still be verified.
>
> Not to contradict you, since my understanding of these issues is strongly limited, but apt seems to think that it cannot validate the archive?

I know, I said should, because I believe apt should deal with the multiple signatures correctly, instead of the current behaviour of (it seems) only looking at the last one and/or requiring all signatures to verify. Apt needs to be satisfied with just at least one of the multiple signatures verifying, so that there can be turnover periods, and for example third party repositories can have multiple signatures too, for certain circumstances.

--Jeroen

--
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
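The policy Jeroen asks for above (and that Michael says he is implementing in the gpgv method) is "at least one signature from a trusted key must verify", as opposed to "every signature must verify" or "only the last signature counts". The following is an added example, not apt's own gpgv method code: it classifies the machine-readable status records that `gpgv --status-fd 1 --keyring <ring> Release.gpg Release` prints for each signature in a detached Release.gpg and applies the any-one-good-signature rule next to the strict all-must-verify rule the thread complains about. The key ids, user ids and status transcripts are constructed; the gpgv status tags (GOODSIG, BADSIG, EXPKEYSIG, NO_PUBKEY, NEWSIG) are real.

```python
"""Decide whether a multi-signature Release.gpg authenticates the Release file.

Added example, not apt's own gpgv method.  Policy implemented here (my design,
matching what the thread asks for): the file is authenticated when at least one
signature is a GOODSIG from a key in the trusted keyring.  A signature whose key is
missing from the keyring (NO_PUBKEY) or expired (EXPKEYSIG) does not by itself
reject the file, but a BADSIG (data does not match the signature) always does,
because that means the signed data was altered.
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class SignatureSummary:
    good: list = field(default_factory=list)     # GOODSIG: verified, key trusted
    expired: list = field(default_factory=list)  # EXPKEYSIG: verified, but key expired
    unknown: list = field(default_factory=list)  # NO_PUBKEY: key not in the keyring
    bad: list = field(default_factory=list)      # BADSIG: signature does not match data

    def authenticated(self) -> bool:
        """Any-one-good-signature policy: one GOODSIG suffices unless a BADSIG is present."""
        return bool(self.good) and not self.bad

    def reason(self) -> str:
        if self.bad:
            return "bad signature from " + ", ".join(self.bad)
        if self.good:
            return "signed by " + ", ".join(self.good)
        if self.expired:
            return "only signatures from expired keys: " + ", ".join(self.expired)
        if self.unknown:
            return "no public key for " + ", ".join(self.unknown)
        return "no signature found"


def strict_all_signatures(summary: SignatureSummary) -> bool:
    """The behaviour the thread complains about: every signature must verify.
    During a key turnover this fails for everyone who has not yet imported the new key."""
    return bool(summary.good) and not (summary.bad or summary.expired or summary.unknown)


def parse_gpgv_status(status_text: str) -> SignatureSummary:
    """Classify each signature from gpgv's '[GNUPG:] <TAG> <keyid> ...' status lines."""
    summary = SignatureSummary()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # anything else on the fd is not a status record
        fields = line.split()
        if len(fields) < 3:
            continue  # e.g. NEWSIG, which carries no key id
        tag, keyid = fields[1], fields[2]
        if tag == "GOODSIG":
            summary.good.append(keyid)
        elif tag == "EXPKEYSIG":
            summary.expired.append(keyid)
        elif tag == "NO_PUBKEY":
            summary.unknown.append(keyid)
        elif tag == "BADSIG":
            summary.bad.append(keyid)
    return summary


def verify_release(keyring: str, release_gpg: str, release: str) -> SignatureSummary:
    """Run gpgv against a real keyring and classify its status output (needs gpgv installed)."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, release_gpg, release],
        capture_output=True, text=True, check=False,
    )
    return parse_gpgv_status(proc.stdout)


# Constructed status output for the situation in the thread: Release.gpg carries two
# signatures; the (hypothetical) 2005 key 0A0A0A0A00002005 is in the keyring and not
# yet expired, the (hypothetical) 2006 key 0B0B0B0B00002006 has not been imported yet.
TRANSITION_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0A0A0A0A00002005 Example Archive Signing Key (2005)
[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 0B0B0B0B00002006
"""

# Constructed: the Release file was modified after signing, so the known key's
# signature no longer matches.  Must be rejected even though the key is trusted.
TAMPERED_STATUS = """\
[GNUPG:] BADSIG 0A0A0A0A00002005 Example Archive Signing Key (2005)
[GNUPG:] NO_PUBKEY 0B0B0B0B00002006
"""

# Constructed: the only verifiable signature comes from a key that has since expired.
EXPIRED_ONLY_STATUS = """\
[GNUPG:] EXPKEYSIG 0A0A0A0A00002005 Example Archive Signing Key (2005)
[GNUPG:] NO_PUBKEY 0B0B0B0B00002006
"""


if __name__ == "__main__":
    for name, status in [("transition", TRANSITION_STATUS), ("tampered", TAMPERED_STATUS),
                         ("expired-only", EXPIRED_ONLY_STATUS)]:
        s = parse_gpgv_status(status)
        print(f"{name:13} any-one-good={s.authenticated()!s:5} "
              f"all-must-verify={strict_all_signatures(s)!s:5} ({s.reason()})")
```

Running the block shows the transition case accepted by the any-one-good rule and rejected by the strict rule, which is exactly the year-turnover symptom in this bug; the tampered case is rejected by both. Note that EXPKEYSIG is still a cryptographically valid signature, so whether an expired key should count during a turnover window is a policy choice; the example treats it as not good, which is the conservative reading.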
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
xpost to #345823 and #316344

On Wednesday, 04.01.2006, 03:47 -0800, Edward Buck wrote:
[..]
> I tried to download the new key from the above key server using the key id and found none.
>
> Also, 'apt-key update' gives one the impression that the problem is easily fixable but it leads to disappointment.
>
> # apt-key update
> ERROR: Can't find the archive-keyring
> Is the debian-keyring package installed?
>
> After installing debian-keyring, the same error occurs (presumably because of changed filenames?). I suspect the new public key is not in the debian-keyring package anyway.

Yes. It is more than only a bit disappointing that this bug is still unfixed. There are at least 6 or 7 open bug reports (the oldest with an age of 188 days) talking about this problem.

So a question to the apt and debian-keyring maintainers: What about

- updating debian-role-keys.gpg to contain the 2006 archive key
- fixing apt-key to not try to read non-existing keyrings and instead read debian-role-keys.gpg
- instead of trying to remove all keys found in the non-existing debian-archive-removed-keys.gpg, remove all keys being expired and found in debian-role-keys.gpg
- letting apt-key update the keyring 1 month before the key expires (needs updating the debian-role-keys.gpg also one month before a role key expires)

OR

- adding the missing /usr/share/keyrings/debian-archive-keyring.gpg and /usr/share/keyrings/debian-archive-removed-keys.gpg now

Are there concerns or objections?

Regards,
Daniel
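Daniel's proposal above has two mechanical parts: drop keys from the trusted keyring once they have expired, and act a month before a key expires instead of on the day. The following is an added example, not apt-key's own script or any Debian code: it parses the machine-readable listing that `gpg --with-colons --list-keys --no-default-keyring --keyring <ring>` prints (on `pub` records, field 2 is the validity letter, field 5 the key id, field 7 the expiry as seconds since the epoch or empty for a key that never expires) and derives which key ids are expired, which expire within the next 30 days, and the corresponding `apt-key del` commands. The key ids, dates and keyring listing are constructed; the gpg colon-listing layout and `apt-key del` are real.

```python
"""Find expired and soon-to-expire keys in an archive keyring from gpg's colon listing.

Added example, not apt-key's code.  Reads `pub` records of
`gpg --with-colons --list-keys --no-default-keyring --keyring <ring>` output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class PubKey:
    keyid: str
    validity: str              # gpg validity letter: 'e' expired, 'r' revoked, '-' unknown, ...
    expires: Optional[datetime]  # None when the key never expires

    def expired_at(self, now: datetime) -> bool:
        if self.validity in ("e", "r"):
            return True  # gpg already judged the key unusable
        return self.expires is not None and self.expires <= now


def _parse_gpg_date(text: str) -> Optional[datetime]:
    """Colon-listing dates are seconds since the epoch, or ISO 8601 'YYYYMMDDTHHMMSS'."""
    if not text:
        return None
    if "T" in text:
        return datetime.strptime(text, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def parse_colon_listing(listing: str) -> List[PubKey]:
    """Extract primary keys; uid/sub/tru records are skipped."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 7:
            continue
        keys.append(PubKey(keyid=fields[4], validity=fields[1],
                           expires=_parse_gpg_date(fields[6])))
    return keys


def expired_keyids(keys: List[PubKey], now: datetime) -> List[str]:
    return [k.keyid for k in keys if k.expired_at(now)]


def expiring_within(keys: List[PubKey], now: datetime, days: int = 30) -> List[str]:
    """Keys still valid now but expiring inside the window (Daniel's one-month lead time)."""
    horizon = now + timedelta(days=days)
    return [k.keyid for k in keys
            if not k.expired_at(now) and k.expires is not None and k.expires <= horizon]


def prune_commands(keys: List[PubKey], now: datetime) -> List[str]:
    """The apt-key invocations that would remove the expired keys from APT's trusted set."""
    return ["apt-key del " + keyid for keyid in expired_keyids(keys, now)]


def _epoch(year: int, month: int, day: int) -> str:
    return str(int(datetime(year, month, day, tzinfo=timezone.utc).timestamp()))


# Constructed listing of four hypothetical role keys, as gpg --with-colons would print them.
SAMPLE_LISTING = "\n".join([
    "tru::1:1136332800:0:3:1:5",
    "pub:-:1024:17:0A0A0A0A00002005:%s:%s::-:::scSC:" % (_epoch(2005, 1, 1), _epoch(2006, 1, 31)),
    "uid:-::::%s::0000000000000000000000000000000000000000::Example Archive Key (2005):" % _epoch(2005, 1, 1),
    "pub:-:1024:17:0B0B0B0B00002006:%s:%s::-:::scSC:" % (_epoch(2006, 1, 1), _epoch(2006, 12, 31)),
    "pub:e:1024:17:0C0C0C0C00002004:%s:%s::-:::scSC:" % (_epoch(2004, 1, 1), _epoch(2005, 1, 31)),
    "pub:-:4096:1:0D0D0D0D0000FFFF:%s:::-:::scSC:" % _epoch(2004, 6, 1),  # never expires
])

# Reference "now" matching the date of the thread (constructed for the example).
REFERENCE_NOW = datetime(2006, 1, 4, tzinfo=timezone.utc)


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    print("expired:        ", expired_keyids(keys, REFERENCE_NOW))
    print("expiring <=30d: ", expiring_within(keys, REFERENCE_NOW))
    for cmd in prune_commands(keys, REFERENCE_NOW):
        print(cmd)
```

With the constructed keyring and the thread's date, the 2004 key is reported expired and queued for `apt-key del`, the 2005 key is reported as expiring within 30 days (which is the point at which the replacement key should already be importable), and the 2006 and never-expiring keys are left alone. Removing a key should be a separate, deliberate step from importing the new one: a machine that prunes first and fails to import is left with nothing to verify against, which is the situation the reporters in this bug found themselves in.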
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
I use aptitude and I'm sure I don't know all the ins and outs here. But I do have a suggestion for your consideration:

Stop signing the archives with the 2006 key for now. That will allow those who have been using the 2005 key to continue getting updates. After you have your fixes in place -- and the users have updated their systems with those fixes -- then you can add the 2006 key back in for archive-signing purposes. Maybe you would wait until Feb 1 to start using the 2006 key, for the sake of those who don't update their systems daily.

Again, I admittedly don't know all of the ramifications. I hope that you will, as a part of your fixes, enable users' copies of apt/keyrings to automatically be updated to use the 2006 key based on trust of the 2005 key which they are already using. That would be good for those who don't know about http://ftp-master.debian.org/ziyi_key_2006.asc.

Thank you for considering these possibilities.

Rodger Williams