[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
Currently apt-key del can be called with a given key to remove it w/o having to check if it's in the database. Reporting an error would likely break existing packages.

** Changed in: apt (Ubuntu)
       Status: Triaged => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1481871

Title:
  apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats

Status in apt package in Ubuntu:
  Won't Fix

Bug description:
  Description: Ubuntu 14.04.3 LTS
  Release: 14.04

  apt:
    Installed: 1.0.1ubuntu2.10

  apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 7A82B743B9B8E46F12C733FA4759FA960E27C0A6
  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is here
  apt-key del 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # delete key
  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is still here

  # Works fine with IDs
  apt-key del 0E27C0A6
  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # nothing exported

  # Works fine with fingerprint on Precise

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1481871/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
Just as a side note:

1) apt-key via debootstrap is currently broken on Bionic anyway (gpgv1 to gpgv2 side effects probably), see https://bugs.launchpad.net/ubuntu/+source/debootstrap/+bug/1767319

2) apt-key seems to be deprecated and should not be used any more on newer systems, so maybe the bug is a good starter for enforcing deprecation after bionic: https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060428.html
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
Confirmed on xenial:

root@ubuntu:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
root@ubuntu:~# apt-key list|grep -A3 ownCloud
uid ownCloud build service
sub 2048R/8DE365D9 2013-08-26 [expires: 2018-08-25]
sub 2048D/86EB6027 2013-08-26 [expires: 2018-08-25]
sub 2048g/1722EF54 2013-08-26 [expires: 2018-08-25]
root@ubuntu:~# apt-key del 8DE365D9
OK
root@ubuntu:~# apt-key list|grep -A3 ownCloud
uid ownCloud build service
sub 2048R/8DE365D9 2013-08-26 [expires: 2018-08-25]
sub 2048D/86EB6027 2013-08-26 [expires: 2018-08-25]
sub 2048g/1722EF54 2013-08-26 [expires: 2018-08-25]
root@ubuntu:~#
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
Can confirm this is still apparent in 17.10 and affects me
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
** Changed in: apt (Ubuntu)
       Status: Confirmed => Triaged
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
David, the CVE would be strictly for reporting "OK" to a delete command that did not actually delete anything. When an admin tries to remove a trusted key, the tools should either report success when it does, or failure when it cannot.

I'm worried about the "apt-key adv --recv-key" issue; that's certainly not mentioned in the manpages the last few times I've used this. We should remove this advice from the manpage or provide a warning that it is not safe to use this, despite previous recommendations.

Thanks
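A way to verify a deletion rather than trusting the "OK" discussed above, as an added example that is not part of this thread or of apt: the functions below accept a short ID, a long ID or a full fingerprint and report whether a matching key is still in a `gpg --with-colons --fingerprint` listing. The function names and the sample listing are constructed for illustration; only the first fingerprint is taken from the bug report.

```shell
#!/bin/sh
# Added example (not apt code). Checks a keyring listing for a key, given a
# short ID, long ID or full fingerprint, so a delete can be verified.

# Constructed sample in `gpg --with-colons --fingerprint` record format.
# Only the first fingerprint comes from the bug report; the rest is made up.
BEFORE='pub:-:4096:1:4759FA960E27C0A6:1400000000:::-:::scESC:
fpr:::::::::7A82B743B9B8E46F12C733FA4759FA960E27C0A6:
uid:-::::1400000000::::Constructed Example Key::
pub:-:4096:1:CCDDEEFF01234567:1400000000:::-:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:-::::1400000000::::Constructed Other Key::'
# Listing as it should look once the first key is really gone.
AFTER=$(printf '%s\n' "$BEFORE" | sed '1,3d')

# Print ID as upper-case hex without spaces or 0x; fail unless 8/16/40 digits.
normalize_keyid() {
    id=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    id=${id#0[xX]}
    case $id in ''|*[!0-9A-F]*) return 1 ;; esac
    case ${#id} in
        8|16|40) printf '%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# key_present LISTING ID: 0 if present, 1 if absent, 2 if ID is malformed.
# For v4 keys the long and short IDs are the trailing 16 and 8 hex digits of
# the fingerprint, so every accepted form is compared as a suffix of field 10.
key_present() {
    want=$(normalize_keyid "$2") || return 2
    printf '%s\n' "$1" | awk -F: -v want="$want" '
        $1 == "fpr" && length($10) >= length(want) &&
            substr($10, length($10) - length(want) + 1) == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# removal_status LISTING_AFTER_DELETE ID: prints the verdict; 0 only if gone.
removal_status() {
    rc=0
    key_present "$1" "$2" || rc=$?
    case $rc in
        0) echo still-present; return 1 ;;
        1) echo removed; return 0 ;;
        *) echo bad-id; return 2 ;;
    esac
}
```

On a real system the listing would come from `gpg --no-default-keyring --keyring <file> --with-colons --fingerprint --list-keys`, run once per keyring file.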
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
> Does this issue have a CVE assigned yet? Does it have a Debian bugreport yet?

It has neither and it needs neither in my humble opinion.

The longid issue had its own bugreport in Debian (#754436) which used the included patch (more or less) for Jessie while the 1.1 series (at that time already) had apt-key rewritten fixing this among other things. The unblock request back then mentions explicitly the inability of apt/jessie to work with fingerprints at the benefit of not introducing untested changes late in the release process. As already mentioned 1.1 in Debian (and Ubuntu) supports fingerprints just fine, so there isn't anything left to be done for Debian.

In the end, "apt-key del" is supposed to be used only to get away from using apt-key as what you are supposed to be doing is ship your own -keyring package which contains a /etc/apt/trusted.gpg.d/ fragment file instead of using "apt-key add /path/to/file" to add your key to a central file (from which you have to delete it again on remove with "apt-key del"). I doubt the chances to have a collision even with shortids among archive keyrings in the wild are high. With longids it's even less likely. And what exactly is to be gained by such a collision given that all you get is to take another key (you collide with) with you at the time your maintainerscript (run with root rights I have to add) removes it…

[That "apt-key del" isn't failing and can't be changed to do it if it hasn't removed a key is btw based on the problem that it's mostly called by maintainerscripts, which don't ignore failures]

If on the other hand you happen to think you could revert an "apt-key adv" command like "--recv-key" with an "apt-key del" you are wrong as it isn't safe to fetch a key directly into an always trusted keyring to begin with (mainly as you can't be sure that gpg is actually inserting the key you wanted it to and no amount of fingerprint is helping here).

See this subthread (and followups) for the written affirmation of Debian's gnupg maintainer(s) that you can't: https://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/2015-August/002802.html [just so you don't have to "just trust me" on this].

So, in summary, I believe that the chance that you have a security bug on your(!) side based on the idea that you need a fingerprint in this scenario to interact with apt-key is a lot higher than the chance to encounter a collision even on short keyids in this scenario.
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
Does this issue have a CVE assigned yet? Does it have a Debian bugreport yet?

Thanks
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
I also was not able to recreate this on xenial.
[Touch-packages] [Bug 1481871] Re: apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats
** Summary changed:

- apt-key del silenty fails to delete keys due to limited understanding of GPG key ID formats
+ apt-key del silently fails to delete keys due to limited understanding of GPG key ID formats