Source: simple-cdd
Version: 0.6.5
Severity: important

In /usr/share/simple-cdd/tools/mirror/reprepro, a repository is
initialized to mirror your target distributions, and its "distributions"
configuration file contains lines like: 

  VerifyRelease: ${verify_release_keys}

This basically tells reprepro to *verify* the Release files when
assembling the mirror, using the key listed in ${verify_release_keys};
that variable is constructed by dynamically extracting keys from
simple-cdd's keyring, which defaults to:

  /usr/share/keyrings/debian-archive-keyring.gpg

On Stretch, this file contains the following expired wheezy key:

  pub   rsa4096 2012-05-08 [SC] [expired: 2019-05-07]
      ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
  uid [ expired] Wheezy Stable Release Key <debian-rele...@lists.debian.org>
Since a single expired key in a VerifyRelease line is enough for
reprepro to refuse to perform any verification, any image creation
fails; it doesn't matter what distribution your image targets:

  ERROR reprepro: updating package lists: VerifyRelease condition '6FB2A1C265FFB764|8B48AD6246925553|...'
  ERROR reprepro: updating package lists: (To use it anyway, append it with a '!' to force usage).
  ERROR reprepro: updating package lists: There have been errors!
  ERROR reprepro failed with exit code: 255

Removing the key from /usr/share/keyrings/debian-archive-keyring.gpg of
course fixes the issue, but a more proper workaround involves passing
simple-cdd a dedicated, pruned keyring:

  cp /usr/share/keyrings/debian-archive-keyring.gpg ~/
  apt-key --keyring ~/debian-archive-keyring.gpg del ED6D65271AACF0FF15D123036FB2A1C265FFB764
  simple-cdd [...] --keyring ~/debian-archive-keyring.gpg [...]

A proper patch to /usr/share/simple-cdd/tools/mirror/reprepro would
probably involve checking each key's expiration date, and appending "!"
to it if necessary.

Cheers,

-- 
Seb

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-3-amd64 (SMP w/36 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_DIE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled