[Aptitude-devel] Bug#877948: aptitude: false error: "The following signatures were invalid" (gpg con good)

Anonymous anonymous at hoi-polloi.org
Sat Oct 7 15:12:24 UTC 2017 

Package: aptitude
Version: 0.6.11-1+b1
Severity: normal

Dear Maintainer,

There are two repositories which are blocked from "aptitude update" on
the basis of "invalid signature", when in fact gpg reports the
signatures are valid.

* 1st package: gc2latex *

  To reproduce, these steps are taken:

    1) apt-key adv --recv-key 0x5145B9CD752C0197
    2) gpg --keyring /etc/apt/trusted.gpg --edit-key 0x5145B9CD752C0197 trust
    3) Selected full trust ("4")

  To prove that gpg find the signature good:

  $ gpg --verify --keyring /etc/apt/trusted.gpg <(curl -s http://wertarbyte.de/apt/Release.gpg) <(curl -s http://wertarbyte.de/apt/Release)

  results in:

    gpg: Signature made Wed 25 May 2011 11:15:52 PM CEST
        gpg:                using DSA key 5145B9CD752C0197
        gpg: Good signature from "Wertarbyte.de (Software Signing Key) <kontakt at wertarbyte.de>" [unknown]
        gpg: WARNING: This key is not certified with a trusted signature!
        gpg:          There is no indication that the signature belongs to the owner.
        Primary key fingerprint: CC49 F74C 816C 499C 899A  4288 5145 B9CD 752C 0197

  This is the deb line in sources.list:

    deb http://wertarbyte.de/apt/ ./
 
  When doing "aptitude update", the output is:

    W: GPG error: tor+http://wertarbyte.de/apt ./ Release: The following signatures were invalid: CC49F74C816C499C899A42885145B9CD752C0197
    E: The repository 'tor+http://wertarbyte.de/apt ./ Release' is not signed.
    E: Failed to download some files

* 2nd package: pwsafe *

  It's the same problem for pwsafe, which has the sources.list entry:
  
    deb http://packages.steve.org.uk/pwsafe/jessie/ ./

  the gpg key of which can be installed this way:
  
    wget -O - http://packages.steve.org.uk/pwsafe/apt-key.pub | apt-key add -

Note the version info below is on Jessie, but the same problem occurs on recent versions in Stretch.

-- Package-specific info:
Terminal: screen
$DISPLAY is set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.6.11 compiled at Nov  8 2014 13:34:39
Compiler: g++ 4.9.1
Compiled against:
  apt version 4.12.0
  NCurses version 5.9
  libsigc++ version: 2.4.0
  Gtk+ support disabled.
  Qt support disabled.

Current library versions:
  NCurses version: ncurses 5.9.20140913
  cwidget version: 0.5.17
  Apt version: 4.12.0

aptitude linkage:
	linux-vdso.so.1 (0x00007fff97679000)
	/usr/lib/torsocks/libtorsocks.so (0x00007f7d01765000)
	libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12 (0x00007f7d013f5000)
	libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 (0x00007f7d011bf000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f7d00f95000)
	libsigc-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0 (0x00007f7d00d8f000)
	libcwidget.so.3 => /usr/lib/x86_64-linux-gnu/libcwidget.so.3 (0x00007f7d00a79000)
	libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f7d007b0000)
	libboost_iostreams.so.1.55.0 => /usr/lib/x86_64-linux-gnu/libboost_iostreams.so.1.55.0 (0x00007f7d00598000)
	libxapian.so.22 => /usr/lib/libxapian.so.22 (0x00007f7d00187000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7cfff6a000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f7cffc5f000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f7cff95e000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f7cff748000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7cff39d000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f7cff199000)
	libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f7cfef96000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f7cfed7b000)
	libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f7cfeb6b000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f7cfe948000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f7cfe740000)
	libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f7cfe53b000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f7d01fca000)

-- System Information:
Debian Release: 8.6
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages aptitude depends on:
ii  aptitude-common           0.6.11-1
ii  libapt-pkg4.12            1.0.9.8.3
ii  libboost-iostreams1.55.0  1.55.0+dfsg-3
ii  libc6                     2.19-18+deb8u6
ii  libcwidget3               0.5.17-2
ii  libgcc1                   1:4.9.2-10
ii  libncursesw5              5.9+20140913-1+b1
ii  libsigc++-2.0-0c2a        2.4.0-1
ii  libsqlite3-0              3.8.7.1-1+deb8u2
ii  libstdc++6                4.9.2-10
ii  libtinfo5                 5.9+20140913-1+b1
ii  libxapian22               1.2.19-1+deb8u1

Versions of packages aptitude recommends:
ii  aptitude-doc-en [aptitude-doc]  0.6.11-1
ii  libparse-debianchangelog-perl   1.2.0-1.1
ii  sensible-utils                  0.0.9

Versions of packages aptitude suggests:
ii  apt-xapian-index  0.47
pn  debtags           <none>
ii  tasksel           3.31+deb8u1

-- no debconf information

More information about the Aptitude-devel mailing list