[Pkg-rust-maintainers] Bug#896834: /usr/bin/apt-key: also unstable with gpgv 2.2.43-{6, 7} ...
Julian Andres Klode
jak at debian.org
Thu Jun 20 15:31:40 BST 2024
On Thu, Jun 20, 2024 at 12:39:39PM GMT, Julian Andres Klode wrote:
> Control: reassign -1 gpgv-from-sq
> Control: affects -1 apt
> Control: severity -1 serious
>
> On Wed, Jun 19, 2024 at 09:59:52AM GMT, Pti Zoom wrote:
> > Package: apt
> > Version: 2.9.5
> > Followup-For: Bug #896834
> >
> > Dear Maintainer,
> >
> > *** Reporter, please consider answering these questions, where appropriate ***
> >
> > *_InRelease files fail signing,
> >
> > since 17/06/2024,
> >
> > when upgraded unstable gpgv to 2.2.43-{6,7} !
> >
> > then the package updates are quite stalled.
> >
> > oh dear...should have listened to gpgv package maintainer instead of madly upgrading....
> >
> > symptoms are also similar to bug...
> >
> > #896834 /usr/bin/apt-key: apt-key fails in an lxc environment after upgrade to stretch
> >
> > which from ...
> >
> > apt -o Debug::Acquire::gpgv=1 update
> >
> > gives...
> >
> > "...
> > inside VerifyGetSigners
> > ...
> > Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.dQFfP7 /tmp/apt.data.mOm9vr
> > ...
> > 0% [Working]gpgv exited with status 1
> > Summary:
> > Good:
> > Valid:
> > Bad:
> > Worthless:
> > SoonWorthless:
> > NoPubKey:
> > Signed-By:
> > NODATA: no
> > Err:3 http://deb.debian.org/debian stable InRelease
> > At least one invalid signature was encountered.
> > ...
> > Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stable InRelease: At least one invalid signature was encountered.
> > ..."
> >
> > etc...
> >
> > maybe I shall downgrade to gpgv 2.2.40-1.1+b3 or is there a better setting for gpgv ?
>
> The culprit is gpgv-from-sq as DonKult said, and it is:
>
> jak at jak-t14-g3:~:master$ apt-key verify --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease
> gpgv: error: While parsing rule "ed448"
> gpgv: because: Invalid argument: Unknown public key algorithm: ed
>
> So now it claims it accepts the argument but then it complains about
> unknown public key algorithms. You can verify manually with something
> like:
>
> jak at jak-t14-g3:~:master$ gpgv --assert-pubkey-algo ">=rsa2048,ed25519,ed448" --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease
> gpgv: error: While parsing rule "ed448"
> gpgv: because: Invalid argument: Unknown public key algorithm: ed
>
> (Adjusted for your sources, I'm testing Ubuntu :D)
>
> There are two bugs here:
>
> 1. sq strips the numerical bit from ed448, pretending it is a size. Maybe it
> doesn't support ed448?
> 2. sq fails on unknown algorithms, when it should silently ignore them. These
> are not safety critical, it is an allow list after all. If it doesn't support
> ed448 the right place to fail is when it actually encounters an ed448 signature.
>
I want to reiterate what I said upstream: We strongly need this
feature, we have a _temporary_ workaround in place, but this is
not a long term solution, but rather a release critical bug - we
should not release trixie with an APT that is not able to enforce
its crypto policy.
Hence we need this implemented in gpgv-from-sq in addition to gpgv
from gnupg2, or we need to declare Conflicts: gpgv-from-sq to make
sure APT keeps working correctly.
We need to talk about gnupg 2.4 too at some point; this or a backport
is necessary for the APT feature to work, and I will raise this as
an RC bug eventually. Alternatively implementing it just in sq's gpgv
implementation and forcing apt to that also would work I suppose and
may be the preferable solution for Debian anyhow.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
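An added illustration, not part of this thread and not GnuPG's or sq's code: a small Rust model of the allow-list semantics Julian describes, where a rule such as "ed448" is kept whole instead of being split into a name and a key size, unknown algorithm names in the list are ignored rather than treated as errors, and an unsupported key is rejected only when one is actually checked. The rule syntax, the set of known names and the key algorithm strings are assumptions.

```rust
// Constructed model of an --assert-pubkey-algo allow list; not GnuPG's or sq's code.
// Names whose trailing digits are part of the name rather than a key size.
const NAMED_CURVES: &[&str] = &["ed25519", "ed448", "cv25519", "x448"];
// Algorithm names this model knows (assumed list); anything else in a rule list is ignored.
const KNOWN: &[&str] = &["rsa", "dsa", "elg", "ecdsa", "ecdh", "ed25519", "ed448", "cv25519", "x448"];
#[derive(Debug)]
struct Rule { op: &'static str, name: String, size: Option<u32> }
/// Split "rsa2048" into ("rsa", Some(2048)) but keep "ed448" whole (Julian's bug 1).
fn split_algo(s: &str) -> (String, Option<u32>) {
    let s = s.to_ascii_lowercase();
    if NAMED_CURVES.contains(&s.as_str()) { return (s, None); }
    let idx = s.find(|c: char| c.is_ascii_digit()).unwrap_or(s.len());
    (s[..idx].to_string(), s[idx..].parse().ok())
}
/// Parse a comma-separated list such as ">=rsa2048,ed25519,ed448".
/// A rule naming an algorithm this model does not know is dropped rather than
/// rejected (Julian's bug 2): in an allow list it can only ever fail to match.
fn parse_rules(list: &str) -> Vec<Rule> {
    list.split(',').filter_map(|item| {
        let item = item.trim();
        let op = [">=", "<=", ">", "<", "="].iter().copied()
            .find(|o| item.starts_with(o)).unwrap_or("");
        let (name, size) = split_algo(&item[op.len()..]);
        KNOWN.contains(&name.as_str()).then_some(Rule { op, name, size })
    }).collect()
}
/// True if a key's algorithm string (assumed form, e.g. "rsa4096") satisfies
/// at least one rule. An algorithm no rule covers is rejected here, at
/// verification time, which is where an unsupported key should fail.
fn key_allowed(rules: &[Rule], key_algo: &str) -> bool {
    let (kname, ksize) = split_algo(key_algo);
    rules.iter().any(|r| r.name == kname && match (r.size, ksize) {
        (None, _) => true, // name-only rule such as "ed25519"
        (Some(want), Some(have)) => match r.op {
            ">=" => have >= want, ">" => have > want,
            "<=" => have <= want, "<" => have < want, _ => have == want,
        },
        (Some(_), None) => false,
    })
}
fn main() {
    let rules = parse_rules(">=rsa2048,ed25519,ed448");
    for k in ["rsa4096", "rsa1024", "ed448", "dsa2048"] {
        println!("{}: {}", k, if key_allowed(&rules, k) { "allowed" } else { "rejected" });
    }
}
```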