On Thu, Jun 20, 2024 at 12:39:39PM GMT, Julian Andres Klode wrote:
> Control: reassign -1 gpgv-from-sq
> Control: affects -1 apt
> Control: severity -1 serious
>
> On Wed, Jun 19, 2024 at 09:59:52AM GMT, Pti Zoom wrote:
> > Package: apt
> > Version: 2.9.5
> > Followup-For: Bug #896834
> >
> > Dear Maintainer,
> >
> > *** Reporter, please consider answering these questions, where appropriate ***
> >
> > *_InRelease files fail signing,
> >
> > since 17/06/2024,
> >
> > when upgraded unstable gpgv to 2.2.43-{6,7} !
> >
> > then the package updates are quite stalled.
> >
> > oh dear...should have listened to gpgv package maintainer instead of madly upgrading....
> >
> > symptoms are also similar to bug...
> >
> > #896834 /usr/bin/apt-key: apt-key fails in an lxc environment after upgrade to stretch
> >
> > which from ...
> >
> > apt -o Debug::Acquire::gpgv=1 update
> >
> > gives...
> >
> > "...
> > inside VerifyGetSigners
> > ...
> > Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.dQFfP7 /tmp/apt.data.mOm9vr
> > ...
> > 0% [Working]gpgv exited with status 1
> >
> >
> >
> > Summary:
> > Good:
> > Valid:
> > Bad:
> > Worthless:
> > SoonWorthless:
> > NoPubKey:
> > Signed-By:
> > NODATA: no
> > Err:3 http://deb.debian.org/debian stable InRelease
> > At least one invalid signature was encountered.
> > ...
> > Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stable InRelease: At least one invalid signature was encountered.
> > ..."
> >
> > etc...
> >
> > maybe I shall downgrade to gpgv 2.2.40-1.1+b3 or is there a better setting for gpgv ?
>
> The culprit is gpgv-from-sq as DonKult said, and it is:
>
> jak@jak-t14-g3:~:master$ apt-key verify --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease
> gpgv: error: While parsing rule "ed448"
> gpgv: because: Invalid argument: Unknown public key algorithm: ed
>
> So now it claims it accepts the argument but then it complains about
> unknown public key algorithms. You can verify manually with something
> like:
>
> jak@jak-t14-g3:~:master$ gpgv --assert-pubkey-algo ">=rsa2048,ed25519,ed448" --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease
> gpgv: error: While parsing rule "ed448"
> gpgv: because: Invalid argument: Unknown public key algorithm: ed
>
> (Adjusted for your sources, I'm testing Ubuntu :D)
>
> There are two bugs here:
>
> 1. sq strips the numerical bit from ed448, pretending it is a size. Maybe it
>    doesn't support ed448?
> 2. sq fails on unknown algorithms, when it should silently ignore them. These
>    are not safety critical, it is an allow list after all. If it doesn't support
>    ed448 the right place to fail is when it actually encounters an ed448
>    signature.
>
I want to reiterate what I said upstream: We strongly need this feature, we have a _temporary_ workaround in place, but this is not a long term solution, but rather a release critical bug - we should not release trixie with an APT that is not able to enforce its crypto policy.

Hence we need this implemented in gpgv-from-sq in addition to gpgv from gnupg2, or we need to declare Conflicts: gpgv-from-sq to make sure APT keeps working correctly.

We need to talk about gnupg 2.4 too at some point; this or a backport is necessary for the APT feature to work, and I will raise this as an RC bug eventually.

Alternatively implementing it just in sq's gpgv implementation and forcing apt to that also would work I suppose and may be the preferable solution for Debian anyhow.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
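As an added illustration of the two parsing bugs discussed in the thread (this is constructed example code, not code from apt, gnupg or sequoia), the following Python models how an allow list such as `--assert-pubkey-algo ">=rsa2048,ed25519,ed448"` can be parsed so that names like ed448 keep their digits and unknown algorithms are skipped instead of rejected; the algorithm name tables and the default comparison operator are assumptions.

```python
import re
from collections import namedtuple

# Constructed model of the gpgv --assert-pubkey-algo allow list, e.g.
# ">=rsa2048,ed25519,ed448". Not code from apt, gnupg or sequoia.
# Names whose trailing digits are part of the name, not a key size (assumed
# table; the real tools know more). These are matched whole, before any
# name+size split, so "ed448" is never read as "ed" with size 448.
FIXED_NAMES = {"ed25519", "ed448", "cv25519", "x448"}
# Algorithms whose rule may carry a size in bits to compare against.
SIZED_NAMES = {"rsa", "dsa", "elg", "ecdsa", "ecdh"}
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       "=": lambda a, b: a == b}
Rule = namedtuple("Rule", "op algo size")  # size is None for fixed names

def parse_rule(text):
    """Parse one entry; return None for an algorithm we do not know."""
    t = text.strip().lower()
    op = "="  # assumed default when no comparison operator is given
    for cand in (">=", "<=", ">", "<", "="):
        if t.startswith(cand):
            op, t = cand, t[len(cand):]
            break
    if t in FIXED_NAMES:
        return Rule(op, t, None)
    m = re.fullmatch(r"([a-z]+)(\d*)", t)
    if m and m.group(1) in SIZED_NAMES:
        return Rule(op, m.group(1), int(m.group(2)) if m.group(2) else None)
    return None

def parse_rules(spec):
    """Split the list; unknown entries are skipped and reported, not fatal."""
    rules, skipped = [], []
    for entry in [e.strip() for e in spec.split(",") if e.strip()]:
        rule = parse_rule(entry)
        if rule is None:
            skipped.append(entry)  # dropping an entry only makes the list stricter
        else:
            rules.append(rule)
    return rules, skipped

def key_allowed(rules, algo, bits):
    """True if at least one rule admits a key of this algorithm and size."""
    return any(r.algo == algo.lower() and (r.size is None or OPS[r.op](bits, r.size))
               for r in rules)
```

Skipped entries are worth logging, since a typo in the policy silently narrows what is accepted rather than failing every verification.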