Control: reassign -1 dpkg-dev 1.21.9
Control: tag -1 moreinfo

Hi!

On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> Package: dpkg
> Version: 1.21.9
> Severity: normal
> X-Debbugs-Cc: tmcconnell...@gmail.com

> What led up to the situation? Normal upgrading of system
> 
> What exactly did you do (or not do) that was effective (or ineffective)? 
> Unsure
> these messages started appearing.
> 
> What was the outcome of this action? I now receive multiple lines of: gpgv:
> Signature made Fri 24 Oct 2014 06:23:17 PM CDT
> gpgv:                using RSA key F664D256B4691A7D
> gpgv: Can't check signature: No public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
> gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
> gpgv:                using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-
> quantreg_5.93-1.dsc
> gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
> gpgv:                using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-
> quantreg_5.94-1.dsc
> apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
> gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
> gpgv:                using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/kconfig_5.94.0-3.dsc
> gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
> gpgv:                using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/kconfig_5.94.0-4.dsc
> 
> When running this command `apt-get dist-upgrade -y -m`

I assume you have something installed that downloads source packages
(and perhaps builds them) as part of the upgrade? Otherwise that seems
uncommon. In any case…

> What outcome did you expect instead? To be sure I'm getting packages from an
> uncompromised repo.

… assuming you are getting the source packages from a Debian
repository, those should have the repository metaindices signed by the
archive keys, which get rotated and updated when necessary, in contrast
to the source package signatures which are created by the person uploading
the source package (and never updated anymore). As such those latter
signatures (when later verified after the archive did the initial
verification on upload) can very easily come from now revoked or expired
keys or from keys for people that are no longer members of the project
and are thus not present in the keyrings, the signatures can be expired
themselves, they might come from keys or signatures which are now
considered weak, which is what happens to be the case here. These
signatures use SHA1 as a hashing algorithm which is no longer considered
secure and get rejected.

For the above reasons apt passes --no-check to dpkg-source, and
dpkg-source does not default to erroring out (unless passing to it
--require-valid-signature), as can be seen from the warnings (not
errors) shown above. So I see no dpkg bug here, perhaps whatever is
calling dpkg-source should also be passing --no-check (if it can
guarantee the source came from a verified repo). Otherwise I'll be
closing this in a bit.

Thanks,
Guillem
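To illustrate the trust chain Guillem describes (archive-key-signed metaindex rather than the uploader's signature on the .dsc), here is an added example, not part of this bug thread or of dpkg or apt: a POSIX shell check that compares a downloaded .dsc against the SHA256 and size recorded for it in an apt Sources index. It assumes `sha256sum` or `shasum` is available and that the Sources index has already been validated against InRelease by apt; the .dsc and Sources contents used when running it are constructed fixtures.

```shell
#!/bin/sh
# Check a downloaded .dsc against the SHA256 and size recorded for it in an
# apt Sources index, instead of relying on the (possibly stale or weak)
# maintainer signature embedded in the .dsc itself.  The Sources index is in
# turn covered by the archive-key-signed InRelease file; that step is assumed
# to have been done by apt already, roughly:
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg InRelease
set -u

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<sha256> <size>" recorded for file name $2 in Sources index $1,
# or nothing if the index has no Checksums-Sha256 entry for it.
sources_entry() {
    awk -v want="$2" '
        /^Checksums-Sha256:/  { in_list = 1; next }
        /^[^ ]/               { in_list = 0 }
        in_list && $3 == want { print $1, $2; exit }
    ' "$1"
}

# Return 0 if the .dsc at $2 matches its entry in Sources index $1, else 1.
verify_dsc_against_sources() {
    entry=$(sources_entry "$1" "$(basename "$2")")
    [ -n "$entry" ] || { echo "no Sources entry for $2" >&2; return 1; }
    want_sum=${entry%% *}
    want_size=${entry##* }
    have_sum=$(sha256_of "$2")
    have_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$have_sum" = "$want_sum" ] && [ "$have_size" = "$want_size" ]; then
        echo "OK: $2 matches the archive-signed Sources index"
        return 0
    fi
    echo "MISMATCH: $2 (got $have_sum/$have_size, want $want_sum/$want_size)" >&2
    return 1
}
```

A wrapper that calls `dpkg-source --no-check` only after this check succeeds gives the "verified repo" guarantee Guillem mentions without depending on the uploader's key still being valid.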
