Bug#757533: debian-archive-keyring: source package signed by removed key

2014-08-09 Thread Adam D. Barratt

On 2014-08-09 1:19, Michael Gilbert wrote:
> On Fri, Aug 8, 2014 at 7:52 PM, Cyril Brulebois wrote:
>>> The archive keyring package is currently signed by Philip Kern's old
>>> removed key.
>>>
>>> Since this package contains the keys to archive, it really needs a
>>> valid signature.
>>>
>>> $ apt-get source debian-archive-keyring --download-only
>>
>> Well, surely this is using the apt cache, with Release files and GPG
>> signatures all over the place…
>
> Release files signed by the keys that were signed by the removed key.

For stable, that's partially accurate, as the wheezy stable release key
is indeed signed by Phil's old key. It is, however, also signed by my,
very much current, key and Phil's new key.

However, stable's Release file is also co-signed by, and >= testing are
_only_ signed by, the ftp-master key, for which:

adsb@franck:~$ gpg --keyring /srv/keyring.debian.org/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --list-sigs 46925553
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        46925553 2012-04-27  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        7E7B8AC9 2012-04-27  [User ID not found]
sig 3 P      B12525C4 2012-04-27  Joerg Jaspert <jo...@debian.org>
sig          A3AE44A4 2012-04-27  Michael O'Connor (stew) <s...@vireo.org>
sig          CA1CF964 2012-04-27  Ansgar Burchardt <ans...@debian.org>
sig          15B0FD82 2012-04-27  Mark Hymers <m...@debian.org>
sig          672C8B12 2012-04-28  [User ID not found]

none of the sigs belong to the Release Team.

> It's an M.C. Escher painting kind of situation, and I'm being rather
> pedantic, but then again, it's simply good hygiene.

Pedantry != release-criticality.

>> (Also, I don't see why this particular source package would be special
>> and would need a specific handling as far as its signature goes.)
>
> Other bad sigs in the archive should also get cleaned up.  I need to do a
> more complete analysis of bad sigs and also do a -devel MBF
> discussion.

It might have been nice to have done that step first.. :-(

Regards,

Adam


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
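The listing in Adam's message is the kind of evidence a maintainer wants when deciding whether an archive key is certified by the people it should be. What follows is an added example, not code from the thread or from Debian's own tooling: a small parser for the human-readable `gpg --list-sigs` output that separates a key's self-signature from third-party certifications, flags signers whose public key was not in the keyrings consulted (`[User ID not found]`), and reports which certifiers fall inside a caller-supplied trusted set. The sample input is the listing quoted above with its columns restored and the e-mail addresses left elided as on the page; the "Release Team" key IDs are deliberate placeholders, since the real ones are not on the page. For anything beyond a one-off check, `gpg --with-colons` is the stable machine-readable format and should be parsed instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the `gpg --list-sigs 46925553` output quoted in
# the thread, with columns restored. E-mail addresses are left elided as on
# the page. A real audit would capture this with `gpg --with-colons` instead.
SAMPLE_LIST_SIGS = """\
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        46925553 2012-04-27  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>
sig 3        7E7B8AC9 2012-04-27  [User ID not found]
sig 3 P      B12525C4 2012-04-27  Joerg Jaspert <jo...@debian.org>
sig          A3AE44A4 2012-04-27  Michael O'Connor (stew) <s...@vireo.org>
sig          CA1CF964 2012-04-27  Ansgar Burchardt <ans...@debian.org>
sig          15B0FD82 2012-04-27  Mark Hymers <m...@debian.org>
sig          672C8B12 2012-04-28  [User ID not found]
"""

# One "sig" line of the human-readable listing: optional certification class
# (1-3), optional flag letters (e.g. P = policy URL present), signer key ID,
# signature date, then the signer's user ID or a "not found" marker.
SIG_RE = re.compile(
    r"^sig\s+(?:(?P<cls>[1-3])\s+)?(?:(?P<flags>[A-Z]+)\s+)?"
    r"(?P<keyid>[0-9A-F]{8,16})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<uid>.*)$"
)

UNKNOWN_UID = "[User ID not found]"


@dataclass(frozen=True)
class Certification:
    signer: str                # key ID of the certifying key
    cert_class: Optional[int]  # 1-3 if stated, None for a generic "sig"
    flags: str
    date: str
    uid: str


def parse_list_sigs(text: str) -> List[Certification]:
    """Extract the certification lines from `gpg --list-sigs` output."""
    certs = []
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m is None:
            continue  # pub/uid/sub lines and anything unrecognised
        cls = m.group("cls")
        certs.append(Certification(
            signer=m.group("keyid"),
            cert_class=int(cls) if cls else None,
            flags=m.group("flags") or "",
            date=m.group("date"),
            uid=m.group("uid").strip(),
        ))
    return certs


def audit_key(text: str, key_id: str, trusted_signers: Iterable[str]) -> Dict[str, List[str]]:
    """Classify who certified key_id, ignoring its own self-signature.

    trusted_hits:    third-party signers that are in the caller's trusted set
    unknown_signers: signers whose public key was not in the keyrings consulted
    other_signers:   every third-party signer outside the trusted set
    """
    trusted = set(trusted_signers)
    third_party = [c for c in parse_list_sigs(text) if c.signer != key_id]
    signers = {c.signer for c in third_party}
    return {
        "trusted_hits": sorted(signers & trusted),
        "unknown_signers": sorted({c.signer for c in third_party if c.uid == UNKNOWN_UID}),
        "other_signers": sorted(signers - trusted),
    }


if __name__ == "__main__":
    # Placeholder key IDs standing in for a "Release Team" set; the real IDs
    # are not on the page, so these are deliberately fake.
    release_team = {"0000000000000001", "0000000000000002"}
    report = audit_key(SAMPLE_LIST_SIGS, "46925553", release_team)
    for label, ids in report.items():
        print(f"{label}: {', '.join(ids) or '(none)'}")
```

Run against the sample with a placeholder trusted set, `trusted_hits` comes back empty, which is the programmatic form of "none of the sigs belong to the Release Team"; the two `[User ID not found]` entries are reported separately because a certification from a key you cannot even look up tells you nothing until that key is imported and checked.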



Bug#757533: debian-archive-keyring: source package signed by removed key

2014-08-09 Thread Philipp Kern
severity 757533 normal
thanks

On Fri, Aug 08, 2014 at 07:41:11PM -0400, Michael Gilbert wrote:
> The archive keyring package is currently signed by Philip Kern's old
> removed key.
>
> Since this package contains the keys to archive, it really needs a
> valid signature.

The key has neither been revoked nor compromised. It just cannot be used
for new uploads nor to authenticate to Debian's systems. So I completely
disagree with the inflated severity you laid out here (and potential
MBFs).

We will update the package with the new Jessie key soon, though, which
should fix this issue as the package will need to be backported.

Kind regards
Philipp Kern




Bug#757533: debian-archive-keyring: source package signed by removed key

2014-08-09 Thread Adam D. Barratt

On 2014-08-09 0:41, Michael Gilbert wrote:
> The archive keyring package is currently signed by Philip Kern's old
> removed key.


Slightly tangentially, you mean Philipp.

Regards,

Adam





Bug#757533: debian-archive-keyring: source package signed by removed key

2014-08-08 Thread Michael Gilbert
package: src:debian-archive-keyring
severity: serious
version: 2012.4
tags: security

The archive keyring package is currently signed by Philip Kern's old
removed key.

Since this package contains the keys to archive, it really needs a
valid signature.

$ apt-get source debian-archive-keyring --download-only
$ dpkg-source -x --require-valid-signature debian-archive-keyring_2012.4.dsc
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: error: failed to verify signature on
./debian-archive-keyring_2012.4.dsc

Best wishes,
Mike





Bug#757533: debian-archive-keyring: source package signed by removed key

2014-08-08 Thread Cyril Brulebois
Michael Gilbert mgilb...@debian.org (2014-08-08):
> package: src:debian-archive-keyring
> severity: serious
> version: 2012.4
> tags: security
>
> The archive keyring package is currently signed by Philip Kern's old
> removed key.
>
> Since this package contains the keys to archive, it really needs a
> valid signature.
>
> $ apt-get source debian-archive-keyring --download-only

Well, surely this is using the apt cache, with Release files and GPG
signatures all over the place…

> $ dpkg-source -x --require-valid-signature debian-archive-keyring_2012.4.dsc
> gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
> gpgv: Can't check signature: public key not found
> dpkg-source: error: failed to verify signature on
> ./debian-archive-keyring_2012.4.dsc

which makes this extra check moot?

(Also, I don't see why this particular source package would be special
and would need a specific handling as far as its signature goes.)

Mraw,
KiBi.




Bug#757533: debian-archive-keyring: source package signed by removed key

2014-08-08 Thread Michael Gilbert
On Fri, Aug 8, 2014 at 7:52 PM, Cyril Brulebois wrote:
>> The archive keyring package is currently signed by Philip Kern's old
>> removed key.
>>
>> Since this package contains the keys to archive, it really needs a
>> valid signature.
>>
>> $ apt-get source debian-archive-keyring --download-only
>
> Well, surely this is using the apt cache, with Release files and GPG
> signatures all over the place…

Release files signed by the keys that were signed by the removed key.
It's an M.C. Escher painting kind of situation, and I'm being rather
pedantic, but then again, it's simply good hygiene.

> (Also, I don't see why this particular source package would be special
> and would need a specific handling as far as its signature goes.)

Other bad sigs in the archive should also get cleaned up.  I need to do a
more complete analysis of bad sigs and also do a -devel MBF
discussion.

Best wishes,
Mike

