Package: apt
Version: 1.4~rc2
Severity: important
Hello,
I found the Signed-By option in sources.list(5) and thought this would be useful
to try. I set it up with a fingerprint of the key that signed a repository. I
then did an 'apt update' (or 'apt-get update', I tried both) and things went
well. Then I decided to try and flip some bits in the fingerprint and see what
happened. Turns out that nothing happens, apt proceeded without any complaint
whatsoever. :(
The documentation reads:
If the option is set, only the key(s) in this keyring or only the keys with
these fingerprints are used for the apt-secure(8) verification of this
repository.
I also attempted a package installation and that didn't complain either.
This is the format I used:
deb http://deb.leap.se/debian sid main Signed-By:
2f483BbCE87BEE2F7DFE99661E34A1828E203901
(the key fingerprint there is incorrect).
micah
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii adduser 3.115
ii debian-archive-keyring 2014.3
ii gpgv2.1.18-6
ii init-system-helpers 1.47
ii libapt-pkg5.0 1.4~rc2
ii libc6 2.24-9
ii libgcc1 1:6.3.0-8
ii libstdc++6 6.3.0-8
Versions of packages apt recommends:
ii gnupg 2.1.18-6
ii gnupg1 1.4.21-3
ii gnupg2 2.1.18-6
Versions of packages apt suggests:
pn apt-doc
ii aptitude0.8.5-1
ii dpkg-dev1.18.22
ii powermgmt-base 1.31+nmu1
ii python-apt 1.4.0~beta2
-- no debconf information