Bug#856408: apt: Signed-By does nothing

2017-03-01 Thread micah anderson 
Julian Andres Klode  writes:

>> deb http://deb.leap.se/debian sid main Signed-By: 
>> 2f483BbCE87BEE2F7DFE99661E34A1828E203901
>
> That's invalid syntax. It should look like these:
>
> deb [signed-by=BBEBDCB318AD50EC6865090613B00F1FD2C19886] 
> http://repository.spotify.com stable non-free

Thanks, I totally missed the format details in the man page before!

> deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg 
> target-=Contents-deb] http://deb.debian.org/debian/ experimental main contrib 
> non-free

I'm very curious about this "target-=Contents-deb" option. I see the
section in sources.list(5) saying that this is an option to indicate
what download targets apt will try to acquire from this source. My
understanding is that the -= means that this modifies the default value
to remove the given value so it wont be acquired.

However, I don't quite get what this configuration is intended to do,
why would you indicate that you do not want to download the Contents-deb
files. Would you do that just to speed up apt updates?

thanks!
micah

Bug#856408: apt: Signed-By does nothing

2017-02-28 Thread micah 
Package: apt
Version: 1.4~rc2
Severity: important

Hello,

I found the Signed-By option in sources.list(5) and thought this would be useful
to try. I set it up with a fingerprint of the key that signed a repository. I
then did an 'apt update' (or 'apt-get update', I tried both) and things went
well. Then I decided to try and flip some bits in the fingerprint and see what
happened. Turns out that nothing happens, apt proceeded without any complaint
whatsoever. :(

The documentation reads:

If the option is set, only the key(s) in this keyring or only the keys with
these fingerprints are used for the apt-secure(8) verification of this
repository.

I also attempted a package installation and that didn't complain either.

This is the format I used:

deb http://deb.leap.se/debian sid main Signed-By: 
2f483BbCE87BEE2F7DFE99661E34A1828E203901

(the key fingerprint there is incorrect).

micah

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv2.1.18-6
ii  init-system-helpers 1.47
ii  libapt-pkg5.0   1.4~rc2
ii  libc6   2.24-9
ii  libgcc1 1:6.3.0-8
ii  libstdc++6  6.3.0-8

Versions of packages apt recommends:
ii  gnupg   2.1.18-6
ii  gnupg1  1.4.21-3
ii  gnupg2  2.1.18-6

Versions of packages apt suggests:
pn  apt-doc 
ii  aptitude0.8.5-1
ii  dpkg-dev1.18.22
ii  powermgmt-base  1.31+nmu1
ii  python-apt  1.4.0~beta2

-- no debconf information