Bug#1016143: dpkg --audit could report more errors, especially those reported elsewhere already

2022-07-27 Thread Thorsten Glaser
Package: dpkg
Version: 1.20.11
Severity: normal
X-Debbugs-Cc: t...@mirbsd.de

I had a filesystem corruption (had to run e2fsck -D for some reason, the
filesystem was otherwise intact, fresh install) that resulted in…

dpkg: unrecoverable fatal error, aborting:
 files list file for package 'libv4l-0:amd64' is missing final newline

… during an apt-get --purge dist-upgrade (which only updated firefox
and linux) or rather preventing it.

This was not spotted by dpkg --audit, which I had run after the fsck.
It probably can easily be added there?


-- Package-specific info:

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/2 CPU threads)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-4
ii  libc6        2.31-13+deb11u3
ii  liblzma5     5.2.5-2.1~deb11u1
ii  libselinux1  3.1-3
ii  tar          1.34+dfsg-1
ii  zlib1g       1:1.2.11.dfsg-2+deb11u1

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.2.4
pn  debsig-verify  <none>

-- no debconf information
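The check the report asks for, as an added example rather than dpkg's own code: it walks a dpkg info directory and reports every package whose files list (`/var/lib/dpkg/info/<pkg>.list`) is non-empty but lacks a trailing newline, the exact condition dpkg aborts on above. The sample directory is constructed in the block; on a real system you would pass `/var/lib/dpkg/info` instead.

```python
"""Audit dpkg files-list files for a missing final newline.

Added example, not part of dpkg. It mirrors the fatal condition from the
report ("files list file for package ... is missing final newline") so it
can be run after an fsck and before the next upgrade.
"""
import os
import tempfile


def find_bad_file_lists(info_dir):
    """Return sorted package names whose .list file is non-empty and does
    not end in a newline, i.e. the files dpkg would refuse to load."""
    bad = []
    for name in os.listdir(info_dir):
        if not name.endswith(".list"):
            continue  # .md5sums, .postinst etc. are not files lists
        path = os.path.join(info_dir, name)
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            if size == 0:
                continue  # no final byte to check; not the condition audited here
            fh.seek(size - 1)
            if fh.read(1) != b"\n":
                bad.append(name[: -len(".list")])
    return sorted(bad)


def build_sample_info_dir():
    """Construct a throwaway lookalike of /var/lib/dpkg/info with one intact
    files list, one truncated list (as after the corruption in the report),
    one empty list and one non-list file."""
    d = tempfile.mkdtemp(prefix="dpkg-info-")
    samples = {
        "firefox-esr.list": b"/.\n/usr\n/usr/lib/firefox-esr\n",
        "libv4l-0:amd64.list": b"/.\n/usr\n/usr/lib/x86_64-linux-gnu/libv4l",
        "empty-meta.list": b"",
        "firefox-esr.md5sums": b"d41d8cd98f00b204e9800998ecf8427e  usr/x\n",
    }
    for fname, data in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    info = build_sample_info_dir()
    for pkg in find_bad_file_lists(info):
        print(f"files list file for package '{pkg}' is missing final newline")
```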


Bug#1016087: apt-listdifferences: Indirectly calls dpkg-source w/o --no-check

2022-07-27 Thread Guillem Jover
Control: tag -1 - moreinfo
Control: reassign -1 apt-listdifferences
Control: retitle -1 apt-listdifferences: Indirectly calls dpkg-source w/o --no-check

[ Replying to the initial report for some context. ]

Hi!

On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> Package: dpkg
> Version: 1.21.9
> Severity: normal
> X-Debbugs-Cc: tmcconnell...@gmail.com

> What led up to the situation? Normal upgrading of system
> 
> What exactly did you do (or not do) that was effective (or ineffective)? 
> Unsure
> these messages started appearing.
> 
> What was the outcome of this action? I now receive multiple lines of: gpgv:
> Signature made Fri 24 Oct 2014 06:23:17 PM CDT
> gpgv:    using RSA key F664D256B4691A7D
> gpgv: Can't check signature: No public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
> gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
> gpgv:    using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
> gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
> gpgv:    using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/r-cran-quantreg_5.94-1.dsc
> apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
> gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
> gpgv:    using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/kconfig_5.94.0-3.dsc
> gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
> gpgv:    using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/kconfig_5.94.0-4.dsc
> 
> When running this command `apt-get dist-upgrade -y -m`
> 
> What outcome did you expect instead? To be sure I'm getting packages from an
> uncompromised repo.

The problem here in the end was (confirmed off-BTS) that
apt-listdifferences is installed on the system, which downloads the
source packages for binary packages being upgraded to debdiff them.
But those source packages had been signed with a weak algorithm, which
is rejected by dpkg-source (even though that command defaults to
warning only).

Because when downloading the source packages from the archive, they
have switched their trust anchor from the uploader to the archive,
which takes care of key (re)signing, expiration and rotation, checking
the signatures in the .dsc can be more confusing than helpful. (This
would be a different matter if the .dsc reached the system through
some other means such as scp or sneaker net or whatever).

So, ideally apt-listdifferences would call debdiff and request for it
to pass --no-check to dpkg-source. But there is currently no such
option. I'll file another report, and block this one with that other
one.

Thanks,
Guillem
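A triage helper for the output quoted in this thread, added here as an example and not part of dpkg, apt-listdifferences or the reporter's setup: it groups the interleaved gpgv lines by the .dsc that dpkg-source then warns about and classifies the reason (uploader key not in the keyring, or a SHA1 signature now rejected), so an administrator can tell an expected uploader-signature failure on an archive-downloaded source from something that needs a closer look. The sample lines are constructed after the report's output.

```python
"""Group and classify gpgv/dpkg-source warnings from an apt-listdifferences run.

Added example, not code from the thread or from any Debian tool. Verdict
strings follow the reasoning in the thread: sources fetched from the archive
are already covered by the archive-signed metaindices, so an unverifiable
uploader signature on the .dsc is informational rather than a tamper signal.
"""
import re

# Constructed sample, shaped after the output quoted in the report.
SAMPLE_LOG = """\
gpgv: Signature made Fri 24 Oct 2014 06:23:17 PM CDT
gpgv:                using RSA key F664D256B4691A7D
gpgv: Can't check signature: No public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
gpgv:                using RSA key A1489FE2AB99A21A
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
"""

KEY_RE = re.compile(r"^gpgv:\s+using (\w+) key ([0-9A-Fa-f]+)$")
FAIL_RE = re.compile(r"^gpgv: Can't check signature: (.*)$")
DSC_RE = re.compile(r"^dpkg-source: warning: cannot verify signature (\S+\.dsc)$")


def triage(log_text):
    """Return one dict per .dsc dpkg-source could not verify: the .dsc path,
    the signing key id, gpgv's reason, whether SHA1 rejection was noted,
    and a verdict. Lines not belonging to a verification block are ignored."""
    findings, cur = [], {}
    for line in log_text.splitlines():
        if m := KEY_RE.match(line):
            cur["keyid"] = m.group(2)
        elif "SHA1 algorithm are rejected" in line:
            cur["sha1_rejected"] = True
        elif m := FAIL_RE.match(line):
            cur["reason"] = m.group(1)
        elif m := DSC_RE.match(line):
            cur["dsc"] = m.group(1)
            cur.setdefault("sha1_rejected", False)
            if cur["sha1_rejected"]:
                cur["verdict"] = "weak SHA1 uploader signature; archive trust applies"
            elif cur.get("reason") == "No public key":
                cur["verdict"] = "uploader key not in keyring; archive trust applies"
            else:
                cur["verdict"] = "unclassified; inspect manually"
            findings.append(cur)
            cur = {}  # start a fresh block for the next .dsc
    return findings
```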



Processed: Re: Bug#1016087: apt-listdifferences: Indirectly calls dpkg-source w/o --no-check

2022-07-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo
Bug #1016087 [dpkg-dev] dpkg: errors about cannot verify signature fpr assorted packages
Removed tag(s) moreinfo.
> reassign -1 apt-listdifferences
Bug #1016087 [dpkg-dev] dpkg: errors about cannot verify signature fpr assorted packages
Bug reassigned from package 'dpkg-dev' to 'apt-listdifferences'.
No longer marked as found in versions dpkg/1.21.9.
Ignoring request to alter fixed versions of bug #1016087 to the same values previously set
> retitle -1 apt-listdifferences: Indirectly calls dpkg-source w/o --no-check
Bug #1016087 [apt-listdifferences] dpkg: errors about cannot verify signature fpr assorted packages
Changed Bug title to 'apt-listdifferences: Indirectly calls dpkg-source w/o --no-check' from 'dpkg: errors about cannot verify signature fpr assorted packages'.

-- 
1016087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016087
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1016087: dpkg: errors about cannot verify signature for assorted packages

2022-07-27 Thread Guillem Jover
On Wed, 2022-07-27 at 11:10:13 -0500, tmcconnell...@gmail.com wrote:
> >I assume you have something installed that downloads source packages
> > (and perhaps builds them) as part of the upgrade?

> Gnome Software and I left sources.list pretty much as it came from the
> net install CD. 

Hmm, I've checked gnome-software and I don't see anything obvious there
that would cause sources to be downloaded. After looking for something
using the /var/cache/apt/sources/ pathname, I've found
apt-listdifferences which seems like a matching culprit. Do you happen
to have that installed? If so, the problem is that it calls debdiff,
which always verifies signatures, even though apt-listdifferences
downloaded it from the archive, so there should be no need for that.
Then I'd reassign to apt-listdifferences which would need a new option
in debdiff to be able to request passing --no-check to dpkg-source.

> So I'm getting this because some packages no longer have a maintainer,
> that sucks, hope you guys get some more maintainers for those projects.

Not necessarily, it might well be that these packages did not get
uploaded after these maintainers updated their OpenPGP keys, and have
remained with weak signatures. We should probably add some QA check
(if there's none yet in place), to catch that, I'll check that out
too.

Thanks,
Guillem



Bug#1016087: dpkg: errors about cannot verify signature for assorted packages

2022-07-27 Thread tmcconnell168
Hi Guillem, 
>I assume you have something installed that downloads source packages
> (and perhaps builds them) as part of the upgrade?
Gnome Software and I left sources.list pretty much as it came from the
net install CD. 
So I'm getting this because some packages no longer have a maintainer,
that sucks, hope you guys get some more maintainers for those projects.
Either way, thanks for the clear explanation of why it's happening and
where the warnings are coming from. 
If it's not really a bug I guess it's okay to close it and sorry for
wasting your time. 
Have a great day! 
 
-- 
 


On Wed, 2022-07-27 at 12:25 +0200, Guillem Jover wrote:
> Control: reassign -1 dpkg-dev 1.21.9
> Control: tag -1 moreinfo
> 
> Hi!
> 
> On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> > Package: dpkg
> > Version: 1.21.9
> > Severity: normal
> > X-Debbugs-Cc: tmcconnell...@gmail.com
> 
> > What led up to the situation? Normal upgrading of system
> > 
> > What exactly did you do (or not do) that was effective (or
> > ineffective)? Unsure
> > these messages started appearing.
> > 
> > What was the outcome of this action? I now receive multiple lines
> > of: gpgv:
> > Signature made Fri 24 Oct 2014 06:23:17 PM CDT
> > gpgv:    using RSA key F664D256B4691A7D
> > gpgv: Can't check signature: No public key
> > dpkg-source: warning: cannot verify signature
> > /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
> > gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
> > gpgv:    using RSA key A1489FE2AB99A21A
> > gpgv: Note: signatures using the SHA1 algorithm are rejected
> > gpgv: Can't check signature: Bad public key
> > dpkg-source: warning: cannot verify signature
> > /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
> > gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
> > gpgv:    using RSA key A1489FE2AB99A21A
> > gpgv: Note: signatures using the SHA1 algorithm are rejected
> > gpgv: Can't check signature: Bad public key
> > dpkg-source: warning: cannot verify signature
> > /var/cache/apt/sources/r-cran-quantreg_5.94-1.dsc
> > apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
> > gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
> > gpgv:    using RSA key
> > 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> > gpgv: Note: signatures using the SHA1 algorithm are rejected
> > gpgv: Can't check signature: Bad public key
> > dpkg-source: warning: cannot verify signature
> > /var/cache/apt/sources/kconfig_5.94.0-3.dsc
> > gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
> > gpgv:    using RSA key
> > 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> > gpgv: Note: signatures using the SHA1 algorithm are rejected
> > gpgv: Can't check signature: Bad public key
> > dpkg-source: warning: cannot verify signature
> > /var/cache/apt/sources/kconfig_5.94.0-4.dsc
> > 
> > When running this command `apt-get dist-upgrade -y -m`
> 
> I assume you have something installed that downloads source packages
> (and perhaps builds them) as part of the upgrade? Otherwise that
> seems
> uncommon. In any case…
> 
> > What outcome did you expect instead? To be sure I'm getting
> > packages from an
> > uncompromised repo.
> 
> … assuming you are getting the source packages from a Debian
> repository, those should have the repository metaindices signed by
> the
> archive keys, which get rotated and updated when necessary, in
> contrast
> to the source package signatures which are created by the person
> uploading
> the source package (and never updated anymore). As such those latter
> signatures (when later verified after the archive did the initial
> verification on upload) can very easily come from now revoked or
> expired
> keys or from keys for people that are no longer members of the
> project
> and are thus not present in the keyrings, the signatures can be
> expired
> themselves, they might come from keys or signatures which are now
> considered weak, which is what happens to be the case here. These
> signatures use SHA1 as a hashing algorithm which is no longer
> considered
> secure and get rejected.
> 
> For the above reasons apt passes --no-check to dpkg-source, and
> dpkg-source does not default to erroring out (unless passing to it
> --require-valid-signature), as can be seen from the warnings (not
> errors) shown above. So I see no dpkg bug here, perhaps whatever is
> calling dpkg-source should also be passing --no-check (if it can
> guarantee the source came from a verified repo). Otherwise I'll be
> closing this in a bit.
> 
> Thanks,
> Guillem



Bug#1015839: dpkg: Back-port ARC support in stable version

2022-07-27 Thread Guillem Jover
Hi!

On Fri, 2022-07-22 at 12:27:01 +0200, Alexey Brodkin wrote:
> Package: dpkg
> Version: 1.20.11
> Severity: normal

> The problem is even uploads of other packages in "unstable"
> fail to build if they expect the build system system to know about ARC.
> 
> Apparently newly uploaded packages are being built in a "stable"
> environment, and so we need dpkg of that "stable" system to be
> aware of ARC as well.

I think this is more about the archive tools and surrounding tooling
than any build infrastructure. But in any case, yes, it's
inconvenient.

> Thus I'm asking to back-port [2] to 1.20.x branch and add it to the
> "stable" upload of dpkg sometime soon. That will really unblock
> normal package building and uploading for ARC as well.

Yes, I'll queue this for the next stable update. Note that even once
this gets uploaded and ACCEPTed by the SRMs it will still not be
available at least until the next stable point release is actually
released, and the servers running that tooling upgraded.

Thanks,
Guillem



Processed: Re: Bug#1016087: dpkg: errors about cannot verify signature fpr assorted packages

2022-07-27 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 dpkg-dev 1.21.9
Bug #1016087 [dpkg] dpkg: errors about cannot verify signature fpr assorted packages
Bug reassigned from package 'dpkg' to 'dpkg-dev'.
No longer marked as found in versions dpkg/1.21.9.
Ignoring request to alter fixed versions of bug #1016087 to the same values previously set
Bug #1016087 [dpkg-dev] dpkg: errors about cannot verify signature fpr assorted packages
Marked as found in versions dpkg/1.21.9.
> tag -1 moreinfo
Bug #1016087 [dpkg-dev] dpkg: errors about cannot verify signature fpr assorted packages
Added tag(s) moreinfo.

-- 
1016087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016087
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1016087: dpkg: errors about cannot verify signature fpr assorted packages

2022-07-27 Thread Guillem Jover
Control: reassign -1 dpkg-dev 1.21.9
Control: tag -1 moreinfo

Hi!

On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> Package: dpkg
> Version: 1.21.9
> Severity: normal
> X-Debbugs-Cc: tmcconnell...@gmail.com

> What led up to the situation? Normal upgrading of system
> 
> What exactly did you do (or not do) that was effective (or ineffective)? 
> Unsure
> these messages started appearing.
> 
> What was the outcome of this action? I now receive multiple lines of: gpgv:
> Signature made Fri 24 Oct 2014 06:23:17 PM CDT
> gpgv:    using RSA key F664D256B4691A7D
> gpgv: Can't check signature: No public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
> gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
> gpgv:    using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
> gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
> gpgv:    using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/r-cran-quantreg_5.94-1.dsc
> apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
> gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
> gpgv:    using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/kconfig_5.94.0-3.dsc
> gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
> gpgv:    using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature
> /var/cache/apt/sources/kconfig_5.94.0-4.dsc
> 
> When running this command `apt-get dist-upgrade -y -m`

I assume you have something installed that downloads source packages
(and perhaps builds them) as part of the upgrade? Otherwise that seems
uncommon. In any case…

> What outcome did you expect instead? To be sure I'm getting packages from an
> uncompromised repo.

… assuming you are getting the source packages from a Debian
repository, those should have the repository metaindices signed by the
archive keys, which get rotated and updated when necessary, in contrast
to the source package signatures which are created by the person uploading
the source package (and never updated anymore). As such those latter
signatures (when later verified after the archive did the initial
verification on upload) can very easily come from now revoked or expired
keys or from keys for people that are no longer members of the project
and are thus not present in the keyrings, the signatures can be expired
themselves, they might come from keys or signatures which are now
considered weak, which is what happens to be the case here. These
signatures use SHA1 as a hashing algorithm which is no longer considered
secure and get rejected.

For the above reasons apt passes --no-check to dpkg-source, and
dpkg-source does not default to erroring out (unless passing to it
--require-valid-signature), as can be seen from the warnings (not
errors) shown above. So I see no dpkg bug here, perhaps whatever is
calling dpkg-source should also be passing --no-check (if it can
guarantee the source came from a verified repo). Otherwise I'll be
closing this in a bit.

Thanks,
Guillem