Processed: Re: Bug#1016087: dpkg: errors about cannot verify signature for assorted packages

2022-07-27 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 dpkg-dev 1.21.9
Bug #1016087 [dpkg] dpkg: errors about cannot verify signature for assorted packages
Bug reassigned from package 'dpkg' to 'dpkg-dev'.
No longer marked as found in versions dpkg/1.21.9.
Ignoring request to alter fixed versions of bug #1016087 to the same values previously set
Bug #1016087 [dpkg-dev] dpkg: errors about cannot verify signature for assorted packages
Marked as found in versions dpkg/1.21.9.
> tag -1 moreinfo
Bug #1016087 [dpkg-dev] dpkg: errors about cannot verify signature for assorted packages
Added tag(s) moreinfo.

-- 
1016087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016087
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1016087: dpkg: errors about cannot verify signature for assorted packages

2022-07-27 Thread Guillem Jover
Control: reassign -1 dpkg-dev 1.21.9
Control: tag -1 moreinfo

Hi!

On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> Package: dpkg
> Version: 1.21.9
> Severity: normal
> X-Debbugs-Cc: tmcconnell...@gmail.com

> What led up to the situation? Normal upgrading of system
> 
> What exactly did you do (or not do) that was effective (or ineffective)?
> Unsure; these messages started appearing.
> 
> What was the outcome of this action? I now receive multiple lines of:
> gpgv: Signature made Fri 24 Oct 2014 06:23:17 PM CDT
> gpgv: using RSA key F664D256B4691A7D
> gpgv: Can't check signature: No public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
> gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
> gpgv: using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
> gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
> gpgv: using RSA key A1489FE2AB99A21A
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.94-1.dsc
> apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
> gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
> gpgv: using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/kconfig_5.94.0-3.dsc
> gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
> gpgv: using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: Bad public key
> dpkg-source: warning: cannot verify signature /var/cache/apt/sources/kconfig_5.94.0-4.dsc
> 
> 
> When running this command `apt-get dist-upgrade -y -m`

I assume you have something installed that downloads source packages
(and perhaps builds them) as part of the upgrade? Otherwise that seems
uncommon. In any case…

> What outcome did you expect instead? To be sure I'm getting packages from an
> uncompromised repo.

… assuming you are getting the source packages from a Debian
repository, those should have the repository metaindices signed by the
archive keys, which get rotated and updated when necessary, in contrast
to the source package signatures, which are created by the person uploading
the source package (and never updated afterwards). As such, those latter
signatures (when verified later, after the archive did the initial
verification on upload) can very easily come from now revoked or expired
keys, or from keys of people who are no longer members of the project
and are thus not present in the keyrings; the signatures can be expired
themselves; or they might come from keys or signatures which are now
considered weak, which happens to be the case here. These
signatures use SHA1 as the hashing algorithm, which is no longer considered
secure, and so they get rejected.

For the above reasons apt passes --no-check to dpkg-source, and
dpkg-source does not default to erroring out (unless
--require-valid-signature is passed to it), as can be seen from the warnings (not
errors) shown above. So I see no dpkg bug here; perhaps whatever is
calling dpkg-source should also be passing --no-check (if it can
guarantee the source came from a verified repo). Otherwise I'll be
closing this in a bit.

Thanks,
Guillem
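The trust chain Guillem describes (archive-key signature on the Release metaindex, Sources index hashed from Release, .dsc hashed from Sources, tarballs hashed from the .dsc) is what actually guarantees "the source came from a verified repo", independently of the uploader's OpenPGP signature on the .dsc. The following is an added example, not code from dpkg, apt or this bug report, that walks the last two links of that chain: it checks a .dsc and its tarball against the Checksums-Sha256 field of a Sources stanza, then checks the tarball again against the .dsc. The stanza, .dsc and tarball are constructed in a temporary directory (file names modelled on the report); the Release-file signature check that anchors the chain is assumed to have been done by apt and is not repeated here.

```python
"""Verify a Debian source package via the archive's own trust chain
(Release signature -> Sources index -> .dsc -> tarballs) instead of the
uploader's OpenPGP signature on the .dsc.

Added example, not code from dpkg, apt or the bug report. All input is
constructed; the Release-file signature check is apt's job, not done here.
"""
import hashlib
import os
import tempfile


def parse_checksums(stanza: str, field: str = "Checksums-Sha256") -> dict:
    """Parse a deb822 multi-line checksum field into {name: (sha256, size)}.
    Names with a path separator are rejected so a malicious index cannot
    make us hash or accept files outside the download directory."""
    result, in_field = {}, False
    for line in stanza.splitlines():
        if in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            if "/" in name or name in (".", ".."):
                raise ValueError(f"refusing unsafe file name in index: {name!r}")
            result[name] = (digest.lower(), int(size))
        elif in_field:
            break  # field ended at the next non-continuation line
        elif line.startswith(field + ":"):
            in_field = True
    return result


def sha256_of(path: str) -> tuple:
    """Return (hex sha256, size in bytes) of a file, streamed in chunks."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def verify_against_index(stanza: str, directory: str) -> dict:
    """Compare each file listed in the stanza with the file on disk.
    Returns {name: "ok" | "missing" | "size-mismatch" | "sha256-mismatch"}."""
    report = {}
    for name, (digest, size) in parse_checksums(stanza).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        actual_digest, actual_size = sha256_of(path)
        if actual_size != size:
            report[name] = "size-mismatch"
        elif actual_digest != digest:
            report[name] = "sha256-mismatch"
        else:
            report[name] = "ok"
    return report


def verify_source_package(sources_stanza: str, directory: str) -> dict:
    """Two links of the chain: Sources -> (.dsc + tarballs), then
    .dsc -> tarballs. A .dsc whose own hash did not match the index is
    never parsed, so its Checksums field cannot be used against us."""
    level1 = verify_against_index(sources_stanza, directory)
    result = {"sources": level1, "dsc": {}}
    for name, status in level1.items():
        if name.endswith(".dsc") and status == "ok":
            with open(os.path.join(directory, name), encoding="utf-8") as f:
                result["dsc"][name] = verify_against_index(f.read(), directory)
    return result


def build_demo(tamper: str = None) -> tuple:
    """Construct a toy source package (names modelled on the report) and
    return (sources_stanza, directory). tamper="append" grows the tarball
    after the index was written; tamper="rewrite" keeps the size but changes
    the bytes, as a mirror serving a modified file would."""
    d = tempfile.mkdtemp(prefix="dsc-verify-")
    tarball, dsc = "libtrio_1.16+dfsg1.orig.tar.xz", "libtrio_1.16+dfsg1-3.dsc"
    content = b"constructed tarball bytes, not a real archive\n"
    with open(os.path.join(d, tarball), "wb") as f:
        f.write(content)
    t_digest, t_size = sha256_of(os.path.join(d, tarball))
    with open(os.path.join(d, dsc), "w", encoding="utf-8") as f:
        f.write("Format: 3.0 (quilt)\nSource: libtrio\nVersion: 1.16+dfsg1-3\n"
                f"Checksums-Sha256:\n {t_digest} {t_size} {tarball}\n")
    d_digest, d_size = sha256_of(os.path.join(d, dsc))
    sources = ("Package: libtrio\nVersion: 1.16+dfsg1-3\nChecksums-Sha256:\n"
               f" {d_digest} {d_size} {dsc}\n {t_digest} {t_size} {tarball}\n"
               "Directory: pool/main/libt/libtrio\n")
    if tamper:
        new = content + b"injected\n" if tamper == "append" else content[::-1]
        with open(os.path.join(d, tarball), "wb") as f:
            f.write(new)
    return sources, d


if __name__ == "__main__":
    for mode in (None, "append", "rewrite"):
        stanza, directory = build_demo(tamper=mode)
        print(mode, verify_source_package(stanza, directory))
```

Against a real mirror the stanza would come from the Sources index that apt already verified through the signed Release file, and the files from /var/cache/apt/sources or wherever the caller downloaded them; a "missing" or mismatch result is the point at which to stop and not unpack, whereas a gpgv warning about the uploader's key carries no such signal once the index check has passed.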



Bug#1016087: dpkg: errors about cannot verify signature for assorted packages

2022-07-26 Thread Tim McConnell
Package: dpkg
Version: 1.21.9
Severity: normal
X-Debbugs-Cc: tmcconnell...@gmail.com

Dear Maintainer,

What led up to the situation? Normal upgrading of system

What exactly did you do (or not do) that was effective (or ineffective)? Unsure;
these messages started appearing.

What was the outcome of this action? I now receive multiple lines of:
gpgv: Signature made Fri 24 Oct 2014 06:23:17 PM CDT
gpgv: using RSA key F664D256B4691A7D
gpgv: Can't check signature: No public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/libtrio_1.16+dfsg1-3.dsc
gpgv: Signature made Tue 03 May 2022 09:04:38 PM CDT
gpgv: using RSA key A1489FE2AB99A21A
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.93-1.dsc
gpgv: Signature made Wed 20 Jul 2022 05:25:03 AM CDT
gpgv: using RSA key A1489FE2AB99A21A
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/r-cran-quantreg_5.94-1.dsc
apt-listdifferences: removing old src:r-cran-quantreg 5.93-1
gpgv: Signature made Fri 27 May 2022 04:42:52 AM CDT
gpgv: using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/kconfig_5.94.0-3.dsc
gpgv: Signature made Sat 23 Jul 2022 05:20:34 AM CDT
gpgv: using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify signature /var/cache/apt/sources/kconfig_5.94.0-4.dsc

When running this command `apt-get dist-upgrade -y -m`

What outcome did you expect instead? To be sure I'm getting packages from an
uncompromised repo.


-- Package-specific info:
This system uses merged-usr-via-aliased-dirs, going behind dpkg's
back, breaking its core assumptions. This can cause silent file
overwrites and disappearances, and its general tools misbehavior.
See .

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-5
ii  libc6        2.33-8
ii  liblzma5     5.2.5-2.1
ii  libselinux1  3.4-1+b1
ii  tar          1.34+dfsg-1
ii  zlib1g       1:1.2.11.dfsg-4

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.5.1
ii  debsig-verify  0.25+b1

-- no debconf information