[Bug 939322] Re: apt-get source ignores missing key
As you have figured out, the message comes from dpkg while unpacking. dpkg uses his own keyrings for it and adding something like '--require- valid-signature' will make it hard for users to work with third-party archives as a key for the maintainer is usually not installed (and is in general a different one to the keys apt uses. APT has keys to verify the complete archive, the sources packages are signed with the key of the maintainer) But we don't need this, the downloaded files are as usually checked by apt with the checksums provided in Sources index. So we already know though our usual trustpath that the files are okay. So what we could actually do is disable this check by dpkg, but additional checks aren't bad in case the needed keyrings are installed (no, we can't know that beforehand, so we can't disable it 'on-demand'). I am therefore setting it to 'invalid' as there is no security problem involved and i don't see a good way to disable this message from dpkg. ** Changed in: apt (Ubuntu) Status: Triaged => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/939322 Title: apt-get source ignores missing key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 939322] Re: apt-get source ignores missing key
The attachment "apt_dpkgsource-gpgcheck.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report. [This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/939322 Title: apt-get source ignores missing key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 939322] Re: apt-get source ignores missing key
Adding the --require-valid-signature to the dpkg-source command called from apt-get source will change the default behaviour. As this is quite an invasive change, breaking apt-get source when no key is installed, maybe it is better to be able to configure the options of dpkg-source? Also the attached patch is incomplete, as apt-get now recommends to check if dpkg-dev is installed instead of testing the error message. A developers input on how to proceed here would be good to have. $ apt-get source hello Reading package lists... Done Building dependency tree Reading state information... Done Skipping already downloaded file 'hello_2.7-2.dsc' Skipping already downloaded file 'hello_2.7.orig.tar.gz' Skipping already downloaded file 'hello_2.7-2.debian.tar.gz' Need to get 0 B of source archives. gpgv: Signature made Thu 04 Aug 2011 01:11:39 PM CEST using RSA key ID 9F1B8B32 gpgv: Can't check signature: public key not found dpkg-source: error: failed to verify signature on ./hello_2.7-2.dsc Unpack command 'dpkg-source -x --require-valid-signature hello_2.7-2.dsc' failed. Check if the 'dpkg-dev' package is installed. E: Child process failed ** Patch added: "apt_dpkgsource-gpgcheck.patch" https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+attachment/2820798/+files/apt_dpkgsource-gpgcheck.patch ** Changed in: apt (Ubuntu) Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/939322 Title: apt-get source ignores missing key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 939322] Re: apt-get source ignores missing key
I reproduced this behaviour on precise, deleting all keys found with apt-key list: $ apt-get source hello Reading package lists... Done Building dependency tree Reading state information... Done Skipping already downloaded file 'hello_2.7-2.dsc' Skipping already downloaded file 'hello_2.7.orig.tar.gz' Skipping already downloaded file 'hello_2.7-2.debian.tar.gz' Need to get 0 B of source archives. gpgv: Signature made Thu 04 Aug 2011 01:11:39 PM CEST using RSA key ID 9F1B8B32 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./hello_2.7-2.dsc dpkg-source: info: extracting hello in hello-2.7 dpkg-source: info: unpacking hello_2.7.orig.tar.gz dpkg-source: info: unpacking hello_2.7-2.debian.tar.gz dpkg-source: info: applying 01-no-usr-share-info-dir-gz ** Changed in: apt (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/939322 Title: apt-get source ignores missing key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 939322] Re: apt-get source ignores missing key
Thanks for your bug report and helping to make Ubuntu better. I think that this is a wishlist item and will mark it as such. ** Changed in: apt (Ubuntu) Importance: Undecided => Wishlist -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/939322 Title: apt-get source ignores missing key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 939322] Re: apt-get source ignores missing key
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/939322 Title: apt-get source ignores missing key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs