Public bug reported:

Currently, 'apt-key del' does NOT detect that the key ID given as a parameter is invalid:
it displays 'OK' and provides a return code equal to zero (see log below).

I consider that letting the user erroneously believe that a GPG key has been
successfully removed is a security issue.

In fact 'apt-key del' must absolutely detect all errors, and then
provide NON-zero return code and error message.


# wget  -q  -O -  https://oss.oracle.com/el4/RPM-GPG-KEY-oracle  |  apt-key  --keyring /etc/apt/trusted.gpg.d/oracle.gpg  add  -
OK

# apt-key  --keyring /etc/apt/trusted.gpg.d/oracle.gpg  list
/etc/apt/trusted.gpg.d/oracle.gpg
---------------------------------
pub   1024D/B38A8516 2006-09-05 [expired: 2013-09-06]
uid                  Oracle OSS group (Open Source Software group) <bu...@oss.oracle.com>


# apt-key  --keyring /etc/apt/trusted.gpg.d/oracle.gpg  del 1024D/B38A8516
OK

# echo $?
0

# apt-key  --keyring /etc/apt/trusted.gpg.d/oracle.gpg  list
/etc/apt/trusted.gpg.d/oracle.gpg
---------------------------------
pub   1024D/B38A8516 2006-09-05 [expired: 2013-09-06]
uid                  Oracle OSS group (Open Source Software group) <bu...@oss.oracle.com>


# apt-key  --keyring /etc/apt/trusted.gpg.d/oracle.gpg  del B38A8516
OK

# apt-key  --keyring /etc/apt/trusted.gpg.d/oracle.gpg  list

#

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apt 1.2.19
ProcVersionSignature: Ubuntu 4.4.0-65.86-generic 4.4.49
Uname: Linux 4.4.0-65-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Thu Mar  2 17:34:07 2017
InstallationDate: Installed on 2014-11-03 (849 days ago)
InstallationMedia: Ubuntu-GNOME 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
SourcePackage: apt
UpgradeStatus: Upgraded to xenial on 2016-05-09 (297 days ago)

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

https://bugs.launchpad.net/bugs/1669517

Title:
  apt-key del must absolutely detect all errors, and then provide NON-zero
  return code and error message

Status in apt package in Ubuntu:
  New
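
A wrapper that does not trust the 'OK' and zero exit status from 'apt-key del' seen in the log above; this is an added example, not part of apt or of the bug report. It rejects key IDs that are not 8, 16 or 40 hex digits and re-lists the keyring after deletion. The function names, return codes and APT_KEY override are assumptions, and the 'pub' line format is the one shown in the log.

```shell
#!/bin/sh
# Added example: checked key removal. Not part of apt.
# APT_KEY may be overridden (assumption, used for testing).
APT_KEY=${APT_KEY:-apt-key}

# Print the 8-hex-digit short id that 'apt-key list' shows on its pub line.
# Accepts 8, 16 or 40 hex digits, optional 0x prefix; anything else
# (such as "1024D/B38A8516" from the report) fails.
short_keyid() {
    id=$(printf '%s' "$1" | tr 'a-fx' 'A-FX')
    id=${id#0X}
    case $id in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case ${#id} in
        8|16|40) printf '%s\n' "$id" | sed 's/.*\(........\)$/\1/' ;;
        *) return 1 ;;
    esac
}

# True if the keyring ($1) lists a pub line carrying short id $2.
key_listed() {
    "$APT_KEY" --keyring "$1" list 2>/dev/null |
        grep -Eq "^pub +[0-9]+[A-Za-z]/$2 "
}

# Delete key $2 from keyring $1 and verify the result.
# Returns: 0 removed, 2 malformed id, 3 key not listed,
#          4 apt-key failed, 5 key still listed after 'del'.
checked_del() {
    short=$(short_keyid "$2") || { echo "invalid key id: $2" >&2; return 2; }
    key_listed "$1" "$short" || { echo "$short not in $1" >&2; return 3; }
    "$APT_KEY" --keyring "$1" del "$short" >/dev/null || return 4
    if key_listed "$1" "$short"; then
        echo "$short still listed in $1 after del" >&2
        return 5
    fi
    echo "removed $short from $1"
}
```

Called as `checked_del /etc/apt/trusted.gpg.d/oracle.gpg 1024D/B38A8516`, it exits with status 2 and leaves the keyring untouched instead of printing 'OK'.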
