[Bug 939322] Re: apt-get source ignores missing key

Torsten Spindler torsten at canonical.com
Tue Mar 6 05:20:08 UTC 2012 

I reproduced this behaviour on precise, deleting all keys found with
apt-key list:

$ apt-get source hello
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Skipping already downloaded file 'hello_2.7-2.dsc'
Skipping already downloaded file 'hello_2.7.orig.tar.gz'
Skipping already downloaded file 'hello_2.7-2.debian.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Thu 04 Aug 2011 01:11:39 PM CEST using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.7-2.dsc
dpkg-source: info: extracting hello in hello-2.7
dpkg-source: info: unpacking hello_2.7.orig.tar.gz
dpkg-source: info: unpacking hello_2.7-2.debian.tar.gz
dpkg-source: info: applying 01-no-usr-share-info-dir-gz


** Changed in: apt (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/939322

Title:
  apt-get source ignores missing key

Status in “apt” package in Ubuntu:
  Confirmed

Bug description:
  Running "apt-get source wireshark" produced the message "Can't check
  signature: public key not found", but after this message it proceeded
  with unpacking the source, which it had not verified the integrity of.

  Continuing by default when a signature cannot be verified is a
  security risk. (If the package had had just a few more patches, the
  message would have scrolled out of the window before I would have seen
  it).

  Extracting an unverified package should require explicit user
  confirmation. Either by requesting the user answer y or n while the
  command is running, or by aborting with an error telling the user a
  flag that can be used to proceed regardless of unverified signatures.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: apt 0.7.25.3ubuntu9.10
  ProcVersionSignature: Ubuntu 2.6.32-37.81-generic 2.6.32.49+drm33.21
  Uname: Linux 2.6.32-37-generic i686
  Architecture: i386
  Date: Thu Feb 23 09:24:04 2012
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release i386 (20110720.1)
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_DK.utf8
   SHELL=/bin/bash
  SourcePackage: apt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions

More information about the foundations-bugs mailing list