[Bug 939322] Re: apt-get source ignores missing key
Torsten Spindler
torsten at canonical.com
Tue Mar 6 05:20:08 UTC 2012
I reproduced this behaviour on precise, deleting all keys found with
apt-key list:

$ apt-get source hello
Reading package lists... Done
Building dependency tree
Reading state information... Done
Skipping already downloaded file 'hello_2.7-2.dsc'
Skipping already downloaded file 'hello_2.7.orig.tar.gz'
Skipping already downloaded file 'hello_2.7-2.debian.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Thu 04 Aug 2011 01:11:39 PM CEST using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.7-2.dsc
dpkg-source: info: extracting hello in hello-2.7
dpkg-source: info: unpacking hello_2.7.orig.tar.gz
dpkg-source: info: unpacking hello_2.7-2.debian.tar.gz
dpkg-source: info: applying 01-no-usr-share-info-dir-gz

** Changed in: apt (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/939322
Title:
apt-get source ignores missing key
Status in “apt” package in Ubuntu:
Confirmed
Bug description:
Running "apt-get source wireshark" produced the message "Can't check
signature: public key not found", but after this message it proceeded
with unpacking the source, which it had not verified the integrity of.

Continuing by default when a signature cannot be verified is a
security risk. (If the package had had just a few more patches, the
message would have scrolled out of the window before I would have seen
it).

Extracting an unverified package should require explicit user
confirmation. Either by requesting the user answer y or n while the
command is running, or by aborting with an error telling the user a
flag that can be used to proceed regardless of unverified signatures.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: apt 0.7.25.3ubuntu9.10
ProcVersionSignature: Ubuntu 2.6.32-37.81-generic 2.6.32.49+drm33.21
Uname: Linux 2.6.32-37-generic i686
Architecture: i386
Date: Thu Feb 23 09:24:04 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release i386 (20110720.1)
ProcEnviron:
PATH=(custom, user)
LANG=en_DK.utf8
SHELL=/bin/bash
SourcePackage: apt
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions
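One way to get the fail-closed behaviour the bug description asks for, as an added example that is not part of the original bug report or of apt: a wrapper that unpacks a .dsc only when gpgv's machine-readable status output reports a valid signature. The names sig_verdict, extract_verified and the SAMPLE_* values are hypothetical and constructed for illustration; the keyring path is supplied by the caller.

```shell
#!/bin/sh
# Added example: fail-closed gate in front of dpkg-source -x.
# sig_verdict and extract_verified are hypothetical helper names.

# Constructed gpgv --status-fd samples; key IDs and names are placeholders.
SAMPLE_MISSING='[GNUPG:] ERRSIG 0000000000000001 1 8 01 1312456299 9
[GNUPG:] NO_PUBKEY 0000000000000001'
SAMPLE_GOOD='[GNUPG:] GOODSIG 0000000000000001 Example Uploader
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2011-08-04 1312456299'

# Read status lines on stdin, print one verdict, return 0 only for "valid".
# Any refusal seen anywhere in the stream overrides a VALIDSIG.
sig_verdict() {
    verdict=unsigned
    refused=
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    refused=bad ;;
            "[GNUPG:] NO_PUBKEY "*) refused=missing-key ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                                    refused=untrusted ;;
            "[GNUPG:] ERRSIG "*)    : "${refused:=error}" ;;
            "[GNUPG:] VALIDSIG "*)  verdict=valid ;;
        esac
    done
    verdict=${refused:-$verdict}
    printf '%s\n' "$verdict"
    [ "$verdict" = valid ]
}

# extract_verified DSC KEYRING: unpack only after gpgv accepts the signature.
# Fetch the files first without unpacking: apt-get source --download-only PKG
extract_verified() {
    if [ "$#" -ne 2 ]; then
        echo "usage: extract_verified FILE.dsc KEYRING.gpg" >&2
        return 2
    fi
    if v=$(gpgv --status-fd 1 --keyring "$2" "$1" 2>/dev/null | sig_verdict); then
        dpkg-source -x "$1"
    else
        echo "refusing to extract $1: signature is ${v:-unverified}" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then extract_verified "$@"; fi
```

dpkg-source also has its own --require-valid-signature option, which refuses to unpack when the signature cannot be verified against the keyrings it knows about.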