[Bug 939322] Re: apt-get source ignores missing key

Torsten Spindler torsten at canonical.com
Tue Mar 6 05:41:07 UTC 2012 

Adding the --require-valid-signature to the dpkg-source command called
from apt-get source will change the default behaviour. As this is quite
an invasive change, breaking apt-get source when no key is installed,
maybe it is better to be able to configure the options of dpkg-source?
Also the attached patch is incomplete, as apt-get now recommends to
check if dpkg-dev is installed instead of testing the error message. A
developers input on how to proceed here would be good to have.

$ apt-get source hello
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Skipping already downloaded file 'hello_2.7-2.dsc'
Skipping already downloaded file 'hello_2.7.orig.tar.gz'
Skipping already downloaded file 'hello_2.7-2.debian.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Thu 04 Aug 2011 01:11:39 PM CEST using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: error: failed to verify signature on ./hello_2.7-2.dsc
Unpack command 'dpkg-source -x --require-valid-signature hello_2.7-2.dsc' failed.
Check if the 'dpkg-dev' package is installed.
E: Child process failed


** Patch added: "apt_dpkgsource-gpgcheck.patch"
   https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+attachment/2820798/+files/apt_dpkgsource-gpgcheck.patch

** Changed in: apt (Ubuntu)
       Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/939322

Title:
  apt-get source ignores missing key

Status in “apt” package in Ubuntu:
  Triaged

Bug description:
  Running "apt-get source wireshark" produced the message "Can't check
  signature: public key not found", but after this message it proceeded
  with unpacking the source, which it had not verified the integrity of.

  Continuing by default when a signature cannot be verified is a
  security risk. (If the package had had just a few more patches, the
  message would have scrolled out of the window before I would have seen
  it).

  Extracting an unverified package should require explicit user
  confirmation. Either by requesting the user answer y or n while the
  command is running, or by aborting with an error telling the user a
  flag that can be used to proceed regardless of unverified signatures.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: apt 0.7.25.3ubuntu9.10
  ProcVersionSignature: Ubuntu 2.6.32-37.81-generic 2.6.32.49+drm33.21
  Uname: Linux 2.6.32-37-generic i686
  Architecture: i386
  Date: Thu Feb 23 09:24:04 2012
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release i386 (20110720.1)
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_DK.utf8
   SHELL=/bin/bash
  SourcePackage: apt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+subscriptions

More information about the foundations-bugs mailing list