[Bug 1649097] Re: any source package signature is not valid
Julian Andres Klode
julian.klode at gmail.com
Tue Dec 13 08:39:44 UTC 2016
APT does not care about those keys. dpkg verifies them while unpacking
and gpgv here just prints a short key id instead of a fingerprint (long
id is broken as well).
The only thing we could do is disable the gpg signature check in
dpkg-source when APT calls it for a secure package (that is, pass
--no-check to dpkg-source).
--
https://bugs.launchpad.net/bugs/1649097
Title:
any source package signature is not valid
Status in apt package in Ubuntu:
New
Bug description:
In short:
The GPG key 105BE7F7, with which the 'linux' source package is signed,
was revoked on 08/16/16 (4 months ago!)
How to reproduce:
$ apt-get source linux-image-$(uname -r)
...
Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
...
Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB]
...
gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
...
### if you add this key:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
$ apt-key list
...
pub 4096R/105BE7F7 2011-09-06
uid Brad Figg <brad.figg at canonical.com>
sub 4096R/F336E4D5 2011-09-06
pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
uid Brad Figg <brad.figg at canonical.com>
### THE KEY WAS REVOKED 4 MONTHS AGO!
### Additional info:
$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
### My unmodified /etc/apt/sources.list is attached.
### Note, /etc/apt/sources.list.d/ directory is empty.
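
Added example (not part of the bug report and not apt or dpkg code): the key listing quoted above contains two primary keys that share the short ID 105BE7F7, only one of which is marked revoked, so the short ID that gpgv prints does not identify which key made the signature. The script below flags such ambiguous short IDs in a listing; the function names are hypothetical and the input format is assumed to be the legacy "pub <size><algo>/<short-id> <date>" layout shown in the description.

```shell
#!/bin/sh
# Added example: report primary keys whose 32-bit short ID is shared with
# another primary key in a legacy "apt-key list" style listing.

# Constructed sample input, copied from the listing quoted in the bug
# description above.
sample_listing() {
cat <<'EOF'
pub 4096R/105BE7F7 2011-09-06
uid Brad Figg <brad.figg at canonical.com>
sub 4096R/F336E4D5 2011-09-06
pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
uid Brad Figg <brad.figg at canonical.com>
EOF
}

# ambiguous_short_ids (hypothetical name): reads a listing on stdin and
# prints one line per primary key whose short ID occurs more than once:
#   <short-id> <created> <revoked:DATE | not-revoked>
# "not-revoked" only means the listing line carries no [revoked: ...] tag.
ambiguous_short_ids() {
    awk '
        $1 == "pub" {
            split($2, part, "/")        # "4096R/105BE7F7" -> size+algo, short ID
            id = part[2]
            status = "not-revoked"
            if (match($0, /\[revoked: [0-9-]+\]/)) {
                # skip the 10 characters of "[revoked: " and the closing "]"
                status = "revoked:" substr($0, RSTART + 10, RLENGTH - 11)
            }
            n++
            ids[n] = id
            row[n] = id " " $3 " " status
            seen[id]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (seen[ids[i]] > 1) print row[i]
        }
    '
}

# Stand-alone run on the sample: prints both 105BE7F7 entries.
sample_listing | ambiguous_short_ids
```

Any short ID this reports has to be resolved by comparing full fingerprints before drawing conclusions about which key signed a .dsc file.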