[Bug 1577926] [NEW] apt-key works fine, yet apt fails with "Could not execute 'apt-key'"

pjd pjd at zertif.info
Tue May 3 20:21:44 UTC 2016 

Public bug reported:

Apt can fail to verify a Release file which verifies just fine when
calling apt-key directly.

Please advise how i can supply further debug information to help fix the
underlying bug.

Expected:
apt-get should only report that a repository is not signed when no such signature was found.
If a signature was in fact successfully acquired but not verified, apt-get should report failure to verify instead.
apt-get should have a meaningful error message when calling apt-key fails.

Bonus:
Calling apt-key should not fail when the same thing works fine on command line.
A reference to "Debug::Acquire::gpgv" should be in apt-secure(8) documentation.

Observed:

# uname -a
Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
# chroot reproducable
$ uname -a
Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 armv7l armv7l armv7l GNU/Linux

$ lsb_release -a 2>/dev/null
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04 LTS
Release:	16.04
Codename:	xenial

$ apt-get -o "Debug::Acquire::gpgv=true" update
Get:1 http://ports.ubuntu.com xenial-security InRelease [92.2 kB]
0% [1 InRelease gpgv 92.2 kB]igners 
Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
gpgv exited with status 111
Summary:
  Good: 
  Bad: 
  Worthless: 
  SoonWorthless: 
  NoPubKey: 
Ign:1 http://ports.ubuntu.com xenial-security InRelease
Fetched 92.2 kB in 1s (79.5 kB/s)
Reading package lists... Done
W: GPG error: http://ports.ubuntu.com xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://ports.ubuntu.com xenial-security InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

$ /usr/bin/apt-key --quiet --readonly verify --status-fd /dev/stderr /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
gpgv: Signature made Tue May  3 19:02:17 2016 UTC using DSA key ID 437D05B5
[GNUPG:] SIG_ID e53PXRjA/EMb7CuZJtAicvvUm60 2016-05-03 1462302137
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2016-05-03 1462302137 0 4 0 17 10 01 630239CC130E1A7FD81A27B140976EAF437D05B5
gpgv: Signature made Tue May  3 19:02:17 2016 UTC using RSA key ID C0B21F32
[GNUPG:] SIG_ID kCsrLo9VUm7YcYhhqQUw2fbWoY4 2016-05-03 1462302137
[GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>"
[GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2016-05-03 1462302137 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1577926

Title:
  apt-key works fine, yet apt fails with "Could not execute 'apt-key'"

Status in apt package in Ubuntu:
  New

Bug description:
  Apt can fail to verify a Release file which verifies just fine when
  calling apt-key directly.

  Please advise how i can supply further debug information to help fix
  the underlying bug.

  Expected:
  apt-get should only report that a repository is not signed when no such signature was found.
  If a signature was in fact successfully acquired but not verified, apt-get should report failure to verify instead.
  apt-get should have a meaningful error message when calling apt-key fails.

  Bonus:
  Calling apt-key should not fail when the same thing works fine on command line.
  A reference to "Debug::Acquire::gpgv" should be in apt-secure(8) documentation.

  Observed:

  # uname -a
  Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
  # chroot reproducable
  $ uname -a
  Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 armv7l armv7l armv7l GNU/Linux

  $ lsb_release -a 2>/dev/null
  Distributor ID:	Ubuntu
  Description:	Ubuntu 16.04 LTS
  Release:	16.04
  Codename:	xenial

  $ apt-get -o "Debug::Acquire::gpgv=true" update
  Get:1 http://ports.ubuntu.com xenial-security InRelease [92.2 kB]
  0% [1 InRelease gpgv 92.2 kB]igners 
  Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
  gpgv exited with status 111
  Summary:
    Good: 
    Bad: 
    Worthless: 
    SoonWorthless: 
    NoPubKey: 
  Ign:1 http://ports.ubuntu.com xenial-security InRelease
  Fetched 92.2 kB in 1s (79.5 kB/s)
  Reading package lists... Done
  W: GPG error: http://ports.ubuntu.com xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
  W: The repository 'http://ports.ubuntu.com xenial-security InRelease' is not signed.
  N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  N: See apt-secure(8) manpage for repository creation and user configuration details.

  $ /usr/bin/apt-key --quiet --readonly verify --status-fd /dev/stderr /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
  gpgv: Signature made Tue May  3 19:02:17 2016 UTC using DSA key ID 437D05B5
  [GNUPG:] SIG_ID e53PXRjA/EMb7CuZJtAicvvUm60 2016-05-03 1462302137
  [GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
  gpgv: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>"
  [GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2016-05-03 1462302137 0 4 0 17 10 01 630239CC130E1A7FD81A27B140976EAF437D05B5
  gpgv: Signature made Tue May  3 19:02:17 2016 UTC using RSA key ID C0B21F32
  [GNUPG:] SIG_ID kCsrLo9VUm7YcYhhqQUw2fbWoY4 2016-05-03 1462302137
  [GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>
  gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>"
  [GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2016-05-03 1462302137 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1577926/+subscriptions

More information about the foundations-bugs mailing list