[Bug 1669517] [NEW] apt-key del must absolutely detect all errors, and then provide NON-zero return code and error message
Etienne URBAH
eurbah at free.fr
Thu Mar 2 16:57:10 UTC 2017
Public bug reported:

Currently, 'apt-key del' does NOT detect that the keyid given as a parameter is invalid:
it displays 'OK' and provides a return code equal to zero (see log below).

I consider that letting users erroneously believe that a GPG key has been
successfully removed is a security issue.

In fact, 'apt-key del' must absolutely detect all errors, and then
provide a NON-zero return code and an error message.

# wget -q -O - https://oss.oracle.com/el4/RPM-GPG-KEY-oracle | apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg add -
OK
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg list
/etc/apt/trusted.gpg.d/oracle.gpg
---------------------------------
pub 1024D/B38A8516 2006-09-05 [expired: 2013-09-06]
uid Oracle OSS group (Open Source Software group) <build at oss.oracle.com>
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg del 1024D/B38A8516
OK
# echo $?
0
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg list
/etc/apt/trusted.gpg.d/oracle.gpg
---------------------------------
pub 1024D/B38A8516 2006-09-05 [expired: 2013-09-06]
uid Oracle OSS group (Open Source Software group) <build at oss.oracle.com>
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg del B38A8516
OK
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg list
#
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apt 1.2.19
ProcVersionSignature: Ubuntu 4.4.0-65.86-generic 4.4.49
Uname: Linux 4.4.0-65-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Thu Mar 2 17:34:07 2017
InstallationDate: Installed on 2014-11-03 (849 days ago)
InstallationMedia: Ubuntu-GNOME 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
SourcePackage: apt
UpgradeStatus: Upgraded to xenial on 2016-05-09 (297 days ago)
** Affects: apt (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug xenial
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1669517
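
A wrapper that closes the gap this report describes, as an added example (not apt's code and not from the reporter): it rejects a malformed key ID, then checks the keyring before and after 'apt-key del' instead of trusting 'OK' and exit status 0. The GPG and APT_KEY variables and all function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not apt's code. GPG, APT_KEY and the function names are
# assumptions of this sketch; both variables can point at test doubles.
GPG=${GPG:-gpg}
APT_KEY=${APT_KEY:-apt-key}

# Accept only bare hex IDs of 8, 16 or 40 digits (optional 0x prefix) and
# print them upper-cased. A form such as "1024D/B38A8516" is rejected.
normalize_keyid() {
    id=${1#0x}; id=${id#0X}
    case $id in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    case ${#id} in 8|16|40) ;; *) return 1 ;; esac
    printf '%s\n' "$id" | tr 'a-f' 'A-F'
}

# Succeeds if the keyring holds a primary key or subkey matching the ID.
# Field 5 of pub/sub records is the long key ID, field 10 of fpr records
# is the fingerprint; the requested ID must be a suffix of one of them.
key_present() {
    "$GPG" --no-default-keyring --keyring "$1" --with-colons \
           --with-fingerprint --list-keys 2>/dev/null |
    awk -F: -v id="$2" '
        function ends(s) { return length(s) >= length(id) &&
                           substr(s, length(s) - length(id) + 1) == id }
        ($1 == "pub" || $1 == "sub") && ends(toupper($5)) { found = 1 }
        $1 == "fpr" && ends(toupper($10))                 { found = 1 }
        END { exit !found }'
}

# Delete a key and verify the result instead of trusting "OK" / exit 0.
# Returns 0 removed, 2 malformed ID, 3 key not in keyring, 4 still present.
safe_key_del() {
    keyring=$1
    id=$(normalize_keyid "$2") || { echo "invalid key ID: $2" >&2; return 2; }
    key_present "$keyring" "$id" ||
        { echo "key $id not found in $keyring" >&2; return 3; }
    "$APT_KEY" --keyring "$keyring" del "$id" >/dev/null || return 4
    if key_present "$keyring" "$id"; then
        echo "key $id still present in $keyring" >&2; return 4
    fi
    echo "removed $id from $keyring"
}
```

Called as safe_key_del /etc/apt/trusted.gpg.d/oracle.gpg 1024D/B38A8516, it exits with status 2 and leaves the keyring untouched.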