[Bug 1669517] Re: apt-key del must absolutely detect all errors, and then provide NON-zero return code and error message
Julian Andres Klode
jak at jak-linux.org
Thu Mar 2 17:31:55 UTC 2017
First of all, this is extremely wrong:
wget -q -O - https://oss.oracle.com/el4/RPM-GPG-KEY-oracle | apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg add -
- it will cause your apt installation to fail validating keys silently
(as in, you don't know why it failed) if you do this on a recent system.
You have to pass the key through gpg --dearmor; --keyring can change (and
recently has changed) its format.
With the current setup, we can't show a warning if a key was not deleted
- there are multiple keyrings, and we first check if a key is in a
keyring before running gpg on it (probably to prevent errors). We can't
just warn there - we'd then warn for all cases.
I'm not sure if fixing this is worth it. apt-key del (well apt-key
itself, even) is not meant to be used, except for maintainer scripts
migrating to the saner trusted.gpg.d file.
** Changed in: apt (Ubuntu)
Importance: Undecided => Low
** Changed in: apt (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1669517
Title:
apt-key del must absolutely detect all errors, and then provide NON-
zero return code and error message
Status in apt package in Ubuntu:
Triaged
Bug description:
Currently, 'apt-key del' does NOT detect that the keyid given in parameter is invalid:
It displays 'OK' and provides a return code equal to zero (see log below).
I consider that letting one erroneously believe that a GPG key has been
successfully removed is a security issue.
In fact 'apt-key del' must absolutely detect all errors, and then
provide NON-zero return code and error message.
# wget -q -O - https://oss.oracle.com/el4/RPM-GPG-KEY-oracle | apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg add -
OK
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg list
/etc/apt/trusted.gpg.d/oracle.gpg
---------------------------------
pub 1024D/B38A8516 2006-09-05 [expired: 2013-09-06]
uid Oracle OSS group (Open Source Software group) <build at oss.oracle.com>
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg del 1024D/B38A8516
OK
# echo $?
0
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg list
/etc/apt/trusted.gpg.d/oracle.gpg
---------------------------------
pub 1024D/B38A8516 2006-09-05 [expired: 2013-09-06]
uid Oracle OSS group (Open Source Software group) <build at oss.oracle.com>
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg del B38A8516
OK
# apt-key --keyring /etc/apt/trusted.gpg.d/oracle.gpg list
#
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apt 1.2.19
ProcVersionSignature: Ubuntu 4.4.0-65.86-generic 4.4.49
Uname: Linux 4.4.0-65-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Thu Mar 2 17:34:07 2017
InstallationDate: Installed on 2014-11-03 (849 days ago)
InstallationMedia: Ubuntu-GNOME 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
SourcePackage: apt
UpgradeStatus: Upgraded to xenial on 2016-05-09 (297 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1669517/+subscriptions
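Since neither the "OK" nor the exit status of apt-key del can be trusted, a maintainer script has to check the keyring itself. The script below is an added example for this thread, not code from apt, the bug report or the reply; it assumes POSIX sh with awk, sed and tr, and only the two wrapper functions at the end need gpg, apt-key and wget. The gpg --with-colons listing it is tested against is constructed (the long id and fingerprint are made up; only the short id B38A8516 and the uid text come from the report). normalize_keyid also accepts the "1024D/B38A8516" form from the report, so the check after deletion reports the key as still present instead of silently passing; import_dearmored is the gpg --dearmor variant of the add command from the reply.

```shell
#!/bin/sh
# Added example, not code from apt, the bug report or the reply above.
# Assumes POSIX sh with awk, sed and tr; gpg, apt-key and wget are only
# needed by the two wrapper functions at the end.

# Constructed sample of `gpg --with-colons --list-keys` output for a keyring
# holding one expired key. The long id and fingerprint are made up; only the
# short id B38A8516 and the uid text come from the bug report.
SAMPLE_LISTING='tru::1:1488474715:0:3:1:5
pub:e:1024:17:01234567B38A8516:1157443200:1378425600::-:::sc::::::::
fpr:::::::::89ABCDEF0123456789ABCDEF01234567B38A8516:
uid:e::::1157443200::0000000000000000000000000000000000000000::Oracle OSS group (Open Source Software group) <build@oss.oracle.com>::::::::::0:'

# What the same keyring lists once the key really has been deleted.
EMPTY_LISTING='tru::1:1488474715:0:3:1:5'

# normalize_keyid ID -> prints the hex part in upper case, stripping a
# "1024D/" style algorithm prefix and a leading "0x". Fails unless the
# result is 8, 16 or 40 hex digits (short id, long id or fingerprint).
normalize_keyid() {
    id=$(printf '%s' "$1" | sed -e 's|^.*/||' -e 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    case "$id" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case ${#id} in
        8|16|40) printf '%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# listing_has_key LISTING ID -> 0 if ID names a key in LISTING (matched as a
# suffix of the long id in "pub" records or of the fingerprint in "fpr"
# records), 1 if it is absent, 2 if ID is not a usable key id at all.
listing_has_key() {
    key=$(normalize_keyid "$2") || return 2
    printf '%s\n' "$1" | awk -F: -v id="$key" '
        $1 == "pub" || $1 == "fpr" {
            k = ($1 == "pub") ? $5 : $10
            if (length(k) >= length(id) &&
                substr(k, length(k) - length(id) + 1) == id)
                found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# apt_key_del_verified KEYRING ID -> run `apt-key del`, then inspect the
# keyring itself instead of trusting apt-key's "OK" and exit status.
# Returns 0 only if the key is gone afterwards, 1 if it is still there,
# 2 if ID could never have matched a key.
apt_key_del_verified() {
    keyring=$1
    want=$2
    apt-key --keyring "$keyring" del "$want" >/dev/null 2>&1 || true
    after=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                --with-colons --list-keys 2>/dev/null)
    rc=0
    listing_has_key "$after" "$want" || rc=$?
    case $rc in
        0) echo "error: key $want is still present in $keyring" >&2; return 1 ;;
        2) echo "error: '$want' is not a key id (expected 8, 16 or 40 hex digits)" >&2; return 2 ;;
        *) return 0 ;;
    esac
}

# import_dearmored URL DEST -> fetch an ASCII-armored key and store it in
# DEST in binary (dearmored) form, which is what a file under
# /etc/apt/trusted.gpg.d has to be. Never leaves a half-written DEST behind.
import_dearmored() {
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$1" && gpg --batch --dearmor < "$tmp" > "$2"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp" "$2"
    return 1
}

# Stand-alone demonstration on the constructed listing (no gpg needed):
for try in B38A8516 1024D/B38A8516 DEADBEEF; do
    if listing_has_key "$SAMPLE_LISTING" "$try"; then
        echo "$try: present in keyring"
    else
        echo "$try: not present (status $?)"
    fi
done
```

In a maintainer script the call would be `apt_key_del_verified /etc/apt/trusted.gpg.d/oracle.gpg B38A8516 || exit 1`, which turns the silent "OK" from the report into a non-zero exit and an error message whenever the key survives the deletion.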