[Bug 1961454] Re: [SRU] Package unusable due to yearly key changes

Mathew Hodson 1961454 at bugs.launchpad.net
Sat Feb 19 17:55:58 UTC 2022


** Also affects: debian-ports-archive-keyring (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: debian-ports-archive-keyring (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: debian-ports-archive-keyring (Ubuntu)
       Status: New => Fix Released

** Changed in: debian-ports-archive-keyring (Ubuntu)
   Importance: Undecided => Medium

** Changed in: debian-ports-archive-keyring (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: debian-ports-archive-keyring (Ubuntu Focal)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1961454

Title:
  [SRU] Package unusable due to yearly key changes

Status in debian-ports-archive-keyring package in Ubuntu:
  Fix Released
Status in debian-ports-archive-keyring source package in Bionic:
  New
Status in debian-ports-archive-keyring source package in Focal:
  New

Bug description:
  [Impact]

   * ftp.ports.debian.org changes keys every year, and updates
  debian-ports-archive-keyring 2 years ahead of time.

   * Packages in bionic and focal do not have 2022's key, making the
  packages unusable.

   * SRU falls under "Updates that need to be applied to Ubuntu packages
  to adjust to changes in the environment, server protocols, web
  services, and similar"

   * Package can be synced directly from Debian

  [Test Plan]

  sudo debootstrap --arch=riscv64 --force-check-gpg --foreign \
    --keyring=/usr/share/keyrings/debian-ports-archive-keyring.gpg \
    sid /tmp/sid http://ftp.ports.debian.org/debian-ports/

  Expected:

  I: Checking Release signature
  I: Valid Release signature (key id CBC70A60B9ED6F237A5F5B0BE852514F5DF312F6)
  I: Retrieving Packages 
  I: Validating Packages 
  I: Resolving dependencies of required packages...
  I: Resolving dependencies of base packages...
  [...]

  Currently:

  I: Checking Release signature
  E: Release signed by unknown key (key id E852514F5DF312F6)
     The specified keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg may be incorrect or out of date.
     You can find the latest Debian release key at https://ftp-master.debian.org/keys.html

  [Where problems could occur]

   * Very old keys are removed from the keyring by subsequent package
  updates. An existing program might be looking for old keys and start
  failing, but this scenario is probably unlikely.

  
  [Other Info]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debian-ports-archive-keyring/+bug/1961454/+subscriptions
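
The condition behind the "unknown key" error in the test plan can be checked without running debootstrap. The following is an added example, not part of the bug report or the package: a shell function that reads a gpg colon-format key listing and reports whether the Release signing key is in the keyring and unexpired. The function name keyring_has_key, the sample listings, the placeholder key and all timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample listings are constructed, in the colon format of
#   gpg --no-default-keyring --keyring FILE --with-colons --fingerprint
# Only the 2022 key id and fingerprint come from the bug report; the other
# key, all timestamps and the uid strings are placeholders.
OLD_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1577836800:1675209600::-:::scSC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1577836800::0000::Constructed placeholder key::::::::::0:'
NEW_LISTING="$OLD_LISTING
pub:-:4096:1:E852514F5DF312F6:1609459200:1706745600::-:::scSC::::::23::0:
fpr:::::::::CBC70A60B9ED6F237A5F5B0BE852514F5DF312F6:
uid:-::::1609459200::0000::Constructed uid for the 2022 key::::::::::0:"

# keyring_has_key KEY NOW  (colon listing on stdin)
# KEY is a 16-hex key id or a 40-hex fingerprint; only its last 16 hex
# digits are compared, which is how the "unknown key" id in the error maps
# onto the full fingerprint in the expected output.
# NOW is epoch seconds. Prints "missing", "present FPR" or "expired FPR".
keyring_has_key() {
    awk -F: -v want="$1" -v now="$2" '
        BEGIN { want = toupper(substr(want, length(want) - 15)); state = "missing" }
        $1 == "pub" || $1 == "sub" {
            # field 5 is the 64-bit key id, field 7 the expiry (may be empty)
            hit = (toupper($5) == want)
            expired = ($7 != "" && $7 + 0 <= now + 0)
            next
        }
        $1 == "fpr" && hit {
            # field 10 of the fpr record is the full fingerprint
            state = (expired ? "expired " : "present ") $10
            hit = 0
        }
        END { print state }
    '
}

echo "old keyring: $(printf '%s\n' "$OLD_LISTING" | keyring_has_key E852514F5DF312F6 1645293358)"
echo "new keyring: $(printf '%s\n' "$NEW_LISTING" | keyring_has_key E852514F5DF312F6 1645293358)"
```
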



