Subject: simple-cdd: fails to validate Release file with a good signature and a signature that can't be checked
Date: Wed, 25 Aug 2021 19:38:05 +0200
Package: simple-cdd
Version: 0.6.8
Severity: normal
X-Debbugs-Cc: [email protected]
Right now if you try to use simple-cdd on a stretch or buster system (to
build stretch/buster images), you get failures like this one:
> 2021-08-24 10:45:08 ERROR verify gpg signature exited with code 2
> 2021-08-24 10:45:08 ERROR Last 3 lines of standard error:
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: Signature made Tue 24 Aug 2021 09:21:34 AM CDT
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: Can't check signature: No public key
> 2021-08-24 10:45:08 ERROR Signature verification failed on ['gpg', '--batch', '--no-default-keyring', '--keyring', '/usr/share/keyrings/debian-archive-keyring.gpg', '--keyring', '/srv/install/simple-cdd/.gnupg/pubring.gpg', '--verify', '/srv/install/simple-cdd/tmp/mirror/extrafiles']
> FAILURE: build-simple-cdd failed, exiting
The problem is that the Release file (and the extrafiles) of stretch and
buster is signed by 4 keys, including the recently added keys for
bullseye. But /usr/share/keyrings/debian-archive-keyring.gpg in
stretch/buster does not (yet) contain the new key and simple-cdd uses `gpg
--verify` which fails with error code 2 as soon as a single signature
can't be verified.
But simple-cdd should fail only if none of the signatures can be
verified or if some signature fails to verify while the key is present
(a bit like APT does it...). The absence of a key should not result in
a failure provided that the other signatures are working.
Elements of proof:
$ wget http://debian.backend.mirrors.debian.org/debian/dists/stretch/Release
$ wget http://debian.backend.mirrors.debian.org/debian/dists/stretch/Release.gpg
$ LANG=C gpg --keyring /srv/chroots/buster-amd64/usr/share/keyrings/debian-archive-keyring.gpg --verify Release.gpg Release
gpg: Signature made Sat Aug 14 09:43:24 2021 CEST
gpg: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpg: Good signature from "Debian Archive Automatic Signing Key (9/stretch) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
Subkey fingerprint: 16E9 0B3F DF65 EDE3 AA7F 323C 04EE 7237 B7D4 53EC
gpg: Signature made Sat Aug 14 09:43:25 2021 CEST
gpg: using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpg: Good signature from "Debian Archive Automatic Signing Key (10/buster) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
Subkey fingerprint: 0146 DC6D 4A0B 2914 BDED 34DB 648A CFD6 22F3 D138
gpg: Signature made Sat Aug 14 10:46:19 2021 CEST
gpg: using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: Can't check signature: No public key
gpg: Signature made Sat Aug 14 10:26:43 2021 CEST
gpg: using RSA key 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpg: issuer "[email protected]"
gpg: Good signature from "Debian Stable Release Key (9/stretch) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
$ echo $?
2
$ LANG=C gpg --keyring /srv/chroots/buster-amd64/usr/share/keyrings/debian-archive-keyring.gpg --with-subkey-fingerprints --list-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: error reading key: No public key
$ LANG=C gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --with-subkey-fingerprints --list-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
1F89983E0081FDE018F3CC9673A4F27B8DD47936
uid [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub rsa4096 2021-01-17 [S] [expires: 2029-01-15]
A7236886F3CCCAAD148A27F80E98404D386FA1D9
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages simple-cdd depends on:
ii dctrl-tools 2.24-3+b1
ii debian-cd 3.1.35
ii lsb-release 11.1.0
ii python3 3.9.2-3
ii python3-simple-cdd 0.6.8
ii reprepro 5.3.0-1.2
ii rsync 3.2.3-4
ii wget 1.21-1+b1
Versions of packages simple-cdd recommends:
ii dose-distcheck 6.0.1-2
Versions of packages simple-cdd suggests:
ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11
-- no debconf information
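The report's proposed policy (accept when at least one signature is good and no signature fails with a key that is actually present; tolerate signatures whose key is absent) can be implemented by reading gpg's machine-readable status lines instead of its exit code. The following is an added example and not simple-cdd's own code; it assumes gpg is invoked with `--status-fd 1` and that the status keywords GOODSIG, BADSIG, ERRSIG (with return code 9 meaning "no public key") and EXPKEYSIG/REVKEYSIG/EXPSIG are emitted as documented in GnuPG's DETAILS file. The embedded status text is constructed to mirror the stretch Release.gpg session above (two archive keys and the stable release key present, the bullseye subkey 0E98404D386FA1D9 missing); the timestamp in it is made up.

```python
"""Evaluate a multi-signature gpg verification the way the bug report asks for."""
import subprocess
from dataclasses import dataclass, field
from typing import List


@dataclass
class VerifyResult:
    good: List[str] = field(default_factory=list)         # key ids with GOODSIG
    bad: List[str] = field(default_factory=list)          # key ids with BADSIG
    missing: List[str] = field(default_factory=list)      # ERRSIG rc=9: no public key
    uncheckable: List[str] = field(default_factory=list)  # other ERRSIG (e.g. unsupported algorithm)
    worthless: List[str] = field(default_factory=list)    # EXPKEYSIG / REVKEYSIG / EXPSIG

    def accepted(self) -> bool:
        # Policy from the report: at least one good signature, and no signature
        # that fails to verify with a key we actually hold. A missing key alone
        # (the bullseye case) does not reject the file.
        return bool(self.good) and not self.bad


def parse_status(status_text: str) -> VerifyResult:
    """Classify every signature reported on gpg's status fd."""
    res = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            res.good.append(fields[2])
        elif keyword == "BADSIG":
            res.bad.append(fields[2])
        elif keyword in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            res.worthless.append(fields[2])
        elif keyword == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> [<fpr>]
            rc = fields[7] if len(fields) > 7 else ""
            (res.missing if rc == "9" else res.uncheckable).append(fields[2])
        # NO_PUBKEY duplicates ERRSIG rc=9 for the same signature, so it is not counted again.
    return res


def verify_detached(sig_path: str, data_path: str, keyrings: List[str]) -> VerifyResult:
    """Run gpg (assumed on PATH) and judge the result from its status lines, not its exit code."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--status-fd", "1"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    cmd += ["--verify", sig_path, data_path]
    # The exit status is deliberately ignored: gpg returns 2 as soon as one
    # signature cannot be checked, which is exactly the behaviour being replaced.
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_status(proc.stdout)


# Constructed status output modelled on the stretch Release.gpg session in the report.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch)
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster)
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0E98404D386FA1D9 1 10 00 1628930000 9 A7236886F3CCCAAD148A27F80E98404D386FA1D9
[GNUPG:] NO_PUBKEY 0E98404D386FA1D9
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EF0F382A1A7B6500 Debian Stable Release Key (9/stretch)
"""

# Same file, but one signature made with a key we hold does not verify (tampered data).
SAMPLE_STATUS_TAMPERED = SAMPLE_STATUS.replace("GOODSIG 648ACFD622F3D138", "BADSIG 648ACFD622F3D138")

# Only a signature from an unknown key: nothing vouches for the file.
SAMPLE_STATUS_ONLY_MISSING = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0E98404D386FA1D9 1 10 00 1628930000 9 A7236886F3CCCAAD148A27F80E98404D386FA1D9
[GNUPG:] NO_PUBKEY 0E98404D386FA1D9
"""


if __name__ == "__main__":
    for name, text in (("stretch", SAMPLE_STATUS), ("tampered", SAMPLE_STATUS_TAMPERED),
                       ("only-missing", SAMPLE_STATUS_ONLY_MISSING)):
        r = parse_status(text)
        print(f"{name}: accepted={r.accepted()} good={r.good} bad={r.bad} missing={r.missing}")
```

`verify_detached` is the drop-in replacement for the `gpg --verify` call quoted in the log above; the three constructed samples show the policy accepting the real-world stretch case, rejecting a BADSIG from a known key, and rejecting a file whose only signature cannot be checked.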
Acknowledgement sent to Raphael Hertzog <[email protected]>: Extra info received and forwarded to list. Copy sent to Simple-CDD Developers <[email protected]>. (Wed, 25 Aug 2021 17:57:08 GMT)
Subject: Re: Bug#992966: simple-cdd: fails to validate Release file with a good signature and a signature that can't be checked
Date: Wed, 25 Aug 2021 19:53:28 +0200
Control: severity -1 important
Bumping the severity on suggestion of #debian-release.
On Wed, 25 Aug 2021, Raphaël Hertzog wrote:
> Right now if you try to use simple-cdd on a stretch or buster system (to
> build stretch/buster images), you get failures like this one:
I was a bit too quick in my assertion. The problem is limited to stretch
because buster's debian-archive-keyring has been updated a while ago (but
my buster chroot was not up-to-date):
https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/
Cheers,
--
Raphaël Hertzog ◈ Freexian SARL ◈ Tel: +33 (0)6 88 21 35 47
https://www.freexian.com