[Bug 356012] Re: APT does not properly handle expired or revoked key signatures
Bug Watch Updater
356012 at bugs.launchpad.net
Thu Aug 11 03:22:08 UTC 2011
** Changed in: apt (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/356012
Title:
APT does not properly handle expired or revoked key signatures
Status in “apt” package in Ubuntu:
Fix Released
Status in “apt” source package in Dapper:
Fix Released
Status in “apt” source package in Gutsy:
Won't Fix
Status in “apt” source package in Hardy:
Fix Released
Status in “apt” source package in Intrepid:
Fix Released
Status in “apt” source package in Jaunty:
Fix Released
Status in “apt” package in Debian:
Fix Released
Bug description:
apt-get does not properly handle revoked or expired key signatures
since it internally uses gpgv vs gpg to check signatures, and does not
properly check for the error codes. It uses VALIDSIG to determine if a
signature is valid, but this code can be given if the signature itself
has expired, the signing key has expired, or the key has been revoked.
Steps to Reproduce:
1. Add a source with expired or revoked key to sources.list (or set the system clock far enough that a key appears to be expired)
2. Run apt-get update
3. No warning message is printed from apt-get.
I'm working on a bazaar branch to resolve this now by properly using
gpg vs gpgv and checking the status messages from GPG.
The Debian bug linked does not include that revoked signatures are a
problem.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/356012/+subscriptions
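The failure mode in the bug description, as an added example (not code from APT or from the reporter's branch): a check that accepts any VALIDSIG status line, next to one that first rejects on GnuPG's EXPSIG, EXPKEYSIG and REVKEYSIG keywords. The key ID, fingerprint, user ID and status lines are constructed sample data, and the function names are hypothetical.

```python
# Added example, not APT's code. Keywords are GnuPG status keywords;
# the key ID, fingerprint, user ID and sample status lines are constructed.
PREFIX = "[GNUPG:] "
REJECT = {  # outcomes that must fail the check even when VALIDSIG is present
    "EXPSIG": "signature has expired",
    "EXPKEYSIG": "signing key has expired",
    "REVKEYSIG": "signing key has been revoked",
    "BADSIG": "signature does not verify",
    "ERRSIG": "signature could not be checked",
}
KEYID = "0123456789ABCDEF"
FPR = "000011112222333344445555" + KEYID
UID = "Constructed Archive Key <archive@example.org>"
VALID = f"{PREFIX}VALIDSIG {FPR} 2011-08-11 1313032928 0 4 0 1 2 00 {FPR}"
SAMPLES = {
    "good": f"{PREFIX}GOODSIG {KEYID} {UID}\n{VALID}",
    "expired_key": f"{PREFIX}KEYEXPIRED 1230000000\n{PREFIX}EXPKEYSIG {KEYID} {UID}\n{VALID}",
    "revoked_key": f"{PREFIX}REVKEYSIG {KEYID} {UID}\n{VALID}",
    "expired_sig": f"{PREFIX}EXPSIG {KEYID} {UID}\n{VALID}",
}


def check_status(status_text):
    """Return (trusted, reasons); any rejecting keyword is fatal."""
    good = valid = False
    reasons = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable output, not a status line
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] in REJECT:
            keyid = fields[1] if len(fields) > 1 else "?"
            reasons.append(f"{REJECT[fields[0]]} (key {keyid})")
        elif fields[0] == "GOODSIG":
            good = True
        elif fields[0] == "VALIDSIG":
            valid = True
    if not reasons and not (good and valid):
        reasons.append("no GOODSIG/VALIDSIG pair in status output")
    return (not reasons, reasons)


def validsig_only(status_text):
    """The flawed check from the report: VALIDSIG alone counts as valid."""
    return any(l.startswith(PREFIX + "VALIDSIG") for l in status_text.splitlines())
```

Because one rejecting keyword fails the whole input, a file carrying several signatures is rejected if any one of them is expired or revoked.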