[Bug 1672710] Re: apt fails to verify keys when Dir has space, and set via cmdline

Launchpad Bug Tracker 1672710 at bugs.launchpad.net
Wed Apr 5 16:00:25 UTC 2017 

This bug was fixed in the package apt - 1.4

---------------
apt (1.4) unstable; urgency=medium

  * The April Fools' Release

  [ Julian Andres Klode ]
  * Ignore \.ucf-[a-z]+$ like we do for \.dpkg-[a-z]+$
  * Fix mistake in CHANGEPATH comment example

  [ Chris Lamb ]
  * auto-removal: Ignore running kernel if attempting a reproducible build
    (Closes: #857632)

  [ Joe Dalton ]
  * Danish program translation update (Closes: #856723)

  [ David Kalnischkies ]
  * Fix and avoid quoting in CommandLine::AsString (LP: #1672710)
  * Ignore AutomaticRemove conffile option in upgrade (Closes: #855891)

 -- Julian Andres Klode <jak at debian.org>  Sat, 01 Apr 2017 21:39:37
+0200

** Changed in: apt (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1672710

Title:
  apt fails to verify keys when Dir has space, and set via cmdline

Status in apt package in Ubuntu:
  Fix Released

Bug description:
  When Dir has a space, and it is set via APT_CONFIG file, keys are found and validated correctly.
  When Dir is set without a space via cmdline, keys are found and validated correctly.
  When Dir is set with a space via cmdline, keys are not found and repositories are not verified.

  
  Please see attached reproducer, which works on xenial system (gpg1) but not on zesty system (gpg2)

  $ bash reproducer.sh
  ++ mktemp -d
  + tmpdir=/tmp/tmp.sFipy6h5yL
  + pushd /tmp/tmp.sFipy6h5yL
  /tmp/tmp.sFipy6h5yL ~
  + mkdir 'Sub Dir'
  + pushd 'Sub Dir'
  /tmp/tmp.sFipy6h5yL/Sub Dir /tmp/tmp.sFipy6h5yL ~
  + mkdir -p etc/apt/apt.conf.d
  + mkdir -p etc/apt/trusted.gpg.d
  + mkdir -p etc/apt/preferences.d
  + mkdir -p var/lib/apt/lists/partial
  + mkdir -p var/lib/dpkg
  + touch var/lib/dpkg/status
  + cp /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg etc/apt/trusted.gpg.d/
  + echo 'deb http://archive.ubuntu.com/ubuntu/ trusty main'
  + echo 'Dir "/tmp/tmp.sFipy6h5yL/Sub Dir";'
  + export APT_CONFIG=/tmp/tmp.sFipy6h5yL/apt.conf
  + APT_CONFIG=/tmp/tmp.sFipy6h5yL/apt.conf
  + cat /tmp/tmp.sFipy6h5yL/apt.conf
  Dir "/tmp/tmp.sFipy6h5yL/Sub Dir";
  + :
  + : == list available keys ==
  + apt-key list
  /tmp/tmp.sFipy6h5yL/Sub Dir/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  ---------------------------------------------------------------------------------
  pub   rsa4096 2012-05-11 [SC]
        790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
  uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>

  + :
  + : == update with environ APT_CONFIG setting the Dir variable ==
  + apt update
  Ign:1 http://archive.ubuntu.com/ubuntu trusty InRelease
  Get:2 http://archive.ubuntu.com/ubuntu trusty Release [58.5 kB]
  Get:3 http://archive.ubuntu.com/ubuntu trusty Release.gpg [933 B]
  Get:4 http://archive.ubuntu.com/ubuntu trusty/main amd64 Packages [1,350 kB]
  Fetched 1,410 kB in 0s (1,959 kB/s) 
  Reading package lists... Done
  Building dependency tree... Done
  All packages are up to date.
  + unset APT_CONFIG
  + :
  + : == update with cmdline Dir option setting Dir to relative pwd ==
  + apt -o Dir=./ update
  Ign:1 http://archive.ubuntu.com/ubuntu trusty InRelease
  Hit:2 http://archive.ubuntu.com/ubuntu trusty Release
  Reading package lists... Done
  Building dependency tree... Done
  All packages are up to date.
  + :
  + : == update with cmdline Dir option setting Dir to absolute pwd with space ==
  + apt -o 'Dir=/tmp/tmp.sFipy6h5yL/Sub Dir' update
  Ign:1 http://archive.ubuntu.com/ubuntu trusty InRelease
  Hit:2 http://archive.ubuntu.com/ubuntu trusty Release
  Err:3 http://archive.ubuntu.com/ubuntu trusty Release.gpg
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
  Reading package lists... Done
  Building dependency tree... Done
  All packages are up to date.
  W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
  W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
  W: Some index files failed to download. They have been ignored, or old ones used instead.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1672710/+subscriptions

More information about the foundations-bugs mailing list