[Bug 1912526] Re: cannot import new keys if another malformed key exists

Christian Rauch 1912526 at bugs.launchpad.net
Thu Jan 21 19:26:46 UTC 2021 

It's in the latest Ubuntu LTS and will stay be there until 2025. If it
is legacy and deprecated, maybe it should have been removed?

In its current state, this apt-key issue has some security implications:

First, the Ubuntu update GUI is not very intuitive in handling this
issue. It presents the user only with a message that there is a
connection issue, which is not true in this case. Options then are to
"try again" which will never resolve an issue with unsigned repos, or
acknowledge the issue with "Ok". This can be confusing as the "Ok" does
not indicate that updates can still be installed. A user might just
close the dialog and never install additional updates. The update
manager should just install all updates available and not bother the
user with unintuitive choices.

Second, even if you manage to decipher the update manager GUI, you will
still be left with a browser (e.g. Google Chrome in the example above)
that will never be updated. This means in the worst case that someone is
using a browser on Ubuntu LTS that gathered 5 years of security issues.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1912526

Title:
  cannot import new keys if another malformed key exists

Status in apt package in Ubuntu:
  New

Bug description:
  "apt-key add" fails to import keys if there exists another key with a
  malformed file name.

  Such malformed key names used to be provided by the openSUSE Build
  Service (https://github.com/openSUSE/software-o-o/issues/842).

  After importing such malformed key, future key imports will fail with
  something like:

      $ sudo apt-key add linux_signing_key.pub 
      gpg: invalid key resource URL '/tmp/apt-key-gpghome.f8IaqZ48Ze/isv:ownCloud:desktop.asc.gpg'
      gpg: keyblock resource '(null)': General error

  even though no such file "isv:ownCloud:desktop.asc.gpg" exists
  anywhere on the filesystem.

  This affects deb packages that import public repo keys during
  installation, such as Google Chrome or Vivaldi, and results in minor
  issues such as breaking GUI tools and CLI warnings, and the major
  issue that the installed repo cannot be used anymore to update the
  software (Google Chrome, Vivaldi).

  apt-key should be robust to such issues and continue importing keys.
  As in the example above, apt-key should import "linux_signing_key.pub"
  no matter if another unrelated key is malformed etc.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: apt 2.0.2ubuntu0.2
  ProcVersionSignature: Ubuntu 5.8.0-38.43~20.04.1-generic 5.8.18
  Uname: Linux 5.8.0-38-generic x86_64
  NonfreeKernelModules: openafs nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu27.14
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Jan 20 19:24:34 2021
  InstallationDate: Installed on 2020-04-24 (271 days ago)
  InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1912526/+subscriptions

More information about the foundations-bugs mailing list