Re: backports

[ I will remove all email addresses from the output of the gpg commands   which I use/quote below. ]

On Wed, Jun 27, 2007 at 17:27:15 +0100, Chris Lale wrote:

[...]

> How to you check the output of "gpg --check-sigs"? I Googled a bit and it seems
> that an exclamation mark ("!") indicates a successful check. Is that true?

Yes, but you also have to check which key ID is listed for the signature.

> eg
> $ gpg --check-sigs --keyring /usr/share/keyrings/debian-backports-keyring.gpg

This command only shows you that the backports archive key (16BA136C) has the usual self signature (note the same key ID):

> /usr/share/keyrings/debian-backports-keyring.gpg
> ------------------------------------------------
> pub 1024D/16BA136C 2005-08-21
> uid Backports.org Archive Key
> sig!3 16BA136C 2005-08-21 Backports.org Archive Key
> sig!3 16BA136C 2005-08-21 Backports.org Archive Key
> sub 2048g/5B82CECE 2005-08-21
> sig! 16BA136C 2005-08-21 Backports.org Archive Key

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

You have to tell gpg which key's signatures it should check. If you really want to know what is going on then you should first look at the list of signatures for the backports key:

$ gpg --keyring /usr/share/keyrings/debian-backports-keyring.gpg --list-sig 16BA136C pub 1024D/16BA136C 2005-08-21

uid                  Backports.org Archive Key
sig          7E7B8AC9 2005-11-20  [User ID not found]
sig          657BF03D 2006-05-27  [User ID not found]
sig 3        16BA136C 2005-08-21  Backports.org Archive Key
sig 3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig          16BA136C 2005-08-21  Backports.org Archive Key

You see that the key has been signed with two other keys, 7E7B8AC9 and 657BF03D. These keys are not included in debian-backports-keyring.gpg and they are also not on my user's default keyring, therefore gpg cannot provide any information besides the key IDs. If you replace "--list-sig" with "--check-sig" in the above command you will get "2 signatures not checked due to missing keys". However, if you tell gpg to include the keyring from the debian-keyring package, you can verify that one of the signatures was made by a Debian developer:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-backports-keyring.gpg --check-sig 16BA136C pub 1024D/16BA136C 2005-08-21

uid                  Backports.org Archive Key
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key

1 signature not checked due to a missing key

The second signature (657BF03D) is meaningless to you, unless you can establish trust in this person by some other means. You can of course find this second key on a keyserver, but anyone can upload keys to the keyservers.

Note that the "--list-sig" command also makes sure that there is no bogus 7E7B8AC9 key on my user's default keyring since the key is not known until I point gpg to the Debian keyring.

> I wanted to find a generic method of importing and checking keys for a number of
> unofficial deb sites. It is difficult to find the key ids on some of the
> websites.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

Apt(itude) lists the key IDs when it complains about missing keys.

> One thing they all had in common was having a keyring package. I tried
> backports.org, debian-multimedia.org and debian-unofficial.org. So, here is my
> generic method:
>
> 1. Add the appropriate line to /etc/apt/sources.list.
>
> 2. Update with apt-get or aptitude.
>
> 3. Install the appropriate keyring package (eg debian-multimedia-keyring). The
> keyrings all end up in /etc/share/keyrings/${package-name}.gpg

You are again running an unverified installation script as root. How do you know that your other keyrings, the gpg binary itself and the rest of your system are still trustworthy after that?

> 4. Check the signatures IMMEDIATELY eg
> $ gpg --check-sigs --keyring /usr/share/keyrings/debian-multimedia-keyring.gpg
>
> 5. If the check fails,
>
> a.purge the keyring package and check that the keyring subdirectory has been
> removed from /etc/share/keyrings/.
>
> b. You can still install packages from the suspect repository, but there will be
> a warning. To be safe, remove the repository line from /etc/apt/sources.list.

Here is a procedure for paranoid people, starting after your step 2; all these commands should be run as an unprivileged user. (The key is extracted manually and added to the unprivileged user's keyring; then it can be checked without risk.)

aptitude download debian-backports-keyring mkdir tempdir
dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/ mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg . rm -rf tempdir/

gpg --import debian-backports-keyring.gpg
gpg --list-sig 16BA136C
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 16BA136C

If the key has a valid signature of a Debian developer then you can export it and add it to apt's key ring. (See my earlier mail.) After that you can install the desired backports packages, including the backports keyring package for convenience in case of future key updates.

BTW, the debian-multimedia archive is a special case since Christian Marillat does not use a dedicated archive key; he signs the release files with his normal public key. This key is already included in the debian-keyring package, so you can simply (and safely) export the key from this keyring and feed it to apt:

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg -a --export 1F41B907 | sudo apt-key add -

-- 
Regards,            | 
http://users.icfo.es/Florian.Kulzer
          Florian   |


-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org