Bug 387565 - dev-util/debootstrap fails to validate release GPGs
Summary: dev-util/debootstrap fails to validate release GPGs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Debian-related package maintainers [DISBANDED]
URL:
Whiteboard: WAS: dev-util/{,c}debootstrap fail to...
Keywords:
Depends on:
Blocks: 575320
Reported: 2011-10-18 16:52 UTC by Jeroen Roovers (RETIRED)
Modified: 2016-02-22 05:44 UTC (History)
Description Jeroen Roovers (RETIRED) gentoo-dev 2011-10-18 16:52:39 UTC
Arch teams, please test and mark stable:
=dev-util/cdebootstrap-0.5.8
Target KEYWORDS="amd64 x86"
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2011-10-18 17:04:47 UTC
Something happened recently that is causing a failure, I was thinking of masking it...

% sudo cdebootstrap lenny /tmp/test
P: Retrieving Release
P: Retrieving Release.gpg
P: Validating Release
E: Couldn't validate Release!
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-18 17:42:33 UTC
Looks like it requires app-crypt/gnupg-1.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-18 18:13:44 UTC
wieneke ~ # debootstrap lenny debootstrap-test/
I: Retrieving Release
I: Retrieving Release.gpg
I: Checking Release signature
E: Release signed by unknown key (key id AED4B06F473041FA)
wieneke ~ # cdebootstrap lenny cdebootstrap-test/
P: Retrieving Release
P: Retrieving Release.gpg
P: Validating Release
E: Couldn't validate Release!

Ouch.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-18 18:14:49 UTC
OK, let's fix that first.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-21 19:44:51 UTC
--no-check-gpg works around the issue.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-22 20:11:06 UTC
(In reply to comment #5)
> --no-check-gpg works around the issue.

Er, that's for debootstrap only of course, so the workaround for cdebootstrap would be to use debootstrap instead for the time being. ;-)
Comment 7 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2011-11-22 20:20:30 UTC
I'll just mask it for removal, no sense in having two apps with the same purpose.
Comment 8 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2011-11-29 16:04:32 UTC
+  29 Nov 2011; Jeremy Olexa <darkside@gentoo.org> package.mask:
+  mask cdebootstrap, libdebian-installer for removal in 30 days, bug 387565
Comment 9 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2012-01-27 14:44:37 UTC
(In reply to comment #8)
> +  29 Nov 2011; Jeremy Olexa <darkside@gentoo.org> package.mask:
> +  mask cdebootstrap, libdebian-installer for removal in 30 days, bug 387565

gone, your bug now
Comment 10 Walter 2013-01-22 04:48:22 UTC
Hi. Not sure of solution status. This bug affects app-emulation/lxc. It doesn't explicitly declare a dependency, though:

 ...
 ewarn "will need sys-apps/yum or dev-util/debootstrap."

I have separately added a bug for that now (a USE flag with the dep explicitly declared would be nicer: https://bugs.gentoo.org/show_bug.cgi?id=453468).

What I learned:
 - debootstrap itself is not explicit about the path it has been passed for its keyring when dying on error (creating a bug for that shortly, will link to this URL, then post its debian URL as a comment) .. it took me a timely CTRL+Z, a manual execution of debootstrap, strace + grep to figure out the path it was hitting, see next point...)

 - Gentoo's debootstrap understandably uses a non-default path for the keyring: /usr/share/keyrings/debian-archive-keyring.gpg

 - The following temporary workaround may be used to resolve the issue:
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key 64481591B98321F9
 (Acknowledgement: command line built from post @ https://groups.google.com/forum/?fromgroups=#!topic/linux.debian.bugs.dist/tKv7EYb1HkE )

 - In future, it could be useful to include an optional cron script that periodically polls for updates to the debian keyring, an einfo/ewarn line about how to enable it, and/or the standard 'ebuild configure ...' mechanism to execute it once-off (maybe emitting an error if there is no valid trust anchor for the desired key, from either (1) ebuild itself; or (2) the previous key known to the keyring). Since debian keyring updates are supposed to be signed by the last key, they are theoretically a non-issue to run on a regular basis. For details on this process, see http://www.debian.org/doc/manuals/securing-debian-howto/ch7#s7.5.3.6
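As an added example (not code from debootstrap, cdebootstrap or the Gentoo ebuild), here is the check the comment above had to reconstruct with strace: verify a Release file against Release.gpg and, when that fails, say which key id is missing from which keyring. It assumes gpgv from app-crypt/gnupg is installed; the keyring path defaults to the Gentoo one quoted above, and the status tokens it parses (GOODSIG, BADSIG, EXPKEYSIG, NO_PUBKEY) are gpg's documented --status-fd output.

```shell
#!/bin/sh
# Added example, not debootstrap's own code: verify Release against Release.gpg and
# name both the signing key id and the keyring consulted on every failure.
# Assumes gpgv is installed; KEYRING defaults to the path Gentoo's debootstrap uses.

KEYRING="${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}"

# classify_gpg_status: read "gpgv --status-fd 1" output on stdin, print one line:
#   VALID <keyid> | BAD_SIG <keyid> | EXPIRED_KEY <keyid> | UNKNOWN_KEY <keyid> | NO_SIG
classify_gpg_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"   { good    = $3 }
        $1 == "[GNUPG:]" && $2 == "BADSIG"    { bad     = $3 }
        $1 == "[GNUPG:]" && $2 == "EXPKEYSIG" { expired = $3 }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { unknown = $3 }
        END {
            if (good != "")    { print "VALID " good;          exit }
            if (bad != "")     { print "BAD_SIG " bad;         exit }
            if (expired != "") { print "EXPIRED_KEY " expired; exit }
            if (unknown != "") { print "UNKNOWN_KEY " unknown; exit }
            print "NO_SIG"
        }'
}

# verify_release RELEASE RELEASE.GPG: 0 only for a good signature by a key in $KEYRING,
# 2 if the keyring itself is unusable, 1 otherwise. Errors always name key and keyring.
verify_release() {
    release="$1"; sig="$2"
    if [ ! -r "$KEYRING" ]; then
        echo "E: keyring $KEYRING is missing or unreadable" >&2
        return 2
    fi
    # gpgv writes machine-readable status to fd 1 and human-readable text to stderr.
    result=$(gpgv --status-fd 1 --keyring "$KEYRING" "$sig" "$release" 2>/dev/null \
             | classify_gpg_status)
    keyid="${result#* }"
    case "$result" in
        VALID*)       echo "I: Release signed by key $keyid (found in $KEYRING)"; return 0 ;;
        UNKNOWN_KEY*) echo "E: Release signed by unknown key $keyid, not in $KEYRING" >&2 ;;
        EXPIRED_KEY*) echo "E: Release signed by expired key $keyid in $KEYRING" >&2 ;;
        BAD_SIG*)     echo "E: bad signature by key $keyid on $release" >&2 ;;
        *)            echo "E: no usable signature found in $sig" >&2 ;;
    esac
    return 1
}

# Usage: sh verify-release.sh Release Release.gpg (both fetched from the mirror's dists/ tree)
[ "$#" -eq 2 ] && verify_release "$1" "$2"
```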
Comment 11 Walter 2013-01-22 08:19:21 UTC
For reference, that debootstrap bug (re: insufficiently verbose error, bad docs, resulting in wasted time; particularly bad since debootstrap is the type of tool often run by non-debian-users in non-debian environments) posted @ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698677
Comment 12 Sebastian Pipping gentoo-dev 2016-02-21 18:28:39 UTC
Fixed.


# git cherry -v git-gentoo-org/master 
+ 3a41bd6a493dc5fedff61fa82301d1fb6ce9ab39 app-crypt/jetring: new package (bug #387565 related)
+ d5ab799a071a89a7660cd7ace8602e7b2b631ebc app-crypt/debian-archive-keyring: new package (bug #387565 related)
+ 991fc300c1b952b69fc2f208c5ad59b600a25c4b app-crypt/ubuntu-keyring: new package (bug #387565 related)
+ cd7afb1b02aa60f6c8c1544034aa6e31c5c9b32c dev-util/debootstrap: Depend on keyrings (bug #387565)


Please see bug #575320 for keywords dropped for -r1.

Closing...
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-21 20:14:14 UTC
(In reply to Sebastian Pipping from comment #12)
> Fixed.

I don't see what you fixed. You added an ebuild which pulls in dependencies you /might/ need at run time or you might not. Having those dependencies is nice, but should not be forced.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-21 20:23:16 UTC
I suggest we do not "debianise" debootstrap any further.

1. Put a USE flag in place that pulls these new dependencies in.
2. Add a small and simple patch that:
2a. Defaults to --no-check-gpg
2b. Suggests switching on that USE flag for validating the packages.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-22 05:44:37 UTC
We already had a nice blurb suggesting Release validation requires gnupg, so I just tacked on an additional message about the keyring packages for Debian and Ubuntu.

Good to have those packages in the tree now.

Thanks everyone!