
touch-packages team mailing list archive

[Bug 1481871] Re: apt-key del doesn't understand fingerprint

I just ran into the same issue. What's not obvious from the original
post, though, is that apt-key reports back that it deleted the key "OK"
- but actually did not:


root@mybox:~# apt-key list | grep 79EAFD54
pub   1024D/79EAFD54 2009-01-22 [expired: 2013-06-28]

root@mybox:~# apt-key adv --keyid-format long --list-key 79EAFD54
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.0hGkImk1B8 --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/xorg-edgers-ppa.gpg --keyid-format long --list-key 79EAFD54
pub   1024D/BED1E87979EAFD54 2009-01-22 [expired: 2013-06-28]
uid                          security OBS Project <security@xxxxxxxxxxxxxxxxxx>

root@mybox:~# apt-key del BED1E87979EAFD54
OK

root@mybox:~# apt-key list | grep 79EAFD54
pub   1024D/79EAFD54 2009-01-22 [expired: 2013-06-28]


As such, if you supply a key ID as an argument to "apt-key del" in any GnuPG-supported format other than the 'old' short key ID format without leading "0x" (so just the last 8 bytes of the key's fingerprint) the result is that your command is *silently ignored*.  (There seem to be some non-defined GPG formats which will return an error message, such as when using the last 6 or 10 (but not 12) bytes of the fingerprint).

This can result in users and applications alike meaning to revoke trust
on an APT archive keyring, being told they succeeded in doing so, but
actually failing.

As such, from my perspective, this is a security bug.

This was Ubuntu 14.04.3 LTS x86_64 with the latest updates installed and
no held packages (but some third party PPAs).

I have not tried to reproduce this issue on any other Ubuntu releases. I
tried to reproduce this behaviour on Debian GNU/Linux 8.2 "Jessie" but
was unable to.

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1481871

Title:
  apt-key del doesn't understand fingerprint

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Description:	Ubuntu 14.04.3 LTS
  Release:	14.04

  apt:
    Installed: 1.0.1ubuntu2.10

  apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80
  7A82B743B9B8E46F12C733FA4759FA960E27C0A6

  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is here

  apt-key del  7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # delete key

  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is still
  here

  # Works fine with IDs

  apt-key del  0E27C0A6

  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # nothing
  exported

  # Works fine with fingerprint on Precise

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1481871/+subscriptions
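An added example, not part of the bug report or of apt itself: a small POSIX sh wrapper that reduces whatever key identifier the caller supplies (full fingerprint, long key ID, short ID, with or without "0x" or spaces) to the 8-hex-digit short ID that the report says apt-key actually acts on, and then re-reads the key listing to confirm the key is really gone rather than trusting the "OK". It assumes the "pub   1024D/79EAFD54 ..." listing format shown in the session above; newer apt and gpg versions print a different layout, so the matching pattern in listing_has_key would need adjusting there. The sample listing at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from apt): wrap "apt-key del"
# so that any GnuPG key identifier is reduced to the short ID apt-key acts
# on, and verify afterwards that the key is absent instead of trusting "OK".

# Normalise a key identifier (40-hex fingerprint, 16-hex long ID or 8-hex
# short ID, optional leading 0x, optional embedded spaces) to the
# upper-case 8-hex-digit short ID.
short_keyid() {
    printf '%s' "$1" \
        | tr -d ' \t' \
        | sed 's/^0[xX]//' \
        | tr 'a-f' 'A-F' \
        | tail -c 8
}

# Read a key listing on stdin in the format shown in the bug report
# ("pub   1024D/79EAFD54 2009-01-22 ...") and return 0 if the given
# short ID is present, 1 otherwise.
listing_has_key() {
    grep -q "^pub .*/$1 "
}

# Delete a key via apt-key and confirm removal from the listing.
# Exit status: 0 key absent afterwards; 1 apt-key itself failed;
# 2 apt-key reported success but the key is still present (the
# behaviour described in the bug).
verified_apt_key_del() {
    kid=$(short_keyid "$1")
    apt-key del "$kid" || return 1
    if apt-key list 2>/dev/null | listing_has_key "$kid"; then
        echo "apt-key del reported OK but $kid is still present" >&2
        return 2
    fi
    return 0
}

# Constructed sample listing (placeholder e-mail address) for trying the
# helpers without touching a real keyring.
SAMPLE_LISTING='pub   1024D/79EAFD54 2009-01-22 [expired: 2013-06-28]
uid                  security OBS Project <security@example.invalid>
pub   4096R/0E27C0A6 2012-05-01'

# Demonstration against the constructed listing only; the real wrapper
# would be invoked as:  verified_apt_key_del 7A82B743B9B8E46F12C733FA4759FA960E27C0A6
if [ "${1:-}" = "--demo" ]; then
    for id in 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 0xbed1e87979eafd54 DEADBEEF; do
        kid=$(short_keyid "$id")
        if printf '%s\n' "$SAMPLE_LISTING" | listing_has_key "$kid"; then
            echo "$id -> $kid: present"
        else
            echo "$id -> $kid: absent"
        fi
    done
fi
```

The point of the wrapper is the post-condition check: because apt-key's exit status and "OK" output do not reflect whether anything was removed, the only reliable signal that trust in an archive key has been revoked is the key's absence from the listing afterwards.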

