ignores expiry of archive keys

Related Vulnerabilities: CVE-2009-1358   CVE-2009-1300  

Debian Bug report logs - #433091
ignores expiry of archive keys


Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt (PTS, buildd, popcon).

Reported by: martin f krafft <madduck@debian.org>

Date: Sat, 14 Jul 2007 11:30:01 UTC

Severity: important

Tags: security

Fixed in versions apt/0.7.21, apt/0.7.20.2+lenny1, apt/0.6.46.4-0.1+etch4, apt/0.7.20.2+squeeze1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ignores expiry of archive keys
Date: Sat, 14 Jul 2007 13:29:41 +0200
[Message part 1 (text/plain, inline)]
Package: apt
Version: 0.7.3
Severity: important

If I update from an archive whose key recently expired and I have
not yet updated the local copy via apt-key -- the local keyring says
it's expired -- APT does not complain but just proceeds. I think it
should *at least* warn.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.21-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2007.02.19-0.1   GnuPG archive keys of the Debian a
ii  libc6                   2.6-2            GNU C Library: Shared libraries
ii  libgcc1                 1:4.2-20070707-1 GCC support library
ii  libstdc++6              4.2-20070707-1   The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

-- 
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #8 received at 433091@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: 433091@bugs.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Sun, 13 Jul 2008 23:55:58 +0200
[Message part 1 (text/plain, inline)]
severity 433091 critical
# justification: security; incomplete trust model
tags 433091 security
found 433091 0.6.46.4-0.1
thanks

also sprach martin f krafft <madduck@debian.org> [2007.07.14.1329 +0200]:
> If I update from an archive whose key recently expired and I have
> not yet updated the local copy via apt-key -- the local keyring says
> it's expired -- APT does not complain but just proceeds. I think it
> should *at least* warn.

For its first birthday, I am giving this bug report a severity
upgrade and a tag.

-- 
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
[digital_signature_gpg.asc (application/pgp-signature, inline)]

Severity set to `critical' from `important' Request was from martin f krafft <madduck@debian.org> to control@bugs.debian.org. (Sun, 13 Jul 2008 21:57:06 GMT) (full text, mbox, link).


Tags added: security Request was from martin f krafft <madduck@debian.org> to control@bugs.debian.org. (Sun, 13 Jul 2008 21:57:06 GMT) (full text, mbox, link).


Bug marked as found in version 0.6.46.4-0.1. Request was from martin f krafft <madduck@debian.org> to control@bugs.debian.org. (Sun, 13 Jul 2008 21:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #19 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 433091@bugs.debian.org
Cc: martin f krafft <madduck@debian.org>
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Tue, 5 Aug 2008 14:41:35 +0200
[Message part 1 (text/plain, inline)]
Hi Martin,

Going through the security issues to fix before lenny, I came by this bug.

> > If I update from an archive whose key recently expired and I have
> > not yet updated the local copy via apt-key -- the local keyring says
> > it's expired -- APT does not complain but just proceeds. I think it
> > should *at least* warn.

> For its first birthday, I am giving this bug report a severity
> upgrade and a tag.

I think key expiry is a rather peripheral part of the PGP model. It's designed 
to combat proliferation of keys for which the private key was lost.

While it is desirable to implement key expiry, and I hope that the APT team 
will do so, I do have doubts whether this should be critical for the release
of Debian Lenny. Can you provide a scenario that illustrates the criticality 
of this issue?


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #24 received at 433091@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 433091@bugs.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Tue, 5 Aug 2008 11:23:58 -0300
[Message part 1 (text/plain, inline)]
also sprach Thijs Kinkhorst <thijs@debian.org> [2008.08.05.0941 -0300]:
> While it is desirable to implement key expiry, and I hope that the
> APT team will do so, I do have doubts whether this should be
> critical for the release of Debian Lenny. Can you provide
> a scenario that illustrates the criticality of this issue?

No, it just casts a rather bad light on the implementation of
signature checking in APT.

-- 
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
 
on the other hand, you have different fingers.
[digital_signature_gpg.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #29 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: martin f krafft <madduck@debian.org>
Cc: 433091@bugs.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Tue, 5 Aug 2008 20:08:02 +0200
[Message part 1 (text/plain, inline)]
On Tuesday 5 August 2008 16:23, martin f krafft wrote:
> also sprach Thijs Kinkhorst <thijs@debian.org> [2008.08.05.0941 -0300]:
> > While it is desirable to implement key expiry, and I hope that the
> > APT team will do so, I do have doubts whether this should be
> > critical for the release of Debian Lenny. Can you provide
> > a scenario that illustrates the criticality of this issue?
>
> No, it just casts a rather bad light on the implementation of
> signature checking in APT.

That could be true, but is subjective. In a similar way my impression of a 
program with typos in its strings is that it may be sloppily made. Still I 
don't think such a situation is a critical bug.

I propose to put this bug at severity "important" which for me strikes the 
right balance between being 'very desirable to fix' and not being 'an actual, 
critical security hole'. OK?

Obviously fixing it is the real solution.


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #34 received at 433091@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 433091@bugs.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Tue, 5 Aug 2008 15:24:13 -0300
[Message part 1 (text/plain, inline)]
also sprach Thijs Kinkhorst <thijs@debian.org> [2008.08.05.1508 -0300]:
> I propose to put this bug at severity "important" which for me
> strikes the right balance between being 'very desirable to fix'
> and not being 'an actual, critical security hole'. OK?

Sure, we wouldn't want to endanger our release schedule for feature
enhancements or Debian's reputation. ;|

-- 
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
 
nasa spent 2 billion dollars on the research of a ballpoint pen that
could write on everything, even upside down, under water, or at
extreme temperatures; the russians used a pencil.
         (but see: http://www.snopes.com/business/genius/spacepen.asp)
[digital_signature_gpg.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #39 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: martin f krafft <madduck@debian.org>
Cc: 433091@bugs.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Tue, 5 Aug 2008 20:53:49 +0200
[Message part 1 (text/plain, inline)]
On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> Sure, we wouldn't want to endanger our release schedule for feature
> enhancements or Debian's reputation. ;|

Or put differently, I'd rather spend our time on things that more 
significantly improve the security of a Debian system, and to be frank I
think it's quite speculative that there's actual reputation risk here.

If you believe that this would actually be detrimental to Debian's reputation, 
surely the APT developers would gladly accept your patch?


Thijs
[Message part 2 (application/pgp-signature, inline)]

Bug reassigned from package `apt' to `gpgv'. Request was from Goswin von Brederlow <goswin-v-b@web.de> to control@bugs.debian.org. (Thu, 04 Sep 2008 16:24:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#433091; Package gpgv. (full text, mbox, link).


Acknowledgement sent to Goswin von Brederlow <goswin-v-b@web.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (full text, mbox, link).


Message #46 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Goswin von Brederlow <goswin-v-b@web.de>
To: 433091@bugs.debian.org
Cc: 433091-submitter@bugs.debian.org
Subject: Clone+Reassign to gpgv of #433091 apt-get: ignores expiry of archive keys
Date: Thu, 04 Sep 2008 18:47:10 +0200
Hi,

I just cloned and reassigned your bug about apt-get ignoring expired
keys. apt-get forks gpgv to do the actual verification and that gives
no indication of any expiry. So apt-get has no chance to detect and
warn about such an event.

mrvn@book:% sudo gpgv --keyring etc/apt/trusted.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
gpgv: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID
F583D700
gpgv: Good signature from "Tester (test key) <test@noreply.org>"


mrvn@book:/% sudo gpg --keyring etc/apt/trusted.gpg --verify var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
gpg: WARNING: unsafe ownership on configuration file
`/home/mrvn/.gnupg/gpg.conf'
gpg: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID
F583D700
gpg: Good signature from "Tester (test key) <test@noreply.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 317C B6A2 20E3 D9DF BE98  0264 1E34 EFC0 F583
D700
mrvn@book:/% echo $?
0

Note that gpg does not fail the signature just because it has expired,
even if the signature is made after the expiry date of the key. The
signature was made when the key was still valid so it gets accepted.


MfG
        Goswin




Message sent on to martin f krafft <madduck@debian.org>:
Bug#433091. (full text, mbox, link).


Bug 433091 cloned as bug 497825. Request was from Goswin von Brederlow <goswin-v-b@web.de> to control@bugs.debian.org. (Thu, 04 Sep 2008 16:55:36 GMT) (full text, mbox, link).


Bug reassigned from package `gpgv' to `apt'. Request was from Goswin von Brederlow <goswin-v-b@web.de> to control@bugs.debian.org. (Thu, 04 Sep 2008 16:55:40 GMT) (full text, mbox, link).


Severity set to `important' from `critical' Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Fri, 05 Sep 2008 06:45:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #60 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 433091@bugs.debian.org
Subject: Re: apt-get: ignores expiry of archive keys
Date: Fri, 5 Sep 2008 08:47:10 +0200
[Message part 1 (text/plain, inline)]
On Thursday 4 September 2008 18:47, Goswin von Brederlow wrote:
> apt-get forks gpgv to do the actual verification and that gives
> no indication of any expiry. So apt-get has no chance to detect and
> warn about such an event.

Werner, what do you think of implementing key expiry checking in gpgv?


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Mon, 06 Apr 2009 00:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 06 Apr 2009 00:15:05 GMT) (full text, mbox, link).


Message #65 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: martin f krafft <madduck@debian.org>, 433091@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Mon, 6 Apr 2009 02:12:26 +0200
On Tue, 05 Aug 2008, Thijs Kinkhorst wrote:

> On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> > Sure, we wouldn't want to endanger our release schedule for feature
> > enhancements or Debian's reputation. ;|
> 
> Or put differently, I'd rather spend our time on things that more 
> significantly improve the security of a Debian system, and to be frank I
> think it's quite speculative that there's actual reputation risk here.

So why the fuck do we ship apt keys with expiration dates anyway, if apt
happily ignores them?

When I create a key and add that to apt's trusted-keys with an
expiration date of foo I fully expect it to not be trusted afterwards.

But heck, I can even create new signatures made after the expiration
date and apt will happily accept any and all Release files signed by
that expired key.

I was shocked when I realized this today, after reading this bug
report I'm dumbfounded that you even consider this acceptable!

still shaking my head,
weasel
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Mon, 06 Apr 2009 00:30:02 GMT) (full text, mbox, link).


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 06 Apr 2009 00:30:03 GMT) (full text, mbox, link).


Message #70 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>
To: Goswin von Brederlow <goswin-v-b@web.de>
Cc: 433091@bugs.debian.org, 497825@bugs.debian.org
Subject: Re: Clone+Reassign to gpgv of #433091 apt-get: ignores expiry of archive keys
Date: Mon, 6 Apr 2009 02:26:35 +0200
Goswin von Brederlow schrieb am Donnerstag, dem 04. September 2008:

> mrvn@book:% sudo gpgv --keyring etc/apt/trusted.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
> gpgv: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID
> F583D700
> gpgv: Good signature from "Tester (test key) <test@noreply.org>"

Stop abusing my domain name.  example.{com,org,net} is what you were
looking for.

> mrvn@book:/% sudo gpg --keyring etc/apt/trusted.gpg --verify var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
> gpg: WARNING: unsafe ownership on configuration file
> `/home/mrvn/.gnupg/gpg.conf'
> gpg: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID
> F583D700
> gpg: Good signature from "Tester (test key) <test@noreply.org>"
> gpg: Note: This key has expired!
> Primary key fingerprint: 317C B6A2 20E3 D9DF BE98  0264 1E34 EFC0 F583
> D700
> mrvn@book:/% echo $?
> 0
> 
> Note that gpg does not fail the signature just because it has expired,
> even if the signature is made after the expiry date of the key. The
> signature was made when the key was still valid so it gets accepted.

I don't think that's correct.

| weasel@intrepid:~/tmp/g$ gpgv --keyring ./pubring.gpg  Release.gpg Release
| gpgv: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key ID BD2B0EE0
| gpgv: Good signature from "db.debian.org archive key 2008"
| weasel@intrepid:~/tmp/g$ echo $?
| 0

| weasel@intrepid:~/tmp/g$ gpg --status-fd=2 --verify Release.gpg Release
| gpg: WARNING: unsafe permissions on homedir `.'
| gpg: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key ID
| BD2B0EE0
| [GNUPG:] KEYEXPIRED 1238972541
| [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
| [GNUPG:] SIG_ID ku+8oeaPmKjRxDvpydIDp9yPiss 2009-04-05 1238974953
| [GNUPG:] EXPKEYSIG BEA7CF10BD2B0EE0 db.debian.org archive key 2008
| gpg: Good signature from "db.debian.org archive key 2008"
| [GNUPG:] VALIDSIG 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0 2009-04-05
| 1238974953 0 4 0 17 2 00 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0
| gpg: Note: This key has expired!
| Primary key fingerprint: 41A8 A518 BF62 8775 13FE  798F BEA7 CF10 BD2B 0EE0

No GOODSIG.

So gpgv considers a signature valid that gpg doesn't.  That in itself
should be a grave bug.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Tue, 07 Apr 2009 10:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Tue, 07 Apr 2009 10:27:07 GMT) (full text, mbox, link).


Message #75 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: Peter Palfrader <weasel@debian.org>, 433091@bugs.debian.org
Subject: Re: Bug#433091: ignores expiry of archive keys
Date: Tue, 7 Apr 2009 12:24:54 +0200
On Mon, Apr 06, 2009 at 02:12:26AM +0200, Peter Palfrader wrote:
> On Tue, 05 Aug 2008, Thijs Kinkhorst wrote:
> 
> > On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> > > Sure, we wouldn't want to endanger our release schedule for feature
> > > enhancements or Debian's reputation. ;|
> > 
> > Or put differently, I'd rather spend our time on things that more 
> > significantly improve the security of a Debian system, and to be frank I
> > think it's quite speculative that there's actual reputation risk here.
> 
> So why the fuck do we ship apt keys with expiration dates anyway, if apt
> happily ignores them?
> 
> When I create a key and add that to apt's trusted-keys with an
> expiration date of foo I fully expect it to not be trusted afterwards.
> 
> But heck, I can even create new signatures made after the expiration
> date and apt will happily accept any and all Release files signed by
> that expired key.
> 
> I was shocked when I realized this today, after reading this bug
> report I'm dumbfounded that you even consider this acceptable!

Sorry for this. I'm looking through the code now and it seems like
this is caused by a misinterpretation of the gpg documentation for the
GOODSIG vs VALIDSIG status messages (and is in the code since day 1 of
apt-secure :(

I'm working on a patch now and would appreciate help with the
testing/verification once it's ready.

Thanks,
 Michael




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Tue, 07 Apr 2009 15:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Tue, 07 Apr 2009 15:42:03 GMT) (full text, mbox, link).


Message #80 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: 433091@bugs.debian.org
Subject: [patch] possible fix
Date: Tue, 7 Apr 2009 17:39:46 +0200
[Message part 1 (text/plain, inline)]
Hi,

I did some investigation and it seems like gpgv is sending the right
message, but the gpgv method in apt is not reading them
properly. There is also the problem that VALIDSIG is sent even for
expired/revoked signatures and apt is checking for that (instead of
using GOODSIG). However the docs in doc/DETAILS in gpg make this
difference not clear. 

Attached is a possible fix. It does the following:

 * recognize KEYEXPIRED and KEYREVOKED messages from gpgv and put them
   into a new "WorthlessSignatures" vector
 * only listen for GOODSIG message from gpgv and ignore VALIDSIG (as
   GOODSIG is only sent when the signature is not done with an expired or
   revoked key)
 * if there is no good signature, show a message that displays the
   worthless signatures to the user (including the KEYEXPIRED or
   KEYREVSIG bits to ensure there is a way to know what is going on)
 * if there is one (or more) good signature and worthless signatures,
   just ignore the worthless ones

That should hopefully cover the problem without breaking strings and
compatibility. Feedback/review/testing is very welcome. I tested it in
an etch chroot with various expired settings and it works as it should,
but I need to make a test-suite for it too.

Cheers,
 Michael
[gpgv.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Tue, 07 Apr 2009 16:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Tue, 07 Apr 2009 16:21:02 GMT) (full text, mbox, link).


Message #85 received at 433091@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Michael Vogt <mvo@debian.org>, 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Tue, 7 Apr 2009 18:16:49 +0200
also sprach Michael Vogt <mvo@debian.org> [2009.04.07.1739 +0200]:
> That should hopefully cover the problem without breaking strings and
> compatibility. Feedback/review/testing is very welcome. I tested it in
> an etch chroot with various expired settings and it works as it should,
> but I need to make a test-suite for it too.

Packages for amd64/i386 will be at
http://debian.madduck.net/repo/pool/main/a/apt/ shortly.

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Tue, 07 Apr 2009 16:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Tue, 07 Apr 2009 16:36:02 GMT) (full text, mbox, link).


Message #90 received at 433091@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Michael Vogt <mvo@debian.org>, 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Tue, 7 Apr 2009 18:30:12 +0200
also sprach martin f krafft <madduck@debian.org> [2009.04.07.1816 +0200]:
> Packages for amd64/i386 will be at
> http://debian.madduck.net/repo/pool/main/a/apt/ shortly.

I screwed up the version number, but the packages should work
anyway, and that's fine for testing purposes...

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Wed, 08 Apr 2009 20:12:11 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 08 Apr 2009 20:12:11 GMT) (full text, mbox, link).


Message #95 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: martin f krafft <madduck@debian.org>, 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Wed, 8 Apr 2009 22:09:30 +0200
On Tue, Apr 07, 2009 at 06:16:49PM +0200, martin f krafft wrote:
> also sprach Michael Vogt <mvo@debian.org> [2009.04.07.1739 +0200]:
> > That should hopefully cover the problem without breaking strings and
> > compatibility. Feedback/review/testing is very welcome. I tested it in
> > an etch chroot with various expired settings and it works as it should,
> > but I need to make a test-suite for it too.
> 
> Packages for amd64/i386 will be at
> http://debian.madduck.net/repo/pool/main/a/apt/ shortly.

Thanks a lot for this. I did a simple "test-suite" to test the problem and
fix via:
$ bzr get lp:~mvo/+junk/apt-gpgv-tests
$ cd apt-gpgv-tests
$ sudo ./test.sh

It does test "good","expired","revoked","revoked+good","expired+good".

It should fail for expired and revoked (they are no good) but should
pass for revoked+good and expired+good. Basically it will ignore expired
or revoked signatures if there is another valid signature on the
Release file.

Again, feedback/review is very welcome.

Cheers,
 Michael
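As an added example, not code from the thread or from apt itself, the following Python script reimplements the status-line rule Michael outlines in message #80 (count a signature only on GOODSIG, ignore VALIDSIG, collect KEYEXPIRED/KEYREVOKED/EXPKEYSIG/REVKEYSIG as "worthless" and show them only when no good signature exists), runs it over the `--status-fd` lines Peter quoted in message #70, and checks the five cases of the test-suite described in message #95 against the pre-fix "any VALIDSIG counts" rule. Only `PETER_STATUS` copies lines from the page; the other status lines, key ids, timestamps and all function names are constructed for this example.

```python
"""Decide whether a Release signature is usable from gpgv --status-fd output.
Rule (from this bug's fix): GOODSIG is the only line that marks a usable
signature; VALIDSIG is also printed for expired/revoked keys and is ignored.
Constructed sample data except PETER_STATUS, which is quoted from message #70."""

from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "
# Keywords meaning "a signature by this key exists, but the key is no good".
WORTHLESS_KEYWORDS = ("KEYEXPIRED", "KEYREVOKED", "EXPKEYSIG", "REVKEYSIG")


@dataclass
class Verdict:
    good: list = field(default_factory=list)       # key ids from GOODSIG lines
    worthless: list = field(default_factory=list)  # e.g. "KEYEXPIRED 1238972541"
    bad: list = field(default_factory=list)        # key ids from BADSIG lines
    no_pubkey: list = field(default_factory=list)  # key ids from NO_PUBKEY lines

    def accepted(self) -> bool:
        # One good signature suffices; worthless ones next to it are ignored.
        return bool(self.good)


def parse_status(lines):
    """Classify status-fd lines; human-readable gpg output is skipped."""
    v = Verdict()
    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            v.good.append(args[0])
        elif keyword == "BADSIG":
            v.bad.append(args[0])
        elif keyword == "NO_PUBKEY":
            v.no_pubkey.append(args[0])
        elif keyword in WORTHLESS_KEYWORDS:
            # Keyword plus first argument (timestamp or key id): the form
            # apt prints in its warning, e.g. "KEYEXPIRED 1182334739".
            v.worthless.append(" ".join([keyword] + args[:1]))
        # VALIDSIG deliberately ignored: it does not imply a usable key.
    return v


def report(v: Verdict) -> str:
    """Warning text in the style of apt's GPG error."""
    if v.accepted():
        return "OK"
    if v.worthless:
        return "The following signatures were invalid: " + ", ".join(v.worthless)
    if v.no_pubkey:
        return "NO_PUBKEY " + ", ".join(v.no_pubkey)
    if v.bad:
        return "BADSIG " + ", ".join(v.bad)
    return "No signature found"


def legacy_accepted(lines) -> bool:
    """The pre-fix rule as the thread describes it: any VALIDSIG counts."""
    return any(l.strip().startswith(STATUS_PREFIX + "VALIDSIG") for l in lines)


# Quoted from message #70: gpg --status-fd=2 on a Release signed by an expired key.
PETER_STATUS = """\
[GNUPG:] KEYEXPIRED 1238972541
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID ku+8oeaPmKjRxDvpydIDp9yPiss 2009-04-05 1238974953
[GNUPG:] EXPKEYSIG BEA7CF10BD2B0EE0 db.debian.org archive key 2008
gpg: Good signature from "db.debian.org archive key 2008"
[GNUPG:] VALIDSIG 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0 2009-04-05 1238974953 0 4 0 17 2 00 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0
gpg: Note: This key has expired!
""".splitlines()


def status_for(state):
    """Constructed status lines for one signature by a key in the given
    state; key ids and timestamps are placeholders."""
    kid = {"good": "1111111111111111", "expired": "2222222222222222",
           "revoked": "3333333333333333"}[state]
    if state == "good":
        lines = [f"[GNUPG:] GOODSIG {kid} test key (good)"]
    elif state == "expired":
        lines = ["[GNUPG:] KEYEXPIRED 1238972541",
                 f"[GNUPG:] EXPKEYSIG {kid} test key (expired)"]
    else:
        lines = ["[GNUPG:] KEYREVOKED",
                 f"[GNUPG:] REVKEYSIG {kid} test key (revoked)"]
    # gpg prints VALIDSIG in every case, which is exactly the trap.
    lines.append(f"[GNUPG:] VALIDSIG {kid * 2}00000000 2009-04-05 1238974953 0 4 0 17 2 00")
    return lines


# The five cases from the test-suite described in message #95.
CASES = {"good": ["good"], "expired": ["expired"], "revoked": ["revoked"],
         "revoked+good": ["revoked", "good"], "expired+good": ["expired", "good"]}


def run_cases():
    """Return {case: (legacy_accepted, fixed_accepted)} for the five cases."""
    results = {}
    for name, states in CASES.items():
        lines = [l for s in states for l in status_for(s)]
        results[name] = (legacy_accepted(lines), parse_status(lines).accepted())
    return results


if __name__ == "__main__":
    for name, (old, new) in run_cases().items():
        print(f"{name:13s} legacy={old!s:5s} fixed={new}")
    print(report(parse_status(PETER_STATUS)))
```

Running the script shows the legacy rule accepting all five cases, while the GOODSIG rule rejects "expired" and "revoked" and accepts the three that carry at least one good signature; Peter's output yields the "invalid signatures" warning listing KEYEXPIRED and EXPKEYSIG, which is the information the fix surfaces to the user.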




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Wed, 08 Apr 2009 23:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 08 Apr 2009 23:03:03 GMT) (full text, mbox, link).


Message #100 received at 433091@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: martin f krafft <madduck@debian.org>, 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Thu, 9 Apr 2009 00:58:00 +0200
On Wed, Apr 08, 2009 at 10:09:30PM +0200, Michael Vogt wrote:
> On Tue, Apr 07, 2009 at 06:16:49PM +0200, martin f krafft wrote:
> > also sprach Michael Vogt <mvo@debian.org> [2009.04.07.1739 +0200]:
> > > That should hopefully cover the problem without breaking strings and
> > > compatibility. Feedback/review/testing is very welcome. I tested it in
> > > an etch chroot with various expired settings and it works as it should,
> > > but I need to make a test-suite for it too.
> > 
> > Packages for amd64/i386 will be at
> > http://debian.madduck.net/repo/pool/main/a/apt/ shortly.

I merged the diff into the apt debian-sid tree and will upload soon. I
would love to have some positive test feedback before I do the
upload.

Thanks,
 Michael




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Thu, 09 Apr 2009 06:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 09 Apr 2009 06:45:02 GMT) (full text, mbox, link).


Message #105 received at 433091@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Michael Vogt <mvo@debian.org>
Cc: 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Thu, 9 Apr 2009 08:42:14 +0200
[Message part 1 (text/plain, inline)]
also sprach Michael Vogt <mvo@debian.org> [2009.04.09.0058 +0200]:
> I merged the diff into the apt debian-sid tree and will upload soon. I
> would love to have some positive test feedback before I do the
> upload.

I just tried in a chroot and it doesn't look good:

pulse:~# apt-cache policy apt
apt:
  Installed: 0.7.21~exp2~~mvo-gpgv-sigexpiry.1
  Candidate: 0.7.21~exp2~~mvo-gpgv-sigexpiry.1
  Version table:
 *** 0.7.21~exp2~~mvo-gpgv-sigexpiry.1 0
        500 http://debian.madduck.net sid/main Packages
        100 /var/lib/dpkg/status
     0.7.20.2 0
        500 http://ftp.ch.debian.org sid/main Packages
pulse:~# apt-get update
Get:1 http://debian.madduck.net sid Release.gpg [197B]
Hit http://debian.madduck.net sid Release
Err http://debian.madduck.net sid Release

Get:2 http://debian.madduck.net sid Release [9914B]
Ign http://debian.madduck.net sid Release
Ign http://debian.madduck.net sid/main Packages/DiffIndex
Ign http://debian.madduck.net sid/main Sources/DiffIndex
Ign http://debian.madduck.net sid/main Packages
Ign http://debian.madduck.net sid/main Sources
Hit http://ftp.ch.debian.org sid Release.gpg
Hit http://debian.madduck.net sid/main Packages
Hit http://debian.madduck.net sid/main Sources
Hit http://ftp.ch.debian.org sid Release
Hit http://ftp.ch.debian.org sid/main Packages/DiffIndex
Hit http://ftp.ch.debian.org sid/main Sources/DiffIndex
Fetched 10.1kB in 0s (11.7kB/s)
Reading package lists... Done
W: GPG error: http://debian.madduck.net sid Release: The following signatures were invalid: KEYEXPIRED 1182334739
W: You may want to run apt-get update to correct these problems



But the key is not expired:

pulse:~# wget -q http://debian.madduck.net/repo/gpg/a4ba872bd5b9e51e.key.asc http://debian.madduck.net/repo/dists/sid/Release{,.gpg}
pulse:~# gpg --import < a4ba872bd5b9e51e.key.asc
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D5B9E51E: public key "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
pulse:~# gpg --verify Release.gpg Release
gpg: Signature made Tue Apr  7 16:36:50 2009 UTC using DSA key ID D5B9E51E
gpg: Good signature from "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5726 0E2A 6376 CB44 1AE9  0B77 A4BA 872B D5B9 E51E
pulse:~# gpg --list-keys a4ba872bd5b9e51e
pub   1024D/D5B9E51E 2006-06-07 [expires: 2010-06-30]
uid                  madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>



But at least I am now asked when I try to install packages from the
archive:

WARNING: The following packages cannot be authenticated!
  apt
Install these packages without verification [y/N]?


-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
"driving with a destination
 is like having sex to have children"
                                             -- backwater wayne miller
[digital_signature_gpg.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Thu, 09 Apr 2009 07:45:03 GMT)

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 09 Apr 2009 07:45:03 GMT)

Message #110 received at 433091@bugs.debian.org:

From: Michael Vogt <mvo@debian.org>
To: martin f krafft <madduck@debian.org>, 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Thu, 9 Apr 2009 09:43:45 +0200
On Thu, Apr 09, 2009 at 08:42:14AM +0200, martin f krafft wrote:
> also sprach Michael Vogt <mvo@debian.org> [2009.04.09.0058 +0200]:
> > I merged the diff into the apt debian-sid tree and will upload soon. I
> > would love to have some positive test feedback before I do the
> > upload.
> 
> I just tried in a chroot and it doesn't look good:

Thanks a lot for testing the patch!
 
> pulse:~# apt-cache policy apt
[..]
> pulse:~# apt-get update
> Get:1 http://debian.madduck.net sid Release.gpg [197B]
> Hit http://debian.madduck.net sid Release
> Err http://debian.madduck.net sid Release
[..]
> W: GPG error: http://debian.madduck.net sid Release: The following signatures were invalid: KEYEXPIRED 1182334739
> W: You may want to run apt-get update to correct these problems

Could you please run (preferably only with the debian.madduck.net url):
# apt-get update -o debug::acquire::gpgv=true 
and attach the output? I just tested it on my system and it seems to
be working (your clock was not off for some reason, e.g. to test
expiring keys?).
 
> But the key is not expired:
> 
> pulse:~# wget -q http://debian.madduck.net/repo/gpg/a4ba872bd5b9e51e.key.asc http://debian.madduck.net/repo/dists/sid/Release{,.gpg}
> pulse:~# gpg --import < a4ba872bd5b9e51e.key.asc
> gpg: /root/.gnupg/trustdb.gpg: trustdb created
> gpg: key D5B9E51E: public key "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: no ultimately trusted keys found
> pulse:~# gpg --verify Release.gpg Release
[..]

Could you please also run:
# gpgv --status-fd 1 Release.gpg Release

 
Thanks!
 Michael




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Fri, 10 Apr 2009 03:51:02 GMT)

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Fri, 10 Apr 2009 03:51:02 GMT)

Message #115 received at 433091@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 433091@bugs.debian.org
Subject: signatures created after key expiration should be considered invalid
Date: Thu, 09 Apr 2009 23:50:08 -0400
[Message part 1 (text/plain, inline)]
weasel wrote:

> No GOODSIG.
> 
> So gpgv considers a signature valid that gpg doesn't.  That in itself
> should be a grave bug.

FWIW, /usr/share/doc/gnupg/DETAILS.gz says:


    GOODSIG     <long keyid>  <username>
        The signature with the keyid is good.  For each signature only
        one of the three codes GOODSIG, BADSIG or ERRSIG will be
        emitted and they may be used as a marker for a new signature.
        The username is the primary one encoded in UTF-8 and %XX
        escaped.

 [...]

    VALIDSIG   <fingerprint in hex> <sig_creation_date> <sig-timestamp>
               <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
               <hash-algo> <sig-class> <primary-key-fpr>

        The signature with the keyid is good. This is the same as
        GOODSIG but has the fingerprint as the argument. Both status
        lines are emitted for a good signature.  All arguments here
        are on one long line.  sig-timestamp is the signature creation
        time in seconds after the epoch. expire-timestamp is the
        signature expiration time in seconds after the epoch (zero
        means "does not expire"). sig-version, pubkey-algo, hash-algo,
        and sig-class (a 2-byte hex value) are all straight from the
        signature packet.  PRIMARY-KEY-FPR is the fingerprint of the
        primary key or identical to the first argument.  This is
        useful to get back to the primary key without running gpg
        again for this purpose.



So the documentation itself is unclear about the intended behavior.  Can
a signature be VALIDSIG but not GOODSIG?  What about the situation where
neither GOODSIG, BADSIG, nor ERRSIG show up, as is the case here?

i agree with weasel that this is currently a really bad situation.  It
is bad enough that gpg accepts a signature made by an expired key if the
signature was during the key's lifetime.  But it also does not
explicitly reject signatures that were made after a key is known to expire.

That is, Key A is valid beginning at time B, and expires at time E.
gnupg does not appear to distinguish between these cases:

 0) a signature made at time X where B < X < E

 1) a signature made at time X where B < E < X

At the very least, any signature made by a key *after* the key itself is
believed to be expired (case 1 above) should be considered
untrustworthy, but gpg (and gpg2, according to my tests) don't seem to
compare the date of the signature against the key expiration at all
(though they do compare it against the key creation timestamp).  They
*do* compare the key expiration time against "now", which is a good thing.

I'm attaching a tarball with an OpenPGP public key, a simple test file,
and two signatures made over the test file.  One of the signatures is
made within the lifespan of the key, and the other is made after the key
expires.

I'm not sure what is the right thing to do about this.  :(

	--dkg

[testsig.tgz (application/x-gtar, inline)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Sun, 12 Apr 2009 06:36:02 GMT)

Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 12 Apr 2009 06:36:02 GMT)

Message #120 received at 433091@bugs.debian.org:

From: martin f krafft <madduck@debian.org>
To: Michael Vogt <mvo@debian.org>
Cc: 433091@bugs.debian.org
Subject: Re: Bug#433091: [patch] possible fix
Date: Sun, 12 Apr 2009 08:34:42 +0200
[Message part 1 (text/plain, inline)]
also sprach Michael Vogt <mvo@debian.org> [2009.04.09.0943 +0200]:
> Could you please run (preferably only with the debian.madduck.net
> url): # apt-get update -o debug::acquire::gpgv=true and attach the
> output? I just tested it on my system and it seems to be working
> (your clock was not off for some reason, e.g. to test expiring
> keys?).

I have not touched the clock at all.

pulse:/home/madduck# apt-get update -o debug::acquire::gpgv=true
Get:1 http://debian.madduck.net sid Release.gpg [197B]
Hit http://debian.madduck.net sid Release
99% [Working]inside VerifyGetSigners
gpgv path: /usr/bin/gpgv
Keyring path: /etc/apt/trusted.gpg
Preparing to exec: /usr/bin/gpgv /usr/bin/gpgv --status-fd 3 --ignore-time-conflict --keyring /etc/apt/trusted.gpg /var/lib/apt/lists/partial/debian.madduck.net_repo_dists_sid_Release.gpg /var/lib/apt/lists/debian.madduck.net_repo_dists_sid_Release
99% [Release gpgv 9914]Read: [GNUPG:] KEYEXPIRED 1182334739
Got KEYEXPIRED! 
Read: [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
Read: [GNUPG:] SIG_ID D2M7RKDiTEH9ZrZjtANG3Hfmnus 2009-04-07 1239122210
Read: [GNUPG:] EXPKEYSIG A4BA872BD5B9E51E madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>
Read: [GNUPG:] VALIDSIG 57260E2A6376CB441AE90B77A4BA872BD5B9E51E 2009-04-07 1239122210 0 4 0 17 2 00 57260E2A6376CB441AE90B77A4BA872BD5B9E51E
gpgv exited
Err http://debian.madduck.net sid Release
  
Get:2 http://debian.madduck.net sid Release [9914B]
99% [2 Release gpgv 9914]yGetSigners
gpgv path: /usr/bin/gpgv
Keyring path: /etc/apt/trusted.gpg
Preparing to exec: /usr/bin/gpgv /usr/bin/gpgv --status-fd 3 --ignore-time-conflict --keyring /etc/apt/trusted.gpg /var/lib/apt/lists/partial/debian.madduck.net_repo_dists_sid_Release.gpg /var/lib/apt/lists/debian.madduck.net_repo_dists_sid_Release
Read: [GNUPG:] KEYEXPIRED 1182334739
Got KEYEXPIRED! 
Read: [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
Read: [GNUPG:] SIG_ID D2M7RKDiTEH9ZrZjtANG3Hfmnus 2009-04-07 1239122210
Read: [GNUPG:] EXPKEYSIG A4BA872BD5B9E51E madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>
Read: [GNUPG:] VALIDSIG 57260E2A6376CB441AE90B77A4BA872BD5B9E51E 2009-04-07 1239122210 0 4 0 17 2 00 57260E2A6376CB441AE90B77A4BA872BD5B9E51E
gpgv exited
Ign http://debian.madduck.net sid Release
Ign http://debian.madduck.net sid/main Packages/DiffIndex
Ign http://debian.madduck.net sid/main Sources/DiffIndex
Ign http://debian.madduck.net sid/main Packages
Ign http://debian.madduck.net sid/main Sources
Hit http://debian.madduck.net sid/main Packages
Hit http://debian.madduck.net sid/main Sources
Fetched 10.1kB in 0s (72.3kB/s)
Reading package lists... Done
W: GPG error: http://debian.madduck.net sid Release: The following signatures were invalid: KEYEXPIRED 1182334739
W: You may want to run apt-get update to correct these problems

> > pulse:~# wget -q http://debian.madduck.net/repo/gpg/a4ba872bd5b9e51e.key.asc http://debian.madduck.net/repo/dists/sid/Release{,.gpg}
> > pulse:~# gpg --import < a4ba872bd5b9e51e.key.asc
> > gpg: /root/.gnupg/trustdb.gpg: trustdb created
> > gpg: key D5B9E51E: public key "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>" imported
> > gpg: Total number processed: 1
> > gpg:               imported: 1
> > gpg: no ultimately trusted keys found
> > pulse:~# gpg --verify Release.gpg Release
> [..]
> 
> Could you please also run:
> # gpgv --status-fd 1 Release.gpg Release

After playing around with this and having to use --keyring,
I eventually found out that I hadn't updated the key in
/etc/apt/trusted.gpg in the chroot. :)

So it seems to work. Thanks!

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
fitter, healthier, more productive
like a pig, in a cage, on antibiotics
                                                          -- radiohead
[digital_signature_gpg.asc (application/pgp-signature, inline)]
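The acceptance rule this thread converges on, written out as an added Python example (it is not apt's methods/gpgv.cc and not gnupg code): parse the `[GNUPG:]` status lines gpgv writes to its status fd, treat VALIDSIG as insufficient on its own, refuse on KEYEXPIRED, EXPKEYSIG, REVKEYSIG, KEYREVOKED or BADSIG, and, as dkg asks for, tell a signature made before the key's expiry apart from one made after it by comparing the VALIDSIG sig-timestamp with the KEYEXPIRED timestamp. The first sample run is the status output from the debug log above, copied verbatim; the other two runs, the verdict strings and the function names are this example's own. The expiry the check sees is whatever the local keyring holds: in the run above that copy was stale (expiry 1182334739, June 2007) while the live key runs to 2010-06-30, so the signature of 7 April 2009 is dkg's case 1 against that keyring, and the right remedy was refreshing /etc/apt/trusted.gpg, not loosening the check.

```python
# Added example, not apt's methods/gpgv.cc and not gnupg code: parse gpgv
# status lines and apply the acceptance policy argued for in this thread.
# Tag names follow gnupg's DETAILS; verdict strings are this example's own.
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class GpgvStatus:
    good: List[str] = field(default_factory=list)         # GOODSIG key ids
    bad: List[str] = field(default_factory=list)          # BADSIG key ids
    no_pubkey: List[str] = field(default_factory=list)    # NO_PUBKEY key ids
    expired_key: List[str] = field(default_factory=list)  # EXPKEYSIG key ids
    revoked_key: List[str] = field(default_factory=list)  # REVKEYSIG key ids
    key_expired_at: Optional[int] = None                  # KEYEXPIRED <epoch>
    key_revoked: bool = False                             # KEYREVOKED seen
    fingerprint: Optional[str] = None                     # VALIDSIG field 1
    sig_timestamp: Optional[int] = None                   # VALIDSIG field 3


def parse_status(lines: List[str]) -> GpgvStatus:
    """Collect the status lines for one detached signature. Text before
    "[GNUPG:]" (apt's "Read: " debug prefix, human-readable stderr) is
    skipped, so the debug log above can be fed in verbatim."""
    st = GpgvStatus()
    buckets = {"GOODSIG": st.good, "BADSIG": st.bad, "NO_PUBKEY": st.no_pubkey,
               "EXPKEYSIG": st.expired_key, "REVKEYSIG": st.revoked_key}
    for raw in lines:
        pos = raw.find(STATUS_PREFIX)
        if pos < 0:
            continue
        fields = raw[pos + len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag in buckets and args:
            buckets[tag].append(args[0])          # long key id of the signer
        elif tag == "KEYEXPIRED" and args:
            st.key_expired_at = int(args[0])      # key expiry, epoch seconds
        elif tag == "KEYREVOKED":
            st.key_revoked = True
        elif tag == "VALIDSIG" and len(args) >= 3:
            st.fingerprint = args[0]
            st.sig_timestamp = int(args[2])       # signature creation, epoch seconds
    return st


def verdict(st: GpgvStatus) -> str:
    """Negative statuses win over VALIDSIG; VALIDSIG without GOODSIG is the
    expired-key pattern shown above and is not accepted either."""
    if st.bad:
        return "BADSIG"
    if st.key_revoked or st.revoked_key:
        return "REVOKED"
    if st.key_expired_at is not None or st.expired_key:
        # dkg's case 1: signed after the key, as the local keyring knows it,
        # expired. Both expiry cases are refused; the label only tells the
        # operator whether a keyring refresh could legitimately change that.
        if (st.sig_timestamp is not None and st.key_expired_at is not None
                and st.sig_timestamp > st.key_expired_at):
            return "SIG_AFTER_KEY_EXPIRY"
        return "KEY_EXPIRED"
    if st.good and st.fingerprint:
        return "GOOD"
    if st.no_pubkey:
        return "NO_PUBKEY"
    return "NO_VALID_SIGNATURE"


def release_is_trusted(lines: List[str]) -> bool:
    return verdict(parse_status(lines)) == "GOOD"


# Sample 1: verbatim from the debug run above. The chroot's trusted.gpg held a
# stale copy of the key (expiry 1182334739); the signature is from 1239122210.
EXPIRED_KEY_RUN = [
    "Read: [GNUPG:] KEYEXPIRED 1182334739",
    "Read: [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead",
    "Read: [GNUPG:] SIG_ID D2M7RKDiTEH9ZrZjtANG3Hfmnus 2009-04-07 1239122210",
    "Read: [GNUPG:] EXPKEYSIG A4BA872BD5B9E51E madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>",
    "Read: [GNUPG:] VALIDSIG 57260E2A6376CB441AE90B77A4BA872BD5B9E51E 2009-04-07 1239122210 0 4 0 17 2 00 57260E2A6376CB441AE90B77A4BA872BD5B9E51E",
]

# Sample 2 (constructed): the same signature once the refreshed key is in the
# keyring: GOODSIG plus VALIDSIG and no negative status.
GOOD_RUN = [
    "[GNUPG:] SIG_ID D2M7RKDiTEH9ZrZjtANG3Hfmnus 2009-04-07 1239122210",
    "[GNUPG:] GOODSIG A4BA872BD5B9E51E madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>",
    "[GNUPG:] VALIDSIG 57260E2A6376CB441AE90B77A4BA872BD5B9E51E 2009-04-07 1239122210 0 4 0 17 2 00 57260E2A6376CB441AE90B77A4BA872BD5B9E51E",
]

# Sample 3 (constructed): VALIDSIG with no GOODSIG. A checker keyed on
# VALIDSIG alone accepts this; the policy above does not.
VALIDSIG_ONLY_RUN = [
    "[GNUPG:] VALIDSIG 57260E2A6376CB441AE90B77A4BA872BD5B9E51E 2009-04-07 1239122210 0 4 0 17 2 00 57260E2A6376CB441AE90B77A4BA872BD5B9E51E",
]

if __name__ == "__main__":
    for name, run in (("stale keyring", EXPIRED_KEY_RUN), ("refreshed keyring", GOOD_RUN),
                      ("VALIDSIG only", VALIDSIG_ONLY_RUN)):
        print(f"{name}: {verdict(parse_status(run))}")
```

Run stand-alone it prints SIG_AFTER_KEY_EXPIRY for the stale-keyring run, GOOD for the refreshed one and NO_VALID_SIGNATURE for the VALIDSIG-only run. The ordering in `verdict` is the point: gpgv still emits VALIDSIG for a signature from an expired key, so any checker that looks for VALIDSIG and stops there accepts exactly the output madduck pasted.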

Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Wed, 15 Apr 2009 22:18:17 GMT)

Notification sent to martin f krafft <madduck@debian.org>:
Bug acknowledged by developer. (Wed, 15 Apr 2009 22:18:17 GMT)

Message #125 received at 433091-close@bugs.debian.org:

From: Michael Vogt <mvo@debian.org>
To: 433091-close@bugs.debian.org
Subject: Bug#433091: fixed in apt 0.7.21
Date: Wed, 15 Apr 2009 21:17:10 +0000
Source: apt
Source-Version: 0.7.21

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.7.21_all.deb
  to pool/main/a/apt/apt-doc_0.7.21_all.deb
apt-transport-https_0.7.21_i386.deb
  to pool/main/a/apt/apt-transport-https_0.7.21_i386.deb
apt-utils_0.7.21_i386.deb
  to pool/main/a/apt/apt-utils_0.7.21_i386.deb
apt_0.7.21.dsc
  to pool/main/a/apt/apt_0.7.21.dsc
apt_0.7.21.tar.gz
  to pool/main/a/apt/apt_0.7.21.tar.gz
apt_0.7.21_i386.deb
  to pool/main/a/apt/apt_0.7.21_i386.deb
libapt-pkg-dev_0.7.21_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.7.21_i386.deb
libapt-pkg-doc_0.7.21_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.7.21_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 433091@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Apr 2009 14:12:51 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.21
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 513211 513311 513843 518070 520403 520403 520430 522222
Changes: 
 apt (0.7.21) unstable; urgency=low
 .
   [ Christian Perrier ]
   * Translations:
     - bg.po. Closes: #513211
     - zh_TW.po. Closes: #513311
     - nb.po. Closes: #513843
     - fr.po. Closes: #520430
     - sv.po. Closes: #518070
     - sk.po. Closes: #520403
     - it.po. Closes: #522222
     - sk.po. Closes: #520403
 .
   [ Jamie Strandboge ]
   * apt.cron.daily: catch invalid dates due to DST time changes
     in the stamp files
 .
   [ Michael Vogt ]
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)
   * apt-pkg/contrib/strutl.cc:
     - fix TimeToStr i18n (LP: #289807)
   * [ABI break] merge support for http redirects, thanks to
     Jeff Licquia and Anthony Towns
   * [ABI break] use int for the package IDs (thanks to Steve Cotton)
   * apt-pkg/pkgcache.cc:
     - do not run "dpkg --configure pkg" if pkg is in trigger-awaited
       state (LP: #322955)
   * methods/https.cc:
     - add Acquire::https::AllowRedirect support
   * Clarify the --help for 'purge' (LP: #243948)
   * cmdline/apt-get.cc
     - fix "apt-get source pkg" if there is a binary package and
       a source package of the same name but from different
       packages (LP: #330103)
 .
   [ Colin Watson ]
   * cmdline/acqprogress.cc:
     - Call pkgAcquireStatus::Pulse even if quiet, so that we still get
       dlstatus messages on the status-fd (LP: #290234).
Checksums-Sha1: 
 30c17caedc9d91d0827f52cb2542a689006d944c 1212 apt_0.7.21.dsc
 955864538e5f812406b9054825649667cb8f5ce8 2054363 apt_0.7.21.tar.gz
 d24e98a402a48fc48e05d64be4a7364d35a58e88 100546 apt-doc_0.7.21_all.deb
 9b0109e3749cf53b9406746a91f6c1191e3df33a 124512 libapt-pkg-doc_0.7.21_all.deb
 4fde24a6df97b5fdad6b92cce8218860814b16eb 1608880 apt_0.7.21_i386.deb
 fad84a990a7dcadd50f981e18e453d45306225bf 109496 libapt-pkg-dev_0.7.21_i386.deb
 9c41acec6ca1a571049781476b82ea18d40f8a38 187820 apt-utils_0.7.21_i386.deb
 8d78d69200dd41bb0191f9944781af8ad113e3ec 58932 apt-transport-https_0.7.21_i386.deb
Checksums-Sha256: 
 f8aff84dc9118b1e3d725b0b337b94fbb587c57bae81dcda5299f0870ff3a1d5 1212 apt_0.7.21.dsc
 99b2fc7ce3bb6b64f289f44e8cc7ee1345e3ef74a37d3402924008b4a692eadb 2054363 apt_0.7.21.tar.gz
 425316f048f70f023dd2e3eeca1b6d56bcc10617d55b66c4665d5fee795fc6f6 100546 apt-doc_0.7.21_all.deb
 c76a01a8482577fe38ec023f605ec2c7d6b32c50a29743be6162ef5f26928885 124512 libapt-pkg-doc_0.7.21_all.deb
 f1499b99496c5bc5290af209601dbe894675fbfed124c8ec4cd84a0fdc8936e5 1608880 apt_0.7.21_i386.deb
 7b9c828f6ab77af46252f3f1fa95c2a7a80b40b925581b3159b9f3ee0dfc1f4a 109496 libapt-pkg-dev_0.7.21_i386.deb
 ffab9c01ee2b8e420ff3466ab884a3442d10aeccaff010c2509296d1434a7ecd 187820 apt-utils_0.7.21_i386.deb
 771bc0754803b6587fcb51e55ea89e15fd52ccbb68147e0bddc358baf0b65e56 58932 apt-transport-https_0.7.21_i386.deb
Files: 
 af08202f8a7c47e8ed9cd519fa2dae09 1212 admin important apt_0.7.21.dsc
 d814cbf5fd83105fa3d600fa4de3bab4 2054363 admin important apt_0.7.21.tar.gz
 72e58e18425e7cad79a7a35d0b760ae4 100546 doc optional apt-doc_0.7.21_all.deb
 b966cbde4c85439a12d5fc784cbbb4c3 124512 doc optional libapt-pkg-doc_0.7.21_all.deb
 31a6ce78a372a93d2f691a6dbe090ff1 1608880 admin important apt_0.7.21_i386.deb
 15e5ee61a8ec0da5e1b6da0787d52346 109496 libdevel optional libapt-pkg-dev_0.7.21_i386.deb
 2c9ae6be375be28287474efa66cd8a0b 187820 admin important apt-utils_0.7.21_i386.deb
 0954a0535bb70851e465cbbfb4360630 58932 admin optional apt-transport-https_0.7.21_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknllqUACgkQliSD4VZixzR+FwCgnvOyv/JAKExVnJ1ZW0Z5+eza
QfkAn0UYaYt4o7voHq03XsONhGRvFlxc
=dh0r
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#433091; Package apt. (Wed, 22 Apr 2009 06:48:02 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 22 Apr 2009 06:48:02 GMT)

Message #130 received at 433091@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 433091@bugs.debian.org
Subject: CVE id assigned
Date: Wed, 22 Apr 2009 08:44:48 +0200
[Message part 1 (text/plain, inline)]
This is CVE-2009-1358.
Please reference it in the appropriate changelog entry.

Thanks,
Thijs
[signature.asc (application/pgp-signature, inline)]

Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Sat, 02 May 2009 13:57:07 GMT)

Notification sent to martin f krafft <madduck@debian.org>:
Bug acknowledged by developer. (Sat, 02 May 2009 13:57:07 GMT)

Message #135 received at 433091-close@bugs.debian.org:

From: Michael Vogt <mvo@debian.org>
To: 433091-close@bugs.debian.org
Subject: Bug#433091: fixed in apt 0.7.20.2+lenny1
Date: Sat, 02 May 2009 13:53:45 +0000
Source: apt
Source-Version: 0.7.20.2+lenny1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.7.20.2+lenny1_all.deb
  to pool/main/a/apt/apt-doc_0.7.20.2+lenny1_all.deb
apt-transport-https_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt-transport-https_0.7.20.2+lenny1_i386.deb
apt-utils_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt-utils_0.7.20.2+lenny1_i386.deb
apt_0.7.20.2+lenny1.dsc
  to pool/main/a/apt/apt_0.7.20.2+lenny1.dsc
apt_0.7.20.2+lenny1.tar.gz
  to pool/main/a/apt/apt_0.7.20.2+lenny1.tar.gz
apt_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt_0.7.20.2+lenny1_i386.deb
libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
libapt-pkg-doc_0.7.20.2+lenny1_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.7.20.2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 433091@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 19 Apr 2009 21:23:46 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.20.2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.7.20.2+lenny1) stable-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp related auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)
Checksums-Sha1: 
 80d7d53646c2e3fd3604b7d6dc507fb68ed6357d 1540 apt_0.7.20.2+lenny1.dsc
 bdb5687a0ade523d395da3bf21bddfb5ebb31f9a 2043258 apt_0.7.20.2+lenny1.tar.gz
 07f88ed68e5d5576e8ab28e2bec144f74147be68 102110 apt-doc_0.7.20.2+lenny1_all.deb
 3a1590b2a583928cb1f2bac9f7e150e69e2db562 125292 libapt-pkg-doc_0.7.20.2+lenny1_all.deb
 10c8643be9c1725f266349f8ec9cb16afffedb0b 1639116 apt_0.7.20.2+lenny1_i386.deb
 ef2602d7b81295cc70f0f3fec01837d493f1f848 107586 libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
 d0acf24212f4ae67bc5259cbb009c23f95274115 188158 apt-utils_0.7.20.2+lenny1_i386.deb
 aef12bbd95a37b1a1e2870ab0ba78be769d5b800 58824 apt-transport-https_0.7.20.2+lenny1_i386.deb
Checksums-Sha256: 
 1d2459ddfcf220064412b4053ea9248c0107c8800710852372abba6e97f2bbad 1540 apt_0.7.20.2+lenny1.dsc
 fd8091400ab45b24950211dd22f1a26457adbd4e37a9d13923aed57e8a9c5269 2043258 apt_0.7.20.2+lenny1.tar.gz
 2b8e00bcc16992d5df403c67e27e0d89b97ea49b5febde5a50f20846e10db8d8 102110 apt-doc_0.7.20.2+lenny1_all.deb
 e5be5ac36657d1e52d4c6b7124f5c0a8f874e27b37112f9599d5ad3a1e8fe6de 125292 libapt-pkg-doc_0.7.20.2+lenny1_all.deb
 0c376bf8208292c3b1100a61e40adab95501d2f7cc2e6cabbd70643cfb70f733 1639116 apt_0.7.20.2+lenny1_i386.deb
 2f7a1a8903aac858d4dc23bb483948c6ee0849a296a9cf6cf8030ee77572c45c 107586 libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
 5a75db904448e43a0713b68622f90fbb2ab87c7468fee5a67eeb39ce43075bb0 188158 apt-utils_0.7.20.2+lenny1_i386.deb
 e04bd88a41f174bff59e5b8227fdaeb0903c1537459ffdaeb5ed31d17e4d366a 58824 apt-transport-https_0.7.20.2+lenny1_i386.deb
Files: 
 60e740d25e23101d5f7a9c90b90ee698 1540 admin important apt_0.7.20.2+lenny1.dsc
 c23dc4256af67c1644a9dbc5ae0115c8 2043258 admin important apt_0.7.20.2+lenny1.tar.gz
 099c1c85cb08d668e9e4668516ebc763 102110 doc optional apt-doc_0.7.20.2+lenny1_all.deb
 68c3671fa441778e16dbbe838cc893e5 125292 doc optional libapt-pkg-doc_0.7.20.2+lenny1_all.deb
 f2021728f2e92ffe32f7eb1bdc2d6231 1639116 admin important apt_0.7.20.2+lenny1_i386.deb
 e5ac47a6a1892c8ae12b0c25136b163d 107586 libdevel optional libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
 a0f4a903e2fc11d9d6535d310e7f5a9e 188158 admin important apt-utils_0.7.20.2+lenny1_i386.deb
 68cbda40b139645b347d3168e09c722b 58824 admin optional apt-transport-https_0.7.20.2+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ7NNGAAoJECIIoQCMVaAcWmYIAIxLk0Hbhs9eOAt4asY5U4/g
8Brl5T2Fj+W7QB9sclmohdsejy6sVqPB34Wxscfdff1EacVMv2ZeLPWiQmx1GaEV
T5LiMlxbDMAhyVYnRRfKqLiguH0zXbZOc8wfehe2l1Lk8WzHpfJ2KBxPaAHBnyKC
atpd4rSutNPfyF+8uV9oD5/PqmdSecFrO56hw3rrVNTJiOO+YAjtZDn+cwPRm+Er
ldxzn1fTbT7g4IwwUVab93TeZxSbQqYjZbiI9Dgm5Y7pPnJJnHHVN+spUnYGdpvM
dVwU5LnULsc1GqHoovsXzcmZYVHx5b+7Ve1Y4MosG6rJogGrPQLRb3Lk6vqoDt8=
=i8fJ
-----END PGP SIGNATURE-----





Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Sat, 02 May 2009 20:00:14 GMT)

Notification sent to martin f krafft <madduck@debian.org>:
Bug acknowledged by developer. (Sat, 02 May 2009 20:00:15 GMT)

Message #140 received at 433091-close@bugs.debian.org:

From: Michael Vogt <mvo@debian.org>
To: 433091-close@bugs.debian.org
Subject: Bug#433091: fixed in apt 0.6.46.4-0.1+etch4
Date: Sat, 02 May 2009 19:54:46 +0000
Source: apt
Source-Version: 0.6.46.4-0.1+etch4

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.6.46.4-0.1+etch4_all.deb
  to pool/main/a/apt/apt-doc_0.6.46.4-0.1+etch4_all.deb
apt-utils_0.6.46.4-0.1+etch4_i386.deb
  to pool/main/a/apt/apt-utils_0.6.46.4-0.1+etch4_i386.deb
apt_0.6.46.4-0.1+etch4.dsc
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch4.dsc
apt_0.6.46.4-0.1+etch4.tar.gz
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch4.tar.gz
apt_0.6.46.4-0.1+etch4_i386.deb
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch4_i386.deb
libapt-pkg-dev_0.6.46.4-0.1+etch4_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.6.46.4-0.1+etch4_i386.deb
libapt-pkg-doc_0.6.46.4-0.1+etch4_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.6.46.4-0.1+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 433091@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 19 Apr 2009 21:06:46 +0200
Source: apt
Binary: apt-utils libapt-pkg-doc libapt-pkg-dev apt-doc apt
Architecture: source all i386
Version: 0.6.46.4-0.1+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.6.46.4-0.1+etch4) oldstable-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp related auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)
Files: 
 c631100edac082afe2dddb28030ed6ff 1108 admin important apt_0.6.46.4-0.1+etch4.dsc
 e6eaebb8a12f5243668ca56e65c8c71e 1798703 admin important apt_0.6.46.4-0.1+etch4.tar.gz
 999f34683b7cb7818258ac1ebfca701c 89752 doc optional apt-doc_0.6.46.4-0.1+etch4_all.deb
 b91e59e2e1093ecbe387ccc7e8111d73 112248 doc optional libapt-pkg-doc_0.6.46.4-0.1+etch4_all.deb
 73f115b27de4fdf11af97e2b5afca613 1438190 admin important apt_0.6.46.4-0.1+etch4_i386.deb
 6aa9a63c060eb0461b66f67e35ed20c7 84166 libdevel optional libapt-pkg-dev_0.6.46.4-0.1+etch4_i386.deb
 7245c5ea84b1c4eefa816af20868a794 198392 admin important apt-utils_0.6.46.4-0.1+etch4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ7ZDZAAoJECIIoQCMVaAcYgQH+wXRkiChxfmz1vuiqDe1yx/K
a5T5c+zb/mrY1Q3M0zh/p0sB9xmE6XBC9c4UYEX3qLS/V0PJ4eND1DHyT8qBtm67
mB2G/+U0MDFB607l5vCIstSchgJP9XTLA7cdvTudQCgEihYhvXpySSzHNPcn+WHv
Bb5fTvcERQ7zVfjFv2tySyn/y5dwssqf0dwm625NuYc75oD1eVHZ+vpX1WVMHI4K
795kdmDE7X0/vbg0P6CIZn4xRo1P/JLuhzZt1f7facB0mCLnHphHKhB2e7vBHECu
OPqW9ryZsPDD34Zs/v0UPosYqFOwyrY8JMyJQog2/VljHqhAVB1/A4aZShLuwIw=
=9jPa
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 06 May 2009 12:33:03 GMT)

Notification sent to martin f krafft <madduck@debian.org>:
Bug acknowledged by developer. (Wed, 06 May 2009 12:33:03 GMT)

Message #145 received at 433091-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 433091-close@bugs.debian.org
Subject: Bug#433091: fixed in apt 0.7.20.2+squeeze1
Date: Wed, 06 May 2009 12:17:05 +0000
Source: apt
Source-Version: 0.7.20.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.7.20.2+squeeze1_all.deb
  to pool/main/a/apt/apt-doc_0.7.20.2+squeeze1_all.deb
apt-transport-https_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/apt-transport-https_0.7.20.2+squeeze1_i386.deb
apt-utils_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/apt-utils_0.7.20.2+squeeze1_i386.deb
apt_0.7.20.2+squeeze1.dsc
  to pool/main/a/apt/apt_0.7.20.2+squeeze1.dsc
apt_0.7.20.2+squeeze1.tar.gz
  to pool/main/a/apt/apt_0.7.20.2+squeeze1.tar.gz
apt_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/apt_0.7.20.2+squeeze1_i386.deb
libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 433091@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 05 May 2009 15:37:03 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.20.2+squeeze1
Distribution: testing-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.7.20.2+squeeze1) testing-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp releated auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)


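As an added illustration of the gpgv.cc change listed in the changelog above (example code, not apt's own): a small classifier for gpgv --status-fd lines, where a lenient check that treats only BADSIG as fatal accepts a signature made by an expired key, while the strict check rejects EXPKEYSIG and REVKEYSIG. The status tags are GnuPG's; the key ids, fingerprints and user ids in the sample runs are constructed placeholders.

```python
# Added example, not apt's gpgv.cc: classify gpgv --status-fd output.
# GnuPG reports each signature as "[GNUPG:] TAG arg..." lines; the tags
# used here are GnuPG's documented status tags.
STATUS_PREFIX = "[GNUPG:] "

# Tags that mean the signature must not be accepted. Note that gpgv still
# prints VALIDSIG for a signature made by an expired or revoked key, so a
# check keyed only on VALIDSIG/BADSIG lets such signatures through.
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
               "NO_PUBKEY", "NODATA"}


def parse_status(lines):
    """Return (tag, first argument) pairs from status-fd lines."""
    out = []
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable stderr noise, not a status line
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            out.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return out


def lenient_ok(lines):
    """Illustration of the reported behaviour (hypothetical, not apt's
    real logic): only BADSIG is fatal, so an expired key passes."""
    tags = {tag for tag, _ in parse_status(lines)}
    return "VALIDSIG" in tags and "BADSIG" not in tags


def strict_ok(lines):
    """Hardened check: at least one GOODSIG and no rejecting tag.
    Returns (ok, good_keyids, rejected) so the caller can say why."""
    parsed = parse_status(lines)
    good = [kid for tag, kid in parsed if tag == "GOODSIG"]
    rejected = [(tag, kid) for tag, kid in parsed if tag in REJECT_TAGS]
    return (bool(good) and not rejected), good, rejected


# Constructed sample runs; key id, fingerprint and user id are placeholders.
_FPR = "00112233445566778899AABBCCDDEEFF00112233"
RUN_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <placeholder@example.org>",
    "[GNUPG:] VALIDSIG " + _FPR + " 2009-05-05 1241537823 0 4 0 17 2 00 " + _FPR,
]
RUN_EXPIRED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Archive Key <placeholder@example.org>",
    "[GNUPG:] VALIDSIG " + _FPR + " 2009-05-05 1241537823 0 4 0 17 2 00 " + _FPR,
]
```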
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jun 2009 07:38:59 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:53:52 2019; Machine Name: buxtehude
