Debian Bug report logs - #346002
apt: GPG error when updating

version graph

Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Ferenczi Viktor <letezo@fw.hu>

Date: Wed, 4 Jan 2006 19:33:01 UTC

Severity: serious

Tags: d-i

Merged with 345823, 345891, 345956, 347540

Found in version apt/0.6.43

Fixed in version 0.6.43.1

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Ferenczi Viktor <letezo@fw.hu>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ferenczi Viktor <letezo@fw.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt: GPG error when updating
Date: Wed, 04 Jan 2006 20:25:34 +0100
Package: apt
Version: 0.6.43
Severity: normal


I got an unusal GPG error when updating with apt-get update:

# apt-get update
Letöltés:1 http://ftp.us.debian.org unstable Release.gpg [378B]
Találat http://ftp.us.debian.org unstable Release
Mellőz http://ftp.us.debian.org unstable Release
Találat ftp://ftp.tu-graz.ac.at unstable Release.gpg
Találat http://ftp.us.debian.org unstable/main Packages
Találat ftp://ftp.tu-graz.ac.at unstable Release
Találat ftp://ftp.tu-graz.ac.at unstable/main Packages
Találat ftp://ftp.tu-graz.ac.at unstable/contrib Packages
Találat ftp://ftp.tu-graz.ac.at unstable/non-free Packages
Találat http://ftp.us.debian.org unstable/contrib Packages
Találat http://ftp.us.debian.org unstable/non-free Packages
Találat http://ftp.us.debian.org unstable/main Sources
Találat http://ftp.us.debian.org unstable/contrib Sources
Találat http://ftp.us.debian.org unstable/non-free Sources
Találat ftp://ftp.tu-graz.ac.at unstable/main Sources
Találat ftp://ftp.tu-graz.ac.at unstable/contrib Sources
Találat ftp://ftp.tu-graz.ac.at unstable/non-free Sources
Letöltve 378B 2s alatt (138B/s)
Csomaglisták olvasása... Kész
W: GPG error: http://ftp.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: Próbáld futtatni az apt-get update -et, hogy javítsd ezeket a problémákat

Last message (in Hungarian): "Try to rerun apt-get update to resolve problems"

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "unstable";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";

-- (no /etc/apt/preferences present) --


-- /etc/apt/sources.list --

# Local
#deb file:/var/local/dpkg unstable main

# Debian on s1 + security update
#deb http://192.168.0.1/debian1/ sarge main contrib
#deb http://192.168.0.1/debian2/ sarge main contrib
#deb http://security.debian.org/ stable/updates main contrib

# Hungary
#deb ftp://ftp.hu.debian.org/debian unstable main contrib non-free
#deb-src ftp://ftp.hu.debian.org/debian unstable main contrib non-free

# Austria

# Mostanában nem megy:
#deb ftp://debian.inode.at/debian/ unstable main contrib non-free
#deb-src ftp://debian.inode.at/debian/ unstable main contrib non-free

# Ez meg tetü lassú:
#deb ftp://gd.tuwien.ac.at/opsys/linux/debian/ unstable main contrib non-free
#deb-src ftp://gd.tuwien.ac.at/opsys/linux/debian/ unstable main contrib non-free

# Viszonylag lassú, de működik:
#deb ftp://ftp.at.debian.org/debian unstable main contrib non-free
#deb-src ftp://ftp.at.debian.org/debian unstable main contrib non-free

deb ftp://ftp.tu-graz.ac.at/mirror/debian/ unstable main contrib non-free
deb-src ftp://ftp.tu-graz.ac.at/mirror/debian/ unstable main contrib non-free

# Global
#deb ftp://ftp.debian.org/debian/ unstable main contrib non-free
#deb-src ftp://ftp.debian.org/debian/ unstable main contrib non-free

# Non-US
#deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free

#deb http://ftp.uk.debian.org/debian/ unstable main contrib non-free
#deb-src http://ftp.uk.debian.org/debian/ unstable main contrib non-free

#deb http://ftp.de.debian.org/debian/ unstable main contrib non-free
#deb-src http://ftp.de.debian.org/debian/ unstable main contrib non-free

#deb http://ftp2.de.debian.org/debian/ unstable main contrib non-free
#deb-src http://ftp2.de.debian.org/debian/ unstable main contrib non-free

deb http://ftp.us.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.us.debian.org/debian/ unstable main contrib non-free

# Non-US
#deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-sirius-20051219-0354
Locale: LANG=hu_HU, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages apt depends on:
ii  libc6                         2.3.5-9    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.2-5  GCC support library
ii  libstdc++6                    4.0.2-5    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information



Severity set to `serious'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 345823 345891 346002. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 345823 345891 345956 346002. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at 346002@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 346002@bugs.debian.org, Ferenczi Viktor <letezo@fw.hu>
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Wed, 04 Jan 2006 21:17:26 +0000
# BTS control commands
package apt
# Raising severities as per the rationale in #345891
severity 346002 serious
severity 345823 serious
severity 345956 serious
merge 346002 345823 345956 345891
thanks

On Wed, 2006-01-04 at 20:25 +0100, Ferenczi Viktor wrote:
> Package: apt
> Version: 0.6.43
> Severity: normal
> 
> 
> I got an unusal GPG error when updating with apt-get update:
[...]
> W: GPG error: http://ftp.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

This is the same issue as reported in #345891 and the two bugs I've just
merged with it (see above). Merging this report and the other three.

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Harald Dunkel <harald.dunkel@t-online.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #25 received at 346002@bugs.debian.org (full text, mbox):

From: Harald Dunkel <harald.dunkel@t-online.de>
To: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>, 346002@bugs.debian.org
Cc: Ferenczi Viktor <letezo@fw.hu>
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Thu, 05 Jan 2006 12:02:53 +0100
[Message part 1 (text/plain, inline)]
Adam D. Barratt wrote:
> # BTS control commands
> package apt
> # Raising severities as per the rationale in #345891
> severity 346002 serious
> severity 345823 serious
> severity 345956 serious
> merge 346002 345823 345956 345891

This happened before. Please check #316915.

Is there any way to switch this signature checking off?


Many thanx

Harri
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #30 received at 346002@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: Harald Dunkel <harald.dunkel@t-online.de>, 346002@bugs.debian.org
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Fri, 6 Jan 2006 10:15:25 +0100
On Thu, Jan 05, 2006 at 12:02:53PM +0100, Harald Dunkel wrote:
[..]
> Is there any way to switch this signature checking off?

You can run apt-get with "--allow-unauthenticated" or
APT::Get::AllowUnauthenticated=true in apt.conf

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Harald Dunkel <harald.dunkel@t-online.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #35 received at 346002@bugs.debian.org (full text, mbox):

From: Harald Dunkel <harald.dunkel@t-online.de>
To: Michael Vogt <mvo@debian.org>, 346002@bugs.debian.org
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Sun, 08 Jan 2006 09:28:24 +0100
[Message part 1 (text/plain, inline)]
Michael Vogt wrote:
> 
> You can run apt-get with "--allow-unauthenticated" or
> APT::Get::AllowUnauthenticated=true in apt.conf
> 

Thanx for the hint, but this option just changed the error
message. Now I get:

W: There are no public key available for the following key IDs:
010908312D230C5F
W: You may want to run apt-get update to correct these problems


Regards

Harri
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #40 received at 346002@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: Harald Dunkel <harald.dunkel@t-online.de>, 346002@bugs.debian.org
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Sun, 8 Jan 2006 16:05:35 +0100
On Sun, Jan 08, 2006 at 09:28:24AM +0100, Harald Dunkel wrote:
> Michael Vogt wrote:
> > You can run apt-get with "--allow-unauthenticated" or
> > APT::Get::AllowUnauthenticated=true in apt.conf
> 
> Thanx for the hint, but this option just changed the error
> message. Now I get:
> 
> W: There are no public key available for the following key IDs:
> 010908312D230C5F
> W: You may want to run apt-get update to correct these problems

The warning is justified IMHO because the user should be told that
there is are signatures on the Release file for that no public key is
available. The Debian Release should should still be authenticated now
(because it found a valid signature from a trusted key and only a
missing signature) and you should get no authenticated packages
warnings anymore.

Maybe I should reword the warning to make it more clear what it
means?

Cheers,
 Michael
 
-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Mark Hedges <hedges@ucsd.edu>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #45 received at 346002@bugs.debian.org (full text, mbox):

From: Mark Hedges <hedges@ucsd.edu>
To: mvo@debian.org
Cc: 346002@bugs.debian.org
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Mon, 9 Jan 2006 13:13:57 -0800 (PST)
> On Sun, Jan 08, 2006 at 09:28:24AM +0100, Harald Dunkel wrote:
> > Michael Vogt wrote:
> > > You can run apt-get with "--allow-unauthenticated" or
> > > APT::Get::AllowUnauthenticated=true in apt.conf
> >
> > Thanx for the hint, but this option just changed the error
> > message. Now I get:
> >
> > W: There are no public key available for the following key IDs:
> > 010908312D230C5F
> > W: You may want to run apt-get update to correct these problems
>
> The warning is justified IMHO because the user should be told that
> there is are signatures on the Release file for that no public key is
> available. The Debian Release should should still be authenticated now
> (because it found a valid signature from a trusted key and only a
> missing signature) and you should get no authenticated packages
> warnings anymore.
>
> Maybe I should reword the warning to make it more clear what it
> means?

I still got this error as of this morning on `apt-get update`:

    W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

  mhedges@mhedges:~$ sudo apt-key update
  ERROR: Can't find the archive-keyring
  Is the debian-keyring package installed?
  mhedges@mhedges:~$ sudo apt-get install debian-keyring
  Reading package lists... Done
  Building dependency tree... Done
  debian-keyring is already the newest version.
  0 upgraded, 0 newly installed, 0 to remove and 64 not upgraded.

I tried installing just the upgrade of apt and apt-utils without
verification but it didn't help.  Same error.  Is the relevant
key in some other package?

I finally got sick of waiting and answered 'Y' to dist-upgrade's question:

    WARNING: The following packages cannot be authenticated!
    ...
    Install these packages without verification [y/N]? y

After that, I *still* get the same error for `apt-get update`:

    W: There are no public key available for the following key IDs: 010908312D230C5F

Will there be some way to go back and verify package integrity
after this gets fixed?  Reinstall these packages?

Thanks for looking into it....

Mark



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#346002; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #50 received at 346002@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: Mark Hedges <hedges@ucsd.edu>, 346002@bugs.debian.org
Subject: Re: Bug#346002: apt: GPG error when updating
Date: Tue, 10 Jan 2006 10:18:07 +0100
On Mon, Jan 09, 2006 at 01:13:57PM -0800, Mark Hedges wrote:
> > On Sun, Jan 08, 2006 at 09:28:24AM +0100, Harald Dunkel wrote:
> > > Michael Vogt wrote:
> > > > You can run apt-get with "--allow-unauthenticated" or
> > > > APT::Get::AllowUnauthenticated=true in apt.conf
> > >
> > > Thanx for the hint, but this option just changed the error
> > > message. Now I get:
> > >
> > > W: There are no public key available for the following key IDs:
> > > 010908312D230C5F
> > > W: You may want to run apt-get update to correct these problems
> >
> > The warning is justified IMHO because the user should be told that
> > there is are signatures on the Release file for that no public key is
> > available. The Debian Release should should still be authenticated now
> > (because it found a valid signature from a trusted key and only a
> > missing signature) and you should get no authenticated packages
> > warnings anymore.
> >
> > Maybe I should reword the warning to make it more clear what it
> > means?
> 
> I still got this error as of this morning on `apt-get update`:
> 
>     W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

This is excepted as only apt version 0.6.43.1 contains support to
verify against multiple signatures on a Relase file.
 
>   mhedges@mhedges:~$ sudo apt-key update
>   ERROR: Can't find the archive-keyring
>   Is the debian-keyring package installed?
>   mhedges@mhedges:~$ sudo apt-get install debian-keyring
>   Reading package lists... Done
>   Building dependency tree... Done
>   debian-keyring is already the newest version.
>   0 upgraded, 0 newly installed, 0 to remove and 64 not upgraded.
> 
> I tried installing just the upgrade of apt and apt-utils without
> verification but it didn't help.  Same error.  Is the relevant
> key in some other package?

The relevant key is in the debian-archive-keyring package that is not
yet in the archive. 

> I finally got sick of waiting and answered 'Y' to dist-upgrade's question:
> 
>     WARNING: The following packages cannot be authenticated!
>     ...
>     Install these packages without verification [y/N]? y
> 
> After that, I *still* get the same error for `apt-get update`:
> 
>     W: There are no public key available for the following key IDs: 010908312D230C5F

This is the warning that was discussed above (that probably needs some
rewording, suggestions are welcome). It tells you that there is a
missing key (that in itself is not fatal because of the good signature
on the release file with the 2005 key). So now your packages should
be authenticated again.

> Will there be some way to go back and verify package integrity
> after this gets fixed?  Reinstall these packages?

The easiest is to just add the new key with apt-key add by hand.  You
can also install the new apt and/or the debian-archive-keyring package
(when it enters the archive). Then apt-get clean, apt-get update,
apt-get install --reinstall apt. This will make sure that apt is ok,
then proceed with the installing. Far from ideal, sorry for the bumpy
road. But the next key rollover should be much smoother.

Cheers,
 Michael
-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo



Merged 345823 345891 345956 346002 347540. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 08:57:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:12:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.