apt-get source <package> fails to verify signatures on any packages
$ apt-get source dpkg-dev
Reading package lists... Done
Picking 'dpkg' as source package instead of 'dpkg-dev'
Selected version '1.18.10' (testing) for dpkg
NOTICE: 'dpkg' packaging is maintained in the 'Git' version control system at:
https://anonscm.debian.org/git/dpkg/dpkg.git
Please use:
git clone https://anonscm.debian.org/git/dpkg/dpkg.git
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 4,647 kB of source archives.
Get:1 http://10.1.0.3:3142/auto.mirror.devuan.org/merged ascii/main dpkg 1.18.10 (dsc) [2,030 B]
Get:2 http://10.1.0.3:3142/auto.mirror.devuan.org/merged ascii/main dpkg 1.18.10 (tar) [4,645 kB]
Fetched 4,647 kB in 3s (1,386 kB/s)
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/omega/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun 31 Jul 2016 15:34:20 BST
gpgv:                using RSA key B972BF3EA4AE57A3
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./dpkg_1.18.10.dsc
dpkg-source: info: extracting dpkg in dpkg-1.18.10
dpkg-source: info: unpacking dpkg_1.18.10.tar.xz
Ignoring the other errors, the key bit here is 'gpgv: Can't check signature: No public key'.
After some investigation, it turns out that Devuan is missing a bit of distro-specific customisation to separate it from Debian - in '/etc/dpkg/origins', Devuan is clearly a different 'vendor' from Debian. Through this, the dpkg system wants to find the 'Devuan' vendor when it's looking for configuration.
The tool that actually forks off gpgv to check the *.dsc file is dpkg-source, and in order to determine the keyring arguments to pass to gpgv, it checks the appropriate 'vendor' perl module (why isn't this in some normal config file??) - these are stored in '/usr/share/perl5/Dpkg/Vendor'. Note there is no Devuan.pm here.
So in the normal case, Debian.pm:run_hook is called with 'keyrings', and subsequently returns '/usr/share/keyrings/debian-keyring.gpg' and '/usr/share/keyrings/debian-maintainers.gpg' - as there is no Devuan file, no system keyrings are returned at all, just the user's keyring by default.
Currently I've just seen this affect apt-get source, but I have no idea if anything else relies on the appropriate 'vendor' file in '/usr/share/perl5/Dpkg/Vendor' - regardless, this is a security breach.
User workaround: Since we now know where this config is kept and therefore what keyrings to use, just call gpgv yourself in the right directory:
gpgv --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-maintainers.gpg *.dsc
Note for random readers: Once the dsc has been checked out, make sure to hash the upstream and Debian tars and compare with the hashes reported in the dsc, otherwise no real checking has been done at all.
Devuan Ascii
apt: 1.3.1
dpkg-dev 1.18.10 (provides dpkg-source)
Currently working out how to tag this with 'Package'...
Oh right - the instructions for how to report a bug with a non-devuan-forked package ask for the user to tag it :/
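The user workaround above (run gpgv against the two Debian keyrings, then compare the archive hashes with the .dsc), written out as a Python script. This is an added example, not code from this report or from dpkg; gpgv_verify assumes gpgv and the debian-keyring package are installed, and the sample .dsc and archive content at the bottom are constructed for the demonstration.

```python
import hashlib
import os
import subprocess

# Keyrings named in the workaround above; assumes the debian-keyring package is installed.
KEYRINGS = ["/usr/share/keyrings/debian-keyring.gpg", "/usr/share/keyrings/debian-maintainers.gpg"]


def gpgv_verify(dsc_path, keyrings=KEYRINGS):
    """Run gpgv on the .dsc with the Debian keyrings; True only for a good signature."""
    cmd = ["gpgv"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    cmd.append(dsc_path)
    return subprocess.run(cmd, capture_output=True).returncode == 0


def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one multi-line checksum field of a .dsc."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif in_field:
            break  # first non-continuation line ends the field
    return entries


def verify_checksums(dsc_text, read_bytes):
    """Return the names of listed files that are missing or whose size or SHA-256 differ."""
    bad = []
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = read_bytes(name)  # None when the file is absent
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return bad


def read_from_dir(directory):
    """Reader for verify_checksums that loads archives next to the .dsc; rejects path separators."""
    def read_bytes(name):
        path = os.path.join(directory, name)
        return open(path, "rb").read() if "/" not in name and os.path.isfile(path) else None
    return read_bytes


# Constructed sample .dsc and archive (not a real Debian upload): the archive content is b"hello".
SAMPLE_FILES = {"demo_1.0.orig.tar.xz": b"hello"}
SAMPLE_DSC = """Source: demo
Checksums-Sha256:
 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 5 demo_1.0.orig.tar.xz
"""
```

For a downloaded source package, call gpgv_verify on the .dsc first and only then verify_checksums(open(dsc).read(), read_from_dir(os.path.dirname(dsc))); an empty list means every listed archive matched.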
Probably the best solution here, avoiding a fork of the dpkg source package, is to create a simple package, something like libdpkg-perl-devuan, depending on libdpkg-perl and then using it to put our own Devuan.pm file in /usr/share/perl5/Dpkg/Vendor
then, libdpkg-perl-devuan should be tagged as an essential package and pushed into the base install
The user workaround does not work for me (switching from Debian Jessie to Devuan). (I am sorry for the error messages in Czech, but "chyba při otvírání souboru" means "failed to open the file".)
root@hankostroj:/etc/apt# gpgv --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-maintainers.gpg .dsc
gpgv: zdroj bloku klíče `/usr/share/keyrings/debian-keyring.gpg': chyba při otvírání souboru
gpgv: zdroj bloku klíče `/usr/share/keyrings/debian-maintainers.gpg': chyba při otvírání souboru
gpgv: nelze otevřít ` .dsc'
gpgv: verify signatures failed: chyba při otvírání souboru
The keyring is part of the debian-keyring package, is that installed?
I had debian-archive-keyring, not debian-keyring. I accepted the installation of unsigned packages (and got Devuan). After getting debian-keyring (apt-get install debian-keyring from Devuan, accepting the unsigned package), the issue is still there:
root@hankostroj:# gpgv --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-maintainers.gpg .dsc
gpgv: nelze otevřít ` .dsc'
gpgv: verify signatures failed: chyba při otvírání souboru
I found no .dsc file in /usr/share/keyrings/
but now:
root@hankostroj:# dpkg-query -l ' debian keyring*'
Požadované=Neznámé/Instalovat/Odinstalovat/Vyčistit/Podržet
| Stav=Ne/Instalován/Konfigurační soubory/Rozbalen/Nezkonfigurován/Nekompletní
| instalace/Očekávané spouštěče/Nevyřízené spouštěče
|/ Chyba?=(nic)/Nutná přeinstalace (Stav,Chyba: velké písmeno=chyba)
||/ Název                    Verze             Architektura      Popis
+++-========================-=================-=================-=====================================================
ii  debian-archive-keyring   2014.3            all               GnuPG archive keys of the Debian archive
ii  debian-keyring           2015.04.10        all               GnuPG keys of Debian Developers and Maintainers
I'm on ascii (the equivalent of Testing); 'debian-keyring' is version 2016.09.04.
$ dpkg -L debian-keyring
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/debian-keyring
/usr/share/doc/debian-keyring/NEWS.Debian.gz
/usr/share/doc/debian-keyring/README.gz
/usr/share/doc/debian-keyring/changelog.gz
/usr/share/doc/debian-keyring/changelog.old.gz
/usr/share/doc/debian-keyring/copyright
/usr/share/keyrings
/usr/share/keyrings/debian-keyring.gpg
/usr/share/keyrings/debian-maintainers.gpg
/usr/share/keyrings/debian-nonupload.gpg
/usr/share/keyrings/debian-role-keys.gpg
I am sorry for the late response, this is not my primary machine. I am running Jessie here.
dpkg -L debian-keyring
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/debian-keyring
/usr/share/doc/debian-keyring/copyright
/usr/share/doc/debian-keyring/changelog.old.gz
/usr/share/doc/debian-keyring/changelog.gz
/usr/share/doc/debian-keyring/README.gz
/usr/share/doc/debian-keyring/NEWS.Debian.gz
/usr/share/keyrings
/usr/share/keyrings/debian-role-keys.gpg
/usr/share/keyrings/debian-keyring.pgp
/usr/share/keyrings/debian-keyring.gpg
/usr/share/keyrings/debian-maintainers.gpg
/usr/share/keyrings/debian-nonupload.gpg
No LSB modules are available.
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 1.0 (jessie)
Release:	1.0
Codename:	jessie
apt show debian-keyring
Package: debian-keyring
Version: 2015.04.10
Installed-Size: 58,0 MB
Maintainer: Debian Keyring Maintainers firstname.lastname@example.org
Replaces: debian-maintainers
Provides: debian-maintainers
Recommends: gnupg (>= 1.0.6-4)
Conflicts: debian-maintainers
Homepage: http://keyring.debian.org/
Tag: role::app-data, security::authentication, suite::debian
Section: misc
Priority: optional
Download-Size: 52,4 MB
APT-Manual-Installed: yes
APT-Sources: http://auto.mirror.devuan.org/merged/ jessie/main i386 Packages
Description: GnuPG keys of Debian Developers and Maintainers
I have just updated the instructions for verification in my report as it obviously only checks the .dsc file, which is pointless if you don't then make sure the archive hashes are alright.