Debootstrap error release file signed by unknown key

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: debootstrap
Version: 1.0.44

Running debootstrap on Gentoo (where the latest version available is
1.0.44) via 'lxc-create' (to generate an LXC guest environment) I
receive the unhelpful error:

 E: Release signed by unknown key (key id 64481591B98321F9)

I believe that this is possibly/probably because the key validity has
expired, and the Gentoo package's included keyring is no longer fresh.
That's fine and a reported bug at
https://bugs.gentoo.org/show_bug.cgi?id=387565

The issue I am reporting here is that *the error itself is not very
helpful*, specifically at identifying the keyring that requires
maintenance.

Given that:
 (a) There are multiple potential keyring paths acknowledged within
the debootstrap source
 (b) This tool is largely useful on other distributions that, like
gentoo, may understandable modify the keyring path
 (c) This tool is often going to be executed deep within automated
processes (eg. for continuous integration / automated testing, etc.)

It makes sense to extend the output of the error to something more
verbose that includes the keyring path and saves people wasted time
digging.

Two pieces of information should ideally be made available:
 1. The path to the keyring itself
 2. A debian (security/release team?) URL that may be used in third
party distro scripts to validate/update the current/expected signing
key IDs (I suppose, on a per-release basis), which as far as I can
tell does not presently exist in a simple list/automateable fashion
(though data is available in a not-well-documented form @
'active-keys/' in the tarball at
http://packages.debian.org/source/squeeze/debian-archive-keyring). For
the moment the URL could be
http://www.debian.org/doc/manuals/securing-debian-howto/ch7#s7.5.3.6
... to allow users to resolve the issue without relying on (probably
out of date) third-party distros' packages.  That URL should probably
be updated with a more useful line for people without debian (and
therefore apt-key installed), like:

  gpg --no-default-keyring --keyring
/usr/share/keyrings/debian-archive-keyring.gpg --keyserver
pgpkeys.mit.edu --recv-key 64481591B98321F9
 (Acknowledgement: command line built from post @
https://groups.google.com/forum/?fromgroups=#!topic/linux.debian.bugs.dist/tKv7EYb1HkE
)

 3. In addition, that URL's year-based-path solution appears no longer
valid (at least for 2013).

For reference purposes, the MD5 checksum of my
Gentoo-debootstrap-package-installed keyring prior to manual addition
of the key in question was d091e2e61800b3e5d65f956e05a42f36

PS. Apologies for the verbosity and not splitting the bugs (re: points
2 and 3 above) -- I am not normally a Debian/Ubuntu user and don't
have enough familiarity with project structure to do this efficiently.
Hopefully someone can deal with this on my behalf.

Message #8 received at 698677-submitter@bugs.debian.org (full text, mbox, reply):

control: tags -1 +patch

Hi,

On Tue, 22 Jan 2013 13:00:02 +0800 Walter <walter.stanish@gmail.com> wrote:
> It makes sense to extend the output of the error to something more
> verbose that includes the keyring path and saves people wasted time
> digging.

 Okay, how about below error message?

$ sudo debootstrap --keyring /usr/share/keyrings/notfound.gpg sid sid 
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id 7638D0442B90D010)
   Maybe specified keyring /usr/share/keyrings/notfound.gpg is wrong or outdated, please check it
   You can find latest Debian release key at https://ftp-master.debian.org/keys.html


 Patch is below.

> diff --git a/functions b/functions
> index b780488..69ad423 100644
> --- a/functions
> +++ b/functions
> @@ -1494,7 +1494,7 @@ read_gpg_status () {
>         elif [ "$badsig" ]; then
>                 error 1 BADRELSIG "Invalid Release signature (key id %s)" "$badsig"
>         elif [ "$unkkey" ]; then
> -               error 1 UNKNOWNRELSIG "Release signed by unknown key (key id %s)" "$unkkey"
> +               error 1 UNKNOWNRELSIG "Release signed by unknown key (key id %s)n   Maybe specified keyring $KEYRING is wrong or outdated, please check itn   You can find latest Debian release key at https://ftp-master.debian.org/keys.html" "$unkkey"
>         else
>                 error 1 SIGCHECK "Error executing gpgv to check Release signature"
>         fi

 # However, it doesn't treat derivative distros like Ubuntu
   as limitation.

Message #15 received at 698677-quiet@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

It looks like a reasonable fix, however I would improve the English as
follows.

"The specified keyring $KEYRING may be incorrect or out of date."

and

"You can find the latest Debian release key at ..."

Thanks,
Walter

On 19 March 2018 at 21:15, Hideki Yamane <henrich@iijmio-mail.jp> wrote:

> control: tags -1 +patch
>
> Hi,
>
> On Tue, 22 Jan 2013 13:00:02 +0800 Walter <walter.stanish@gmail.com>
> wrote:
> > It makes sense to extend the output of the error to something more
> > verbose that includes the keyring path and saves people wasted time
> > digging.
>
>  Okay, how about below error message?
>
> $ sudo debootstrap --keyring /usr/share/keyrings/notfound.gpg sid sid
> I: Retrieving InRelease
> I: Checking Release signature
> E: Release signed by unknown key (key id 7638D0442B90D010)
>    Maybe specified keyring /usr/share/keyrings/notfound.gpg is wrong or
> outdated, please check it
>    You can find latest Debian release key at
> https://ftp-master.debian.org/keys.html
>
>
>  Patch is below.
>
> > diff --git a/functions b/functions
> > index b780488..69ad423 100644
> > --- a/functions
> > +++ b/functions
> > @@ -1494,7 +1494,7 @@ read_gpg_status () {
> >         elif [ "$badsig" ]; then
> >                 error 1 BADRELSIG "Invalid Release signature (key id
> %s)" "$badsig"
> >         elif [ "$unkkey" ]; then
> > -               error 1 UNKNOWNRELSIG "Release signed by unknown key
> (key id %s)" "$unkkey"
> > +               error 1 UNKNOWNRELSIG "Release signed by unknown key
> (key id %s)n   Maybe specified keyring $KEYRING is wrong or outdated,
> please check itn   You can find latest Debian release key at
> https://ftp-master.debian.org/keys.html" "$unkkey"
> >         else
> >                 error 1 SIGCHECK "Error executing gpgv to check Release
> signature"
> >         fi
>
>  # However, it doesn't treat derivative distros like Ubuntu
>    as limitation.
>

[Message part 2 (text/html, inline)]

Message #21 received at 698677-submitter@bugs.debian.org (full text, mbox, reply):

On Tue, 20 Mar 2018 07:33:24 +0800
Walter <walter.stanish@gmail.com> wrote:
> It looks like a reasonable fix, however I would improve the English as
> follows.
> 
> "The specified keyring $KEYRING may be incorrect or out of date."
> 
> and
> 
> "You can find the latest Debian release key at ..."

 Thanks! I'll update it with your suggestion :)


-- 
Regards,

 Hideki Yamane     henrich @ debian.org/iijmio-mail.jp

Message #28 received at 698677-close@bugs.debian.org (full text, mbox, reply):

Source: debootstrap
Source-Version: 1.0.97

We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698677@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Apr 2018 11:06:32 +0900
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.97
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description:
 debootstrap - Bootstrap a basic Debian system
 debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 698677 826709 844118 866401 872059 872577 872948 890419 893954 895466
Changes:
 debootstrap (1.0.97) unstable; urgency=medium
 .
   [ Dan Nicholson ]
   * Handle existing /dev (Closes: #872577)
 .
   [ Hideki Yamane ]
   * Create /dev/console as same as previous (Closes: #872059)
   * Do not ignore HTTPS mirror setting (Closes: #893954)
   * Improve manpage "what is calls a Debian base system" (Closes: #872948)
     Thanks to Emmanuel Kasper <manu@debian.org> for the patch
   * Improve error message when download fails (Closes: #866401)
     Thanks to Raphaël Hertzog <hertzog@debian.org> for the patch
   * Use wget --non-verbose option instead of --quiet
   * Improve error message on Release signed by unknown key (Closes: #698677)
   * Add --cache-dir feature (Closes: #844118)
     It is enabled by default and use /var/cache/apt/archives as default value
 .
   [ Adam Borowski ]
   * Use arch-test if installed to check whether second stage is possible.
     (Closes: #826709)
 .
   [ Lubomir Rintel ]
   * Fix boostrapping libvirt LXC containers (Closes: #890419)
 .
   [ Raphaël Hertzog ]
   * Use "command -v apt-config" to check for apt-config's presence
     (Closes: #895466)
   * Drop default value for --cache-dir parameter
   * Forbid the usage of non-empty directories with --print-debs and
     --make-tarball
   * Do not use HTTPS for Kali bootstrap script
Checksums-Sha1:
 dec58e328c8ca5a62ed929cba1323a21d053c960 1991 debootstrap_1.0.97.dsc
 ff4d6b40efebbbf14c33445419e8e264cf4c04c8 71121 debootstrap_1.0.97.tar.gz
 c2d21436e905fc28eb141fd25542c1d1d748f003 20556 debootstrap-udeb_1.0.97_all.udeb
 5eba09250171942f0b7483759285c85c24e82e74 69060 debootstrap_1.0.97_all.deb
 5cf71f8a36c995632a5d7ae31320941c907b56fa 5766 debootstrap_1.0.97_amd64.buildinfo
Checksums-Sha256:
 9b0dc362f97976833c1f148d00933c85a0095525885ad1a6845e81671d4aabdd 1991 debootstrap_1.0.97.dsc
 d3e6bef403dbabade11d098214030d5063c6b238d3751b159f727af7556c5cf0 71121 debootstrap_1.0.97.tar.gz
 b4f377d7e40b5128271dca859d924e79c36fc7d1c86408f91a474ad2c669f6e9 20556 debootstrap-udeb_1.0.97_all.udeb
 0177ffecea5cc1a42084ae02a44d8e902a086577cefc00194b983fd7f3d802a7 69060 debootstrap_1.0.97_all.deb
 c9d57dd2f298f41fd5d56badca0d88898b8797e7b5755db1b62e7b14cf99af02 5766 debootstrap_1.0.97_amd64.buildinfo
Files:
 355d536a46a764b9f798e977ffdf0acf 1991 admin optional debootstrap_1.0.97.dsc
 856379c44f4cec4be4071a91e061aafd 71121 admin optional debootstrap_1.0.97.tar.gz
 11ae2cd66f0ec42d94edda0a876fcb5a 20556 debian-installer optional debootstrap-udeb_1.0.97_all.udeb
 e1844d1cfb966c00101048bb9285f002 69060 admin optional debootstrap_1.0.97_all.deb
 e1d959b6ca11fbca1d18a15bb9403248 5766 admin optional debootstrap_1.0.97_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEWOEiL5aWyIWjzRBMXTKNCCqqsUAFAlrVWFQTHGhlbnJpY2hA
ZGViaWFuLm9yZwAKCRBdMo0IKqqxQC1GD/9n8XmploJvPpi6CI0uFgBAwAHXOHZN
VRfdq/LmZBisF1Dw3cg1sPTy3JltrjCQjeVXOdPC5syz0ap5mJVKi6CdO8Yo+21+
dKqvb9WZOCJjQFVRoS7l/Vzto1wXwI80ylH5CNCNOmJnw7WLiKZZ8cKN+mh3CA4S
6iXZymu6Wz7BRaQa2LWVrpq/ygJpmqyt/tdzsFh5s621vEcsTUnxEokHoW9abzVF
FzWt9Dc8Ipn5iv+HeMdsQctwcWIbytfcchHLPlajeVP7alD7vFvQxan7jEFON4Tn
RRzkCfl7UKZHMHwrxYhchGYFg/c9qGM4sNu4wi6Aqo7KfogGhM/yXiSAcm4x6KZh
/nZ88IvuxRbqm7SfUOaw0eTby4d5L01PkMUopwFTLgg1YkaPe3eJhYnmzMHE1yEC
pIo0cwZHB64I5UwK4/1EtG4sy27M4dSVyuHXAMMUKv39AxUiZShAM6kttmGzoDUc
8opGN6Ip1RiX62SExZFEQQUMoA0ByR96U8vZUFAcwHEPyI+iW4nnFkNEhasWtDBY
u9EbhGNmVKUGbywoyuF//FYyrXPF2LuCNHIA/0zwhjd5U8Jytx+U+gfOa8DC6k5O
tpej8BjuI+Ob/8Kr0+dg6uJ0MnU/7gtHjJCMQ+GMwRr8mPT2tsa+rftTOVVShQym
czgQ2K/mIbhlFw==
=caYw
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.