Control: reassign -1 gpgv

On Tue, Aug 06, 2019 at 02:22:00PM -0400, timeless wrote:
> Package: apt
> Version: 1.8.2
> Tags: minor
>
> I had manually used
> ```
> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 96B3EE5F29111145 \
>   || curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x96B3EE5F29111145" \
>   | apt-key add -
> ```
>
> (For reference, the equivalent content is available from:
> https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/9885e188a10e30088813c32270f05f7583875619/so-setup-network.sh#L638-L689
> )
> which adds a key to `/etc/apt/trusted.gpg` -- I did this a while ago.
>
> The key I had for this has expired:
>
> ```
> apt-get update
> ...
> Err:11 https://packages.wazuh.com/3.x/apt stable InRelease
>   The following signatures were invalid: EXPKEYSIG 96B3EE5F29111145 Wazuh.com (Wazuh Signing Key) <[email protected]>
> ```
>
> ** It would have been somewhat helpful if the message said "expired"
> instead of "invalid".
>
> I went and checked (or could have checked):
> ```
> apt-key list
> /etc/apt/trusted.gpg
> --------------------
> ...
> pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
>       0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
> uid           [ expired] Wazuh.com (Wazuh Signing Key) <[email protected]>
> ...
> ```
>
> I ran:
> ```
> curl https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo tee /etc/apt/trusted.gpg.d/wazuh.asc
> apt-get update
> ```
>
> And I still got a complaint about EXPKEYSIG for 96B3EE5F29111145
>
> ```
> apt-key list
> /etc/apt/trusted.gpg
> --------------------
> ...
> pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
>       0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
> uid           [ expired] Wazuh.com (Wazuh Signing Key) <[email protected]>
> ...
>
> /etc/apt/trusted.gpg.d/wazuh.asc
> --------------------------------
> pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
>       0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
> uid           [ unknown] Wazuh.com (Wazuh Signing Key) <[email protected]>
> sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
> ```
>
> Expected results:
> If a key exists twice, once w/ an old expiry, and once w/ a newer expiry,
> accept the newer expiry.
> Alternatively, if a key exists twice, w/ different expiries and apt really
> doesn't want to deal w/ it, it should explain about the mismatch (apt-key
> list didn't complain that I had two keys for the same key w/ different
> expiration dates).

apt has no knowledge about your available keys - all key files (or
specified ones) are concatenated and passed as a keyring to gpgv. gpgv
then tells us which keys signed data and if they are valid.

>
> For reference, I can trigger it w/ deterministic file names like:
> ```
> apt-key list
> /etc/apt/trusted.gpg
> --------------------
> pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
>       067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
> uid           [ unknown] Debian Stable Release Key (9/stretch) <[email protected]>
>
> /etc/apt/trusted.gpg.d/000-wazuh-expired.asc
> --------------------------------------------
> pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
>       0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
> uid           [ expired] Wazuh.com (Wazuh Signing Key) <[email protected]>
>
> pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
>       0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
> uid           [ unknown] Wazuh.com (Wazuh Signing Key) <[email protected]>
> sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
>
> /etc/apt/trusted.gpg.d/001-wazuh-updated.asc
> --------------------------------------------
> pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
>       0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
> uid           [ unknown] Wazuh.com (Wazuh Signing Key) <[email protected]>
> sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
> ```
>
> Note: it's possible to use `apt-key del 96B3EE5F29111145`, but this
> unfortunately also deleted my updated key, which was slightly frustrating.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
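The reply above describes the mechanism: apt concatenates the trusted keyring files and hands them to gpgv, and `apt-key list` prints each file's keys without cross-checking them against each other, which is why an expired copy of a key in `trusted.gpg` can sit unnoticed beside a refreshed copy in `trusted.gpg.d/`. The script below is an added example, not part of apt, gpgv or the bug thread, of the check the reporter wished for: it parses the human-readable `apt-key list` output format quoted in the report (keyring path, dashed underline, then `pub`, fingerprint and `uid` lines) and flags every fingerprint that is listed more than once with different expiry data, naming the files involved. The sample input is constructed from the listing in the thread; the e-mail addresses in it are placeholders.

```python
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the `apt-key list` output quoted in the bug
# report; the e-mail addresses are placeholders, the fingerprints and dates are
# the ones shown in the thread.
SAMPLE_APT_KEY_LIST = """\
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <release@example.invalid>

/etc/apt/trusted.gpg.d/000-wazuh-expired.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@example.invalid>

pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@example.invalid>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]

/etc/apt/trusted.gpg.d/001-wazuh-updated.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099 5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@example.invalid>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
"""

# `pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]`; the expiry bracket is optional.
PUB_RE = re.compile(
    r"^pub\s+\S+\s+(?P<created>\d{4}-\d{2}-\d{2})\s+\[[^\]]*\]"
    r"(?:\s+\[(?P<state>expires|expired):\s*(?P<expiry>\d{4}-\d{2}-\d{2})\])?"
)
# Indented fingerprint line: ten groups of four hex digits.
FPR_RE = re.compile(r"^\s+((?:[0-9A-Fa-f]{4}\s?){10})\s*$")
# `uid           [ expired] Name <addr>`
UID_RE = re.compile(r"^uid\s+\[\s*(?P<validity>\w+)\s*\]\s*(?P<uid>.*?)\s*$")


def parse_apt_key_list(text):
    """Return one dict per `pub` entry with keyring, fingerprint and expiry data."""
    lines = text.splitlines()
    entries, keyring, current = [], None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A keyring header is a path immediately underlined by a row of dashes.
        if line.startswith("/") and nxt and set(nxt) == {"-"}:
            keyring = line.strip()
            continue
        m = PUB_RE.match(line)
        if m:
            current = {"keyring": keyring, "created": m.group("created"),
                       "state": m.group("state") or "no-expiry",
                       "expiry": m.group("expiry"),
                       "fpr": None, "uid": None, "validity": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FPR_RE.match(line)
        if m and current["fpr"] is None:
            current["fpr"] = re.sub(r"\s+", "", m.group(1)).upper()
            continue
        m = UID_RE.match(line)
        if m and current["uid"] is None:
            current["uid"], current["validity"] = m.group("uid"), m.group("validity")
    return entries


def find_conflicts(entries):
    """Map fingerprint -> entries for keys listed more than once with differing expiry."""
    by_fpr = defaultdict(list)
    for e in entries:
        if e["fpr"]:
            by_fpr[e["fpr"]].append(e)
    return {fpr: group for fpr, group in by_fpr.items()
            if len(group) > 1 and len({(e["state"], e["expiry"]) for e in group}) > 1}


def report(text):
    """Print a summary of conflicting duplicates and return them for further use."""
    conflicts = find_conflicts(parse_apt_key_list(text))
    for fpr, group in conflicts.items():
        print(f"Key {fpr} appears {len(group)} times with different expiry data:")
        for e in group:
            print(f"  {e['keyring']}: {e['state']} {e['expiry'] or ''} "
                  f"(uid validity: {e['validity']})")
    if not conflicts:
        print("No duplicate keys with conflicting expiry found.")
    return conflicts


if __name__ == "__main__":
    # Pipe real output in with `apt-key list 2>/dev/null | python3 this.py`,
    # or run without input to check the constructed sample.
    report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APT_KEY_LIST)
```

On the sample the script reports the Wazuh fingerprint three times across `000-wazuh-expired.asc` and `001-wazuh-updated.asc`, once as expired and twice as current, while the Debian release key, present only once, is not reported. The check is deliberately on the listing rather than on the keyrings themselves, so it can be run as a read-only audit on any machine where an expired copy may be masking a refreshed key.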

