Opened 4 years ago

Closed 2 years ago

#17555 closed defect (fixed)

Uninstalling deb.torproject.org-keyring doesn't remove the key

Reported by: ageisp0lis Owned by:
Priority: Medium Milestone:
Component: Core Tor/Tor Version:
Severity: Normal Keywords: debian
Cc: weasel Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I found this bug in the process of forking Tor's repository keyring package for a similar use case by one of the other projects I contribute to.

The prerm hooks in the source for the package don't actually remove the key, so if you uninstall deb.torproject.org-keyring, the signing key will still be trusted by the system, and not removed from /etc/apt/trusted.gpg.

The problem is in debian/prerm, line 8: the 'apt-key del' command does not work with a full fingerprint. It only work using an 8-character key ID (this behavior is totally wack, and I will be reporting it to the maintainers of apt and Debian).

'apt-key del', when provided with a full key fingerprint, still even outputs 'OK', which is also crazy. But if you run 'apt-key list' afterward you'll find that the key is indeed still there.

Until this issue is addressed upstream, you might want the prerm hook for this package to reference the short key ID instead.

https://gitweb.torproject.org/debian/torproject-keyring.git/tree/debian/prerm

Child Tickets

Change History (6)

comment:1 Changed 4 years ago by ageisp0lis

There is already a Debian bug for this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754436

The issue was fixed in apt/1.1~exp4, which has not made it into a release yet.

comment:2 Changed 4 years ago by cypherpunks

Component: - Select a componentTor

I changed the component so this is back on the radar (maybe it's even fixed?).

However, i was unsure which component to file it under as there is a RPM packaging component but no DEB packaging component.

comment:3 Changed 4 years ago by nickm

Cc: weasel added

Adding weasel to cc; can you comment on status and (probably) close this one as a duplicate of the debian issue?

comment:4 Changed 3 years ago by nickm

Keywords: debian added

comment:5 Changed 3 years ago by nickm

Milestone: Tor: unspecified

comment:6 Changed 2 years ago by nickm

Milestone: Tor: unspecified
Resolution: fixed
Status: newclosed

I see above that it looks like this was indeed fixed in debian, but please reopen if not.

Note: See TracTickets for help on using tickets.