Opened 7 years ago

Closed 7 years ago

Last modified 5 months ago

#5787 closed defect (invalid)

deb.torproject.org-keyring.gpg name is broken for debian gnupg

Reported by: unknown Owned by: phobos
Priority: Medium Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords:
Cc: weasel Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

After install
pool/main/d/deb.torproject.org-keyring/deb.torproject.org-keyring_2012.02.17_all.deb
and add following line to ~/.gnupg/gpg.conf:

keyring /usr/share/keyrings/deb.torproject.org-keyring.gpg

I've got error after any gpg operation, gpg --list-keys for example:

gpg: [don't know]: invalid packet (ctb=2d)

gpg: keydb_search_next failed: invalid packet

Any other keyrings included in gpg.conf works fine.

The problem can be easy solved with strings like this:

keyring /usr/share/keyrings/deb\.torproject\.org-keyring.gpg

Keyring file for Debian-Squeeze must be renamed to one dot at the end of name format and repacked to new .deb. Or this notice should be placed in the https://www.torproject.org/docs/debian-vidalia.html.en

Gnupg v.1 used in Squeeze for apt packaging:

gpg --version
gpg (GnuPG) 1.4.10

Child Tickets

Change History (11)

comment:1 Changed 7 years ago by phobos

The keyring is designed to be used with apt-key, not gpg per se.

comment:2 Changed 7 years ago by unknown

Nothing wrong with this. I propose just changing filename like for any other keyring in /usr/share/keyrings. The are only in *.gpg format without additional dots:

debian-archive-keyring.gpg
debian-edu-archive-keyring.gpg
debian-keyring.gpg
debian-maintainers.gpg
debian-nonupload.gpg
debian-ports-archive-keyring-removed.gpg
debian-ports-archive-keyring.gpg
debian-role-keys.gpg
emdebian-archive-keyring.gpg

comment:3 Changed 7 years ago by unknown

The keyring is designed to be used with apt-key, not gpg per se.

Checking TBB archive currently not packaged in .deb is another option and one time this package was signed not with Erinn key and from another developers.

comment:4 Changed 7 years ago by unknown

I check signatures verification for TBB again. Keyring renaming or dots backslashing not solving the problem. Will be better to change format of the keyring to use not only with apt-key.

comment:5 Changed 7 years ago by phobos

Component: WebsiteTor bundles/installation

comment:6 Changed 7 years ago by arma

Cc: weasel added

weasel, do you have an opinion on this one? Apparently the keyring in our deb is formed differently than the keyring for other debs?

comment:7 Changed 7 years ago by weasel

As Andrews has said, the purpose of this keyring is for apt verifying our debian repository. It won't help for verifying TBBs. I see no need to change anything here.

comment:8 Changed 7 years ago by unknown

I can confirm that the problem is still exist.

the purpose of this keyring is for apt verifying our debian repository. It won't help for verifying TBBs

I understand your position. Is it fundamentally hard to improve a usability of the keyring? I can use any other keyring as first "bridge of trust" from my Debian system core key to additional packages and to they developers from any projects without any problem. Like to see this possibility for Torproject keyring too. This is desirable for Linux users to get correct trusted copy of TBB at first time (from mirrors or torrents, for examle) in the case of blocked/censored Torproject.org resource.

comment:9 in reply to:  8 Changed 7 years ago by weasel

Replying to unknown:

I understand your position. Is it fundamentally hard to improve a usability of the keyring? I can use any other keyring as first "bridge of trust" from my Debian system core key to additional packages and to they developers.

You can't use it because the keyring doesn't have the keys you would need for that.

comment:10 Changed 7 years ago by unknown

After temporarily removing pubring.gpg and include any keyring to gpg.conf, gpg --list-keys shows me the content of included keyrings with developers keys for any project. See http://deb-multimedia.org for example.

After including deb.torproject.org-keyring.gpg it display me only an errors and makes gpg unusable.

What is the reason to compose torproject-keyring in that strange and unconventional way?

comment:11 Changed 7 years ago by weasel

Resolution: invalid
Status: newclosed
Note: See TracTickets for help on using tickets.