Kernel Source package signature signed with unknown key 0x92D284CF33C66596

5 replies
jah
Offline
Joined: 05/04/2015

Two things I don't understand:-

1) Why does apt-get source fetch a different source package to the one named in the arg?
2) Why can't key 0x92D284CF33C66596 be found?

$ apt-get source linux-image-3.13.0-76-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
Picking 'linux' as source package instead of 'linux-image-3.13.0-76-generic'
...
Need to get 124 MB of source archives.
Get:1 http://es.archive.trisquel.info/trisquel/ belenos-updates/main linux 3.13.0-77.121+7.0trisquel2 (dsc) [7,481 B]
Get:2 http://es.archive.trisquel.info/trisquel/ belenos-updates/main linux 3.13.0-77.121+7.0trisquel2 (tar) [124 MB]
Fetched 124 MB in 2min 3s (1,008 kB/s)
gpgv: Signature made Tue 02 Feb 2016 00:43:48 GMT using RSA key ID 33C66596
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux_3.13.0-77.121+7.0trisquel2.dsc
dpkg-source: info: extracting linux in linux-3.13.0
dpkg-source: info: unpacking linux_3.13.0-77.121+7.0trisquel2.tar.gz

$ gpg2 --verify linux_3.13.0-77.121+7.0trisquel2.dsc
gpg: Signature made Tue 02 Feb 2016 00:43:48 GMT
gpg: using RSA key 0x92D284CF33C66596
gpg: Can't check signature: No public key

$ torsocks gpg2 --keyserver jirk5u4osbsr34t5.onion --recv-keys 0x92D284CF33C66596
gpg: requesting key 0x92D284CF33C66596 from hkp server jirk5u4osbsr34t5.onion
gpgkeys: key 92D284CF33C66596 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
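
The gpgv and gpg2 output above reports a missing public key, which is a different result from a bad signature, and dpkg-source still unpacked the tree. As an added example (not part of the original post), this shell function classifies GnuPG's machine-readable `--status-fd` lines; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the machine-readable status that gpgv emits with
# --status-fd, so a script can tell "cannot verify" from "verified" or "forged".
# classify_sig_status is a hypothetical helper name, not part of GnuPG or dpkg.

classify_sig_status() {
    # Reads "[GNUPG:] ..." status lines on stdin, prints one verdict word.
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1; key = $3 }
        $2 == "VALIDSIG"  { valid = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" || $2 == "EXPSIG" { stale = 1 }
        END {
            if (bad)        print "bad-signature"
            else if (nokey) print "unverifiable-missing-key " key
            else if (stale) print "untrusted-expired-or-revoked"
            else if (valid) print "good"
            else            print "no-signature-data"
        }'
}

# Constructed sample: the failure from the post as it would appear on the status fd.
sample_missing_key() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG 92D284CF33C66596 1 8 01 1454373828 9' \
        '[GNUPG:] NO_PUBKEY 92D284CF33C66596'
}

# Constructed sample: a verified signature (key ID and fingerprint are placeholders).
sample_good() {
    printf '%s\n' \
        '[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>' \
        '[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2016-02-02 1454373828'
}

# Real use (needs gpgv and a keyring you trust; the keyring path is an assumption):
#   gpgv --status-fd 1 --keyring /path/to/trusted.gpg file.dsc 2>/dev/null | classify_sig_status
# dpkg-source also accepts --require-valid-signature to refuse unpacking in this case.

sample_missing_key | classify_sig_status
sample_good | classify_sig_status
```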

jxself
Offline
Joined: 09/13/2010

1) Why does apt-get source fetch a different source package to the one named in the arg?

Because the name of the source package is usually not the name of the binary package. And one source package could result in many binary packages. For example, when searching for packages on http://packages.trisquel.info/ this is why you have the option to search for "source package names."

Or why, when viewing a binary package, there is a link to the (differently named) source package. For example: Notice how http://packages.trisquel.info/belenos/emacs has a link called: [ Source: emacs-defaults ] in the upper left.

So when you use apt-get source you should be plugging in the name of the source package but it seems smart enough to figure out the proper thing when you don't. :)
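
The binary-to-source mapping described in the answer above is recorded in the `Source:` field of each binary package's index stanza. As an added example (not part of the original reply), this shell function resolves it, including the case where the field is absent because both names match; the function names, the version in parentheses and the `hello` stanza are constructed.

```shell
#!/bin/sh
# Added example: resolve a binary package name to its source package by reading
# the "Source:" field of a Packages-style stanza.
# source_of and sample_packages are hypothetical names; the stanzas are constructed.

sample_packages() {
    cat <<'EOF'
Package: linux-image-3.13.0-76-generic
Source: linux
Architecture: amd64

Package: emacs
Source: emacs-defaults (1.0)
Architecture: all

Package: hello
Architecture: amd64
EOF
}

source_of() {
    # $1 = binary package name; stanzas on stdin. Prints the source package name.
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }           # paragraph mode: one stanza per record
        {
            pkg = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) pkg = substr($i, 10)
                if ($i ~ /^Source: /)  src = substr($i, 9)
            }
            if (pkg != want) next
            sub(/ *\(.*$/, "", src)            # drop an optional "(version)" suffix
            print (src == "" ? pkg : src)      # no Source field: names are identical
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

sample_packages | source_of linux-image-3.13.0-76-generic
sample_packages | source_of emacs
sample_packages | source_of hello
```

On a real system the same stanzas come from `apt-cache show <package>`, which can be piped into `source_of <package>`.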

jah
Offline
Joined: 05/04/2015

Thanks @jxself, good explanation.

Is there a standard procedure for reporting the fact that the package downloaded by `apt-get source linux` (linux_3.13.0-77.121+7.0trisquel2) is signed with a key (0x92D284CF33C66596) for which no public cert appears to be available?
