X2Go Bug report logs - #1401
Update GPG key bootstrapping instructions for Debian

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: "Daniel Ullrich" <store@posteo.de>

Date: Sat, 24 Aug 2019 02:40:02 UTC

Severity: normal

Done: Mihai Moldovan <ionic@ionic.de>

Bug is archived. No further changes may be made.

Full log

🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#1401 closed by Mihai Moldovan <ionic@ionic.de> (Re: Bug#1401:
 PGP-Key is not available on keyservers for debian buster)
Message-ID: <handler.1401.b1401.15683101145693.notifdone@bugs.x2go.org>
References: <fdea0ea1-26f8-1492-a305-90f8230bad07@ionic.de>
X-X2go-PR-Message: they-closed 1401
X-X2go-PR-Package: packages.x2go.org
Date: Thu, 12 Sep 2019 17:45:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1568310302-6601-0"

[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the packages.x2go.org package:

#1401: Update GPG key bootstrapping instructions for Debian

It has been closed by Mihai Moldovan <ionic@ionic.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mihai Moldovan <ionic@ionic.de> by
replying to this email.


-- 
1401: bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1401
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems

[Message part 2 (message/rfc822, inline)]
From: Mihai Moldovan <ionic@ionic.de>
To: 1401@bugs.x2go.org
Subject: Re: Bug#1401: PGP-Key is not available on keyservers for debian buster
Date: Thu, 12 Sep 2019 19:40:40 +0200
[Message part 3 (text/plain, inline)]
Control: reassign wiki.x2go.org
Control: retitle -1 Update GPG key bootstrapping instructions for Debian
Control: close -1


* On 8/24/19 7:06 PM, Mihai Moldovan wrote:
> Control: reassign -1 packages.x2go.org
> 
> 
>> N: An update from such a repository cannot be done in a secure way, so
>> it is disabled by default.
> 
> The x2go-keyring package is available for Debian buster, includes the required
> key file and should work just fine.
> 
> However, newer apt versions will disallow downloading from an untrusted repository.
> 
> In order to actually install the keyring package, try running something like:
> sudo apt-get --allow-unauthenticated install x2go-keyring
> 
> Afterwards, sudo apt update should not return an error again. Do not use the
> --allow-unauthenticated flag without understanding its implications.

That wasn't correct - at least not completely. --allow-unauthenticated should
work for package installations, but not for downloading repository metadata.

To allow apt to work with unauthenticated repository metadata, users would need
to use something like:
apt-get update --allow-insecure-repositories

This said: this is totally risky, now and later. Installing packages from an
unauthenticated repository doesn't give apt any chance to check the origin. A
successful Man-in-the-Middle attack is very likely in such a scenario. Worse,
even after the initial bootstrap, all subsequent operations and packages from
such a repository could still be malicious.


I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with
this information, big fat warning signs and explanations.

**Users should always bootstrap with the currently valid GPG key and then
install the x2go-keyring package from the validated X2Go repository location!**


Closing up here.



Mihai


[signature.asc (application/pgp-signature, attachment)]
[Message part 5 (message/rfc822, inline)]
From: "Daniel Ullrich" <store@posteo.de>
To: submit@bugs.x2go.org
Subject: PGP-Key is not available on keyservers for debian buster
Date: Sat, 24 Aug 2019 02:36:24 +0000
[Message part 6 (text/plain, inline)]
Package: complete x2go repo
version: none

sudo apt update
The following signatures could not be verified because their public key 
is not available: NO_PUBKEY E1F958385BFE2B6E
W: GPG error: http://packages.x2go.org/debian buster InRelease: The 
following signatures could not be verified because their public key is 
not available: NO_PUBKEY E1F958385BFE2B6E
E: The depot "http://packages.x2go.org/debian buster InRelease" is not 
signed.
N: An update from such a repository cannot be done in a secure way, so 
it is disabled by default.
N: See the apt-secure(8) manual page for more details on package vault 
creation and user configuration.

sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys 
--keyserver keys.gnupg.net E1F958385BFE2B6E
gpg: Received from key server failed: The waiting time for the 
connection has expired.

x2go-keyring package is not available for debian buster => would solve 
this issue!
[Message part 7 (text/html, inline)]

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Apr 18 20:33:56 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.