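When did apt, aptitude or apt-get start supporting the last two releases for migration purposes?
I was playing with my Debian installation today and found something interesting. If I do this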
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
    12D4 CD60 0C22 40A9 F4A8 2071 D7B0 B669 41D0 1538
uid [ unknown] riot.im packages <packages@riot.im>
sub rsa3072 2019-04-15 [S] [expires: 2021-04-14]

pub rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
    AAF9 AE84 3A75 84B5 A3E4 CD2B CF45 A512 DE2D A058
uid [ unknown] matrix.org packages <packages@matrix.org>
sub rsa3072 2019-04-15 [S] [expires: 2021-04-14]

pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
    E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
    D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
    80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
    5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
    6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
As I am using debian-buster, I was curious why it has the jessie and stretch keys. In the above, these are the two keys -
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
    E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
    D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
I removed them using -
$ sudo apt-key del E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
and also -
$ sudo apt-key del D21169141CECD440F2EB8DDA9D6D8F6BC857C906
When both keys were removed, I got public key errors
$ sudo apt update
Hit:1 http://cdn-fastly.deb.debian.org/debian buster InRelease
Err:1 http://cdn-fastly.deb.debian.org/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Hit:2 http://cdn-fastly.deb.debian.org/debian-security buster/updates InRelease
Err:2 http://cdn-fastly.deb.debian.org/debian-security buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY AA8E81B4331F7F50
Hit:3 http://cdn-fastly.deb.debian.org/debian unstable InRelease
Err:3 http://cdn-fastly.deb.debian.org/debian unstable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Hit:4 http://cdn-fastly.deb.debian.org/debian experimental InRelease
Err:4 http://cdn-fastly.deb.debian.org/debian experimental InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Hit:5 http://debug.mirrors.debian.org/debian-debug buster-debug InRelease
Err:5 http://debug.mirrors.debian.org/debian-debug buster-debug InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Hit:6 http://debug.mirrors.debian.org/debian-debug unstable-debug InRelease
Hit:7 http://debug.mirrors.debian.org/debian-debug experimental-debug InRelease
Err:6 http://debug.mirrors.debian.org/debian-debug unstable-debug InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Err:7 http://debug.mirrors.debian.org/debian-debug experimental-debug InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Hit:8 https://packages.riot.im/debian buster InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://cdn-fastly.deb.debian.org/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://cdn-fastly.deb.debian.org/debian-security buster/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY AA8E81B4331F7F50
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://cdn-fastly.deb.debian.org/debian unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://cdn-fastly.deb.debian.org/debian experimental InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debug.mirrors.debian.org/debian-debug buster-debug InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debug.mirrors.debian.org/debian-debug unstable-debug InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debug.mirrors.debian.org/debian-debug experimental-debug InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: Failed to fetch http://cdn-fastly.deb.debian.org/debian/dists/buster/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: Failed to fetch http://cdn-fastly.deb.debian.org/debian-security/dists/buster/updates/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY AA8E81B4331F7F50
W: Failed to fetch http://cdn-fastly.deb.debian.org/debian/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: Failed to fetch http://cdn-fastly.deb.debian.org/debian/dists/experimental/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: Failed to fetch http://debug.mirrors.debian.org/debian-debug/dists/buster-debug/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: Failed to fetch http://debug.mirrors.debian.org/debian-debug/dists/unstable-debug/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: Failed to fetch http://debug.mirrors.debian.org/debian-debug/dists/experimental-debug/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453E
My /etc/apt/sources.list is -
$ cat /etc/apt/sources.list
#### Debian buster #########
deb http://cdn-fastly.deb.debian.org/debian/ buster main contrib non-free
deb-src http://cdn-fastly.deb.debian.org/debian buster main contrib non-free
deb http://cdn-fastly.deb.debian.org/debian-security buster/updates main
deb-src http://cdn-fastly.deb.debian.org/debian-security buster/updates main
#### Debian unstable #########
deb http://cdn-fastly.deb.debian.org/debian unstable main contrib non-free
deb-src http://cdn-fastly.deb.debian.org/debian unstable main contrib non-free
#### Debian experimental #########
deb http://cdn-fastly.deb.debian.org/debian experimental main contrib
deb-src http://cdn-fastly.deb.debian.org/debian experimental main contrib
##### Debian Debug packages #######
deb http://debug.mirrors.debian.org/debian-debug/ buster-debug main
deb http://debug.mirrors.debian.org/debian-debug/ unstable-debug main
deb http://debug.mirrors.debian.org/debian-debug/ experimental-debug main
######## Third party repos #######
deb https://riot.im/packages/debian/ buster main
and I had to import them using gpg (I know it's not secure, but I had to do it) -
# gpg --recv-keys AA8E81B4331F7F50
gpg: key EDA0D2388AE22BA9: 11 signatures not checked due to missing keys
gpg: key EDA0D2388AE22BA9: public key "Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
and then -
# gpg --export AA8E81B4331F7F50 | apt-key add -
OK
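I am curious to know when apt started supporting the signatures of older releases alongside the latest keys. Is it a recent phenomenon or a really old one? I mean, was it done in Etch (4.0) or later?
Update - It started as a Stretch install, i.e. 9, and now has buster.
As for the other question, /etc/apt/trusted.gpg.d/ has -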
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
    80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
    5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
    6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
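The ftp-master signing of each release is described at ftp-master.debian.org:
Which release should be signed with which key?
Stable releases are signed by both the ftp-master automatic archive signing key in use at the time of the release and a per-release stable key. The Release files for other releases (proposed-updates, testing, testing-proposed-updates, unstable and experimental) are signed only by the ftp-master automatic key.
The security archive is signed only by the ftp-master key.
The current procedure is to have one ftp-master key per release (a previous procedure introduced a new key every year).
As far back as archive.org goes (2009), that has been the case, including for the etch release:
The current procedure is to have one ftp-master key per release (a previous procedure introduced a new key every year).
Archive Keys
Active Signing Keys
The current (2007/etch) key is available for download here
It appears to be related to the creation of the etch debian-archive-keyring package, which includes the files you removed and which etch's apt depends on: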
apt (0.6.46.2) unstable; urgency=low
  * debian/control:
    - depend on debian-archive-keyring to offer clean upgrade path
      (closes: #386800)
$$ … $$
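An added example, not part of the original question or answer: the NO_PUBKEY values in the apt output above are long key IDs of whichever key made the signature, which can be a signing subkey (the gpg import above asked for AA8E81B4331F7F50 and received primary key EDA0D2388AE22BA9), while the key listing prints only primary-key fingerprints. The sketch below uses excerpts of the thread's own output as sample data and matches the two; the function names are chosen here for illustration.

```python
import re

# Excerpts of the terminal output posted in the question (shortened sample data).
APT_UPDATE = """\
Err:1 http://cdn-fastly.deb.debian.org/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
Err:2 http://cdn-fastly.deb.debian.org/debian-security buster/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY AA8E81B4331F7F50
"""

KEY_LIST = """\
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
"""

def missing_keys(apt_output):
    """Map each failing repository to the set of NO_PUBKEY long key IDs."""
    repos, current = {}, None
    for line in apt_output.splitlines():
        m = re.match(r"Err:\d+ (\S+ \S+) InRelease", line.strip())
        if m:
            current = m.group(1)
        for key_id in re.findall(r"NO_PUBKEY ([0-9A-F]{16})", line):
            repos.setdefault(current, set()).add(key_id)
    return repos

def primary_keys(listing):
    """Map long key ID (last 16 hex digits of a fingerprint) to its uid."""
    keys, fpr = {}, None
    for line in listing.splitlines():
        compact = line.replace(" ", "")
        if re.fullmatch(r"[0-9A-F]{40}", compact):
            fpr = compact
        elif line.startswith("uid") and fpr:
            keys[fpr[-16:]] = line.split("]", 1)[1].strip()
            fpr = None
    return keys

def explain(apt_output, listing):
    """Per missing ID: uid of the matching primary key, or None if unlisted."""
    known = primary_keys(listing)
    return {k: known.get(k) for ids in missing_keys(apt_output).values() for k in ids}

if __name__ == "__main__":
    print(explain(APT_UPDATE, KEY_LIST))
```

Only 9D6D8F6BC857C906 resolves to a listed primary key (the deleted jessie security key); the IDs that map to None match no primary fingerprint in this listing.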