[SOLVED] Keys in '/etc/apt/trusted.gpg' ignored by APT

[Gaius]

Hey all,

I have installed Debian 9.1 (amd64) with KDE 5.8.6 from CD yesterday.

Since then, I have installed the following software from the Debian repositories:
Firefox ESR 52.3.0 & Adblock Plus 2.7.3+dfsg-1
Thunderbird 52.2.1 & Lightning 5.4.2.1
VLC Media Player 2.2.6 Umbrella
aptitude
Software Properties GTK (uninstalled again)

In addition I have installed 2 Appearance add-ons from Mozilla:
Dark Fox (using Firefox for the install)
TT DeepDark (using Thunderbird for the install)

My /etc/apt/sources.list originally looked like this:

Code: Select all

# deb cdrom:[Debian GNU/Linux 9.1.0 _Stretch_ - Official amd64 xfce-CD Binary-1 20170722-11:29]/ stretch main

deb http://ftp.de.debian.org/debian/ stretch main
deb-src http://ftp.de.debian.org/debian/ stretch main

deb http://ftp.de.debian.org/debian/ stretch-updates main
deb-src http://ftp.de.debian.org/debian/ stretch-updates main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main

deb http://ftp.de.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch main contrib non-free

deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free

deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

When trying to update the system using Apper, I got this Warning:

I aborted the update and edited my sources.list, eliminating the entries containing 'contrib non-free'.
Accordingly, my etc/apt/sources.list is now

Code: Select all

# deb cdrom:[Debian GNU/Linux 9.1.0 _Stretch_ - Official amd64 xfce-CD Binary-1 20170722-11:29]/ stretch main

deb http://ftp.de.debian.org/debian/ stretch main
deb-src http://ftp.de.debian.org/debian/ stretch main

deb http://ftp.de.debian.org/debian/ stretch-updates main
deb-src http://ftp.de.debian.org/debian/ stretch-updates main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main

However, when running the update again, using Apper, the same warning popped up.

Again I cancelled the update ... wondering how packages from the Debian servers (and only 'main' packages at that) could be unsigned and possibly harmful.

Unfortunately I have not been able to find a solution perusing the Debian Wiki and searching with Google. Neither have I seen a thread in this forum which dealt with the problem.

What have I missed, or what am I doing wrongly?
Or should I simply ignore the warning and proceed with the update? (That doesn't sound like such a good idea.)

Cheers,
Gaius

[stevepusser]

Do you get the same warning on the command line?

Code: Select all

# apt update

[Gaius]

No, I don't.
But ... here is what I get from # apt update:

Code: Select all

root@PalaCon:/home/gaius# apt update
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Ign:2 http://ftp.de.debian.org/debian stretch InRelease
Hit:3 http://ftp.de.debian.org/debian stretch-updates InRelease
Hit:4 http://ftp.de.debian.org/debian stretch Release
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: http://security.debian.org/debian-security/dists/stretch/updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://ftp.de.debian.org/debian/dists/stretch-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://ftp.de.debian.org/debian/dists/stretch/Release.gpg: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.

apt update says all packages are up to date, Apper starts downloading a bunch of files, then gives the Warning message.

[stevepusser]

It's got to be related to those messages about the keyring file not being readable by user "_apt". My usual method of trying to solve a problem like this on my own is to search the Web for that error message and see what comes up, because I really can't say what is causing your particular problem.

Edit: like here: http://forums.debian.net/viewtopic.php?f=5&t=130558

[Gaius]

Okay, I've used the procedure described in the thread you linked to:

Code: Select all

# cp /etc/apt/trusted.gpg /home/gaius/trusted.gpg.temp

then

Code: Select all

# rm /etc/apt/trusted.gpg

As described in the other thread,

Code: Select all

# apt-key update

doesn't work, as it is deprecated and a no-op.

However, I could update using both Apper and the CLI without any Error messages or Warnings.

I then

Code: Select all

# cp /home/gaius/trusted.gpg.temp /etc/apt/trusted.gpg

so that I'd have my archive keys again.

Another run of Apper and

Code: Select all

# apt update

now generated the same Warnings/Errors as before.

So now I have updated my system but I'm still left with the problem of non-working archive keys.
I've spent an hour or so googling and looking at various Debian Wiki articles regarding archive keys, but I have no idea how I can download them and then incorporate them into my system.
They can be downloaded here, but I have yet to figure out how, and then how to get them into /etc/apt/trusted.gpg.

Does someone know how to do that?

Alternatively it seems to be possible to restore them from the apt automatic backup with

Code: Select all

# cp /etc/apt/trusted.gpg{~,}

... unless that is deprecated as well.
I don't want to try it blindly, without first having received some advice from people with more experience.
In any case ... wouldn't the backed-up keys be corrupted, too?

Edit:
Having read the third post of this thread gave me the idea of editing my source.list to only permit the CD I used to install Stretch as a repository and then uninstall and reinstall the package 'debian-archive-keyring'.
Does that seem like a feasible idea?

[stevepusser]

The Debian repo keys are in the debian-archive-keyring package, and you should already have it installed. I'd just leave that trusted.gpg fle deleted if everything else works without it being there. Perhaps some other program created it without giving it the right permissions.

[Gaius]

That is precisely what has been advised in the other thread.

Since this installation of Stretch is for testing purposes only (I installed it behind Windows 10 on a PC I no longer use to reacquaint myself with Linux again and to find out whether there are going to be any problems with dual-booting Windows) before I actually install it on the new PC, to work with it, I tend to agree.

On the other hand, it means I will access the repositories without authentication ...
...and it is an unsolved problem.

I usually research, test, and fiddle with those things until I have resolved them, I don't like open ends.

In addition, if I can find a solution, it will help others who encounter the same problem later.

I will try different methods, and if I manage to fix it, I will have the satisfaction of being able to rename this thread [SOLVED].

[stevepusser]

If you didn't have any archive keys, apt update would throw a lot of errors. You're good.

[Gaius]

Yeah, I read up some more, and realized I had made a fundamental mistake:
The keys for the Debian repositories are kept at /etc/apt/trusted.gpg.d/ ... this folder contains encrypted key files for Wheezy, Jessie and Stretch.

/etc/apt/trusted.gpg only contains additional keys from third parties, which a user trusts.
Since I exclusively install from Debian repositories, I have no need for this file.

I guess I would have realized earlier that apt and aptitude would never have executed updates without valid keys, if I hadn't sat at my desk, staring at the screen, for the past 18 hours, lol.

So this whole 'problem' can be solved by simply deleting /etc/apt/trusted.gpg ... at least for those users who solely install from Debian repositories.
Although I still wonder why apt and Apper would complain about faulty/missing keys to repositories which aren't even selected as sources.

Oh well ... thread solved, time for a snack.
Have a good weekend, everyone.

Cheers,
Gaius