[tor-bugs] #17555 [- Select a component]: Uninstalling deb.torproject.org-keyring doesn't remove the key
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Nov 8 02:49:43 UTC 2015
#17555: Uninstalling deb.torproject.org-keyring doesn't remove the key
--------------------------------------+-----------------
Reporter: ageisp0lis | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
--------------------------------------+-----------------
I found this bug in the process of forking Tor's repository keyring
package for a similar use case by one of the other projects I contribute
to.
The prerm hooks in the source for the package don't actually remove the
key, so if you uninstall deb.torproject.org-keyring, the signing key will
still be trusted by the system, and not removed from /etc/apt/trusted.gpg.
The problem is in debian/prerm, line 8: the 'apt-key del' command does not
work with a full fingerprint. It only work using an 8-character key ID
(this behavior is totally wack, and I will be reporting it to the
maintainers of apt and Debian).
'apt-key del', when provided with a full key fingerprint, still even
outputs 'OK', which is also crazy. But if you run 'apt-key list' afterward
you'll find that the key is indeed still there.
Until this issue is addressed upstream, you might want the prerm hook for
this package to reference the short key ID instead.
https://gitweb.torproject.org/debian/torproject-
keyring.git/tree/debian/prerm
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17555>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list