Package: debmirror
Version: 20060907.1
Severity: normal

debmirror uses a different method to validate the signatures on Release files than apt, network-retreiver, etc. do. debmirror's method fails if the Release file is signed by any one unknown key, even if it also carries valid signatures from known keys, as happened recently. The correct method does not have this problem, and works as follows:
gpgv --no-tty --status-fd 1 Release.gpg Release | read_gpg_status
Where a shell version of read_gpg_status is this:
read_gpg_status() {
	# gpgv writes one machine-readable line per event to --status-fd;
	# only lines prefixed "[GNUPG:]" are status lines, anything else is skipped.
	while read -r prefix keyword rest; do
		[ "$prefix" = '[GNUPG:]' ] || continue
		# VALIDSIG is emitted only for a signature that verified against a key
		# in gpgv's keyring; ERRSIG/NO_PUBKEY/BADSIG lines for other signatures
		# are simply ignored.
		if [ "$keyword" = VALIDSIG ]; then
			exit 0
		fi
	done
	exit 1
}
Any single valid signature is enough: gpgv only emits VALIDSIG for a signature that verifies against a key in its keyring, so a signature from an unknown key just produces ERRSIG/NO_PUBKEY lines, which this loop skips instead of treating as a failure.
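The following is an added example, not code from this bug report or from debmirror. It runs the "any VALIDSIG wins" check above against constructed gpgv --status-fd 1 transcripts, so it needs no gpgv, keyring or Release file, and puts it next to a model of the failing approach (reject as soon as any one signature fails to verify, which is what keying off gpgv's exit status amounts to). That model is an assumption about what debmirror does, not its code; the key IDs, fingerprints and timestamps in the transcripts are made-up placeholders.

```sh
#!/bin/sh
# Added example: exercise the Release-signature check against constructed
# gpgv --status-fd output. Nothing here is debmirror's own code.

# Correct check: accept when at least one "[GNUPG:] VALIDSIG" line is present.
# Lines for signatures by unknown keys (ERRSIG/NO_PUBKEY) or for bad
# signatures (BADSIG) are ignored. Returns 0 to accept, 1 to reject.
read_gpg_status() {
    while read -r prefix keyword rest; do
        [ "$prefix" = '[GNUPG:]' ] || continue
        if [ "$keyword" = VALIDSIG ]; then
            return 0
        fi
    done
    return 1
}

# Model of the failing approach (an assumption, not debmirror's code):
# reject as soon as any signature fails to verify, accept only if a VALIDSIG
# was seen and nothing failed.
reject_on_any_failure() {
    status=1
    while read -r prefix keyword rest; do
        [ "$prefix" = '[GNUPG:]' ] || continue
        case "$keyword" in
            VALIDSIG) status=0 ;;
            ERRSIG|NO_PUBKEY|BADSIG) return 1 ;;
        esac
    done
    return $status
}

# Feed a status transcript to a checker: $1 = checker function, $2 = text.
check_with() {
    printf '%s\n' "$2" | "$1"
}

# Constructed transcript: the first signature is by a key gpgv does not
# know, the second by a key in the trusted keyring (the case in the report).
MIXED='[GNUPG:] ERRSIG 1111111111111111 17 2 01 1158000000 9
[GNUPG:] NO_PUBKEY 1111111111111111
[GNUPG:] GOODSIG 2222222222222222 Example Archive Signing Key (constructed)
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2006-09-11 1158000000 0 3 0 17 2 00 2222222222222222222222222222222222222222'

# Constructed transcript: only an unknown key signed the file.
UNKNOWN_ONLY='[GNUPG:] ERRSIG 1111111111111111 17 2 01 1158000000 9
[GNUPG:] NO_PUBKEY 1111111111111111'

# Constructed transcript: a known key, but the signature does not match.
BAD='[GNUPG:] BADSIG 2222222222222222 Example Archive Signing Key (constructed)'

describe() {
    if check_with "$1" "$2"; then
        echo "$1: $3 -> accept"
    else
        echo "$1: $3 -> reject"
    fi
}

for checker in read_gpg_status reject_on_any_failure; do
    describe "$checker" "$MIXED"        "known + unknown signer"
    describe "$checker" "$UNKNOWN_ONLY" "unknown signer only"
    describe "$checker" "$BAD"          "bad signature"
done
```

Run it with any POSIX sh. Both checkers reject the unknown-only and bad-signature transcripts; they differ only on the mixed one, which read_gpg_status accepts and the exit-status style model rejects, which is exactly the mirror breakage the report describes.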
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages debmirror depends on:
ii bzip2 1.0.3-6 high-quality block-sorting file co
ii libcompress-zlib-perl 1.42-1 Perl module for creation and manip
ii libdigest-sha1-perl 2.11-1 NIST SHA-1 message digest algorith
ii liblockfile-simple-perl 0.2.5-7 Simple advisory file locking
ii libwww-perl 5.805-1 WWW client/server library for Perl
ii perl [libdigest-md5-perl] 5.8.8-6.1 Larry Wall's Practical Extraction
ii perl-modules [libnet-perl] 5.8.8-6.1 Core Perl modules
ii rsync 2.6.9-2 fast remote file copy program (lik
Versions of packages debmirror recommends:
ii gnupg 1.4.5-2 GNU privacy guard - a free PGP rep
ii patch 2.5.9-4 Apply a diff file to an original
-- no debconf information
--
see shy jo