Package: debmirror
Version: 20070123
Severity: minor
Tags: patch
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch
The documentation about key-checking is misleading. gpgv uses a
separate keyring, so it should be documented in the POD. Attached patch
is a possible solution...
Thanks!
-Kees
--
Kees Cook @outflux.net
diff -Nru /tmp/qAhS0YybqF/debmirror-20070123/debmirror /tmp/PgPdR3J9S3/debmirror-20070123ubuntu1/debmirror
--- /tmp/qAhS0YybqF/debmirror-20070123/debmirror 2007-01-24 02:42:14.000000000 -0800
+++ /tmp/PgPdR3J9S3/debmirror-20070123ubuntu1/debmirror 2007-11-12 14:21:04.000000000 -0800
@@ -347,11 +347,12 @@
debian keyring (in case of the debian archive) using:
gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export \
- | gpg --import
+ | gpg --no-default-keyring --keyring trustedkeys.gpg --import
or download the key from a keyserver:
- gpg --keyserver keyring.debian.org --recv-keys <key ID>
+ gpg --no-default-keyring --keyring trustedkeys.gpg \
+ --keyserver keyring.debian.org --recv-keys <key ID>
The <key ID> can be found in the gpgv error message in debmirror:
gpgv: Signature made Tue Jan 23 09:07:53 2007 CET using DSA key ID 2D230C5F
