Hello everybody I would like to share my observations and ask you if there is something wrong about key used to sign the Buster Debian Archive, or if I missed something in all explanations I've read all around the Internet.
Let's do some commands (not optimized at all, those are for large explanation only) : $ mkdir tmp $ cd tmp $ mkdir buster $ mkdir stretch $ cd buster $ wget http://ftp.fr.debian.org/debian/dists/buster/Release $ wget http://ftp.fr.debian.org/debian/dists/buster/Release.gpg $ cd ../stretch $ wget http://ftp.fr.debian.org/debian/dists/stretch/Release $ wget http://ftp.fr.debian.org/debian/dists/stretch/Release.gpg At this point, we have both Buster and Stretch "Release" file, and the associated GPG signature. While we are in stretch folder, let's do GPG verification : $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg Release.gpg Release gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST gpgv: avec la clef RSA 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 gpgv: Bonne signature de « Debian Archive Automatic Signing Key (8/jessie) <[email protected]> » gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> » gpgv: Signature faite le sam. 18 juil. 2020 12:56:21 CEST gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500 gpgv: issuer "[email protected]" gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <[email protected]> » All is OK. 3 public keys are used : Jessie Automatic, Stretch Automatic and Stretch Stable. All seems good. But, if I do the same with Buster, it fails ! $ cd ../buster $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg Release.gpg Release gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> » gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST gpgv: avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <[email protected]> » gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500 gpgv: issuer "[email protected]" gpgv: Impossible de vérifier la signature : Pas de clef publique The last key seems wrong. We have good signature for Stretch Automatic and Buster Automatic but not for Buster Stable. A quick look shows up that the missing key is in fact Stretch Stable, according to fingerprint. Success if I change command line with correct keyring. $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg Release.gpg Release gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> » gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST gpgv: avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <[email protected]> » gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500 gpgv: issuer "[email protected]" gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <[email protected]> » So my question is really simple : is it correct to sign Buster Archive "Release" file with Stretch Stable key ? In my opinion, it should be done with Buster Stable key. But, as I said at first, I may miss something. Anyway, thanks a lot for your great job ! Regards
