The release has to be signed by matching keys or apt and aptitude will fail with warning messages every time you install a package.

/etc/apt/trusted.gpg here contains, for example - the output of ls -al

total 68
drwxr-xr-x 2 root root 4096 Jun  6 17:35 .
drwxr-xr-x 7 root root 4096 Jun  6 17:45 ..
-rw-r--r-- 1 root root 8132 Apr 23  2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23  2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23  2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23  2019 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23  2019 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23  2019 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23  2019 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23  2019 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23  2019 debian-archive-stretch-stable.gpg

All keys from the same date.

On Mon, Aug 3, 2020 at 4:24 PM F!nTcH <[email protected]> wrote:

> Hello everybody
>
> I would like to share my observations and ask you if there is something
> wrong about key used to sign the Buster Debian Archive, or if I missed
> something in all explanations I've read all around the Internet.
>
> Let's do some commands (not optimized at all, those are for large
> explanation only) :
>
> $ mkdir tmp
> $ cd tmp
> $ mkdir buster
> $ mkdir stretch
> $ cd buster
> $ wget http://ftp.fr.debian.org/debian/dists/buster/Release
> $ wget http://ftp.fr.debian.org/debian/dists/buster/Release.gpg
> $ cd ../stretch
> $ wget http://ftp.fr.debian.org/debian/dists/stretch/Release
> $ wget http://ftp.fr.debian.org/debian/dists/stretch/Release.gpg
>
> At this point, we have both Buster and Stretch "Release" file, and the
> associated GPG signature.
>
> While we are in stretch folder, let's do GPG verification :
>
> $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg \
>     --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg \
>     --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg \
>     Release.gpg Release
> gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
> gpgv: avec la clef RSA 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (8/jessie) <[email protected]> »
> gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
> gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> »
> gpgv: Signature faite le sam. 18 juil. 2020 12:56:21 CEST
> gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv: issuer "[email protected]"
> gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <[email protected]> »
>
> All is OK. 3 public keys are used : Jessie Automatic, Stretch Automatic
> and Stretch Stable. All seems good.
>
> But, if I do the same with Buster, it fails !
>
> $ cd ../buster
> $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg \
>     --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg \
>     --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg \
>     Release.gpg Release
> gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
> gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
> gpgv: avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
> gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv: issuer "[email protected]"
> gpgv: Impossible de vérifier la signature : Pas de clef publique
>
> The last key seems wrong. We have good signature for Stretch Automatic
> and Buster Automatic but not for Buster Stable. A quick look shows up
> that the missing key is in fact Stretch Stable, according to fingerprint.
>
> Success if I change command line with correct keyring.
>
> $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg \
>     --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg \
>     --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg \
>     Release.gpg Release
> gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
> gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
> gpgv: avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
> gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv: issuer "[email protected]"
> gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <[email protected]> »
>
> So my question is really simple : is it correct to sign Buster Archive
> "Release" file with Stretch Stable key ? In my opinion, it should be
> done with Buster Stable key.
>
> But, as I said at first, I may miss something.
>
> Anyway, thanks a lot for your great job !
>
> Regards
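
An added example, not part of either message: the same check done on gpgv's machine-readable `--status-fd` lines, which do not depend on the locale the way the human-readable output above does. The function names are hypothetical, and the sample status lines are constructed from the fingerprints quoted in the thread, cut off after the fields the parser reads.

```shell
#!/bin/sh
# Real use, with the keyrings from the thread (status goes to fd 1,
# the human-readable messages stay on stderr):
#   gpgv --status-fd 1 \
#        --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg \
#        Release.gpg Release 2>/dev/null | summarise_status

# Constructed sample: the failing Buster run (two good signatures, one
# signature whose public key is in none of the keyrings given).
SAMPLE_STATUS='[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2020-08-01
[GNUPG:] VALIDSIG 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 2020-08-01
[GNUPG:] NO_PUBKEY EF0F382A1A7B6500'

# Reduce status lines on stdin to one "STATE id" line per signature.
summarise_status() {
    awk '$1 == "[GNUPG:]" {
        if ($2 == "VALIDSIG")       print "GOOD", $3     # full fingerprint
        else if ($2 == "BADSIG")    print "BAD", $3      # 64-bit key id
        else if ($2 == "NO_PUBKEY") print "MISSING", $3  # 64-bit key id
    }'
}

# Succeeds only if at least one signature verified and none is bad or
# lacks its key. Anchored matches: "BAD" is also a valid hex substring.
all_signatures_verified() {
    summary=$(summarise_status)
    printf '%s\n' "$summary" | grep -q '^GOOD ' || return 1
    ! printf '%s\n' "$summary" | grep -Eq '^(BAD|MISSING) '
}

# True if a v4 fingerprint ($1) ends in the 64-bit key id ($2); this is
# how a NO_PUBKEY id is matched to a fingerprint seen in another run.
fpr_has_keyid() {
    case "$1" in
        *"$2") return 0 ;;
        *)     return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_STATUS" | summarise_status
```
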

