Andrew
In fact, the date you are pointing out does not matter, because it is
filesystem metadata.
On my computer, jessie and stretch are older, probably the date when I
reinstalled my computer. Have a look:
ls -l /etc/apt/trusted.gpg.d/
total 60
-rw-r--r-- 1 root root 8132 avril 23 2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 avril 23 2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 avril 23 2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 sept. 3 2017 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 sept. 3 2017 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 sept. 3 2017 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 sept. 3 2017 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 sept. 3 2017 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 sept. 3 2017 debian-archive-stretch-stable.gpg
My question is not about local GPG files and the verifying process, but
about the signing process of archive metadata files on the server side,
using an example (the "Release" file).
You said "The release has to be signed by matching keys". OK, they
match... the old stable, and not the stable one! I agree, the needed keys
are present and APT works well.
This seems not to be a significant problem, but I wonder if there is a
problem (more a configuration mistake) in the keys used to sign the Buster
archive metadata.
That is still my question!
Regards
On 03/08/2020 at 19:26, Andrew Cater wrote:
> The release has to be signed by matching keys or apt and aptitude will
> fail with warning messages every time you install a package.
>
> /etc/apt/trusted.gpg here contains, for example - the output of ls -al
>
> total 68
> drwxr-xr-x 2 root root 4096 Jun 6 17:35 .
> drwxr-xr-x 7 root root 4096 Jun 6 17:45 ..
> -rw-r--r-- 1 root root 8132 Apr 23 2019 debian-archive-buster-automatic.gpg
> -rw-r--r-- 1 root root 8141 Apr 23 2019 debian-archive-buster-security-automatic.gpg
> -rw-r--r-- 1 root root 2332 Apr 23 2019 debian-archive-buster-stable.gpg
> -rw-r--r-- 1 root root 5106 Apr 23 2019 debian-archive-jessie-automatic.gpg
> -rw-r--r-- 1 root root 5115 Apr 23 2019 debian-archive-jessie-security-automatic.gpg
> -rw-r--r-- 1 root root 2763 Apr 23 2019 debian-archive-jessie-stable.gpg
> -rw-r--r-- 1 root root 7443 Apr 23 2019 debian-archive-stretch-automatic.gpg
> -rw-r--r-- 1 root root 7452 Apr 23 2019 debian-archive-stretch-security-automatic.gpg
> -rw-r--r-- 1 root root 2263 Apr 23 2019 debian-archive-stretch-stable.gpg
>
> All keys from the same date.
>
> On Mon, Aug 3, 2020 at 4:24 PM F!nTcH <[email protected]> wrote:
>
> Hello everybody
>
> I would like to share my observations and ask you if there is something
> wrong about the key used to sign the Buster Debian Archive, or if I missed
> something in all the explanations I've read all around the Internet.
>
> Let's run some commands (not optimized at all, these are for explanation
> only):
>
> $ mkdir tmp
> $ cd tmp
> $ mkdir buster
> $ mkdir stretch
> $ cd buster
> $ wget http://ftp.fr.debian.org/debian/dists/buster/Release
> $ wget http://ftp.fr.debian.org/debian/dists/buster/Release.gpg
> $ cd ../stretch
> $ wget http://ftp.fr.debian.org/debian/dists/stretch/Release
> $ wget http://ftp.fr.debian.org/debian/dists/stretch/Release.gpg
>
> At this point, we have both the Buster and Stretch "Release" files, and the
> associated GPG signatures.
>
> While we are in the stretch folder, let's do the GPG verification:
>
> $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg Release.gpg Release
> gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
> gpgv: avec la clef RSA 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (8/jessie) <[email protected]> »
> gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
> gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> »
> gpgv: Signature faite le sam. 18 juil. 2020 12:56:21 CEST
> gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv: issuer "[email protected]"
> gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <[email protected]> »
>
> All is OK. Three public keys are used: Jessie Automatic, Stretch Automatic
> and Stretch Stable. All seems good.
>
> But if I do the same with Buster, it fails!
>
> $ cd ../buster
> $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg Release.gpg Release
> gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
> gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
> gpgv: avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
> gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv: issuer "[email protected]"
> gpgv: Impossible de vérifier la signature : Pas de clef publique
>
> The last key seems wrong. We have a good signature for Stretch Automatic
> and Buster Automatic but not for Buster Stable. A quick look shows that
> the missing key is in fact Stretch Stable, according to the fingerprint.
>
> It succeeds if I change the command line to use the correct keyring.
>
> $ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg Release.gpg Release
> gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
> gpgv: avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
> gpgv: avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
> gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <[email protected]> »
> gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
> gpgv: avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv: issuer "[email protected]"
> gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <[email protected]> »
>
> So my question is really simple: is it correct to sign the Buster Archive
> "Release" file with the Stretch Stable key? In my opinion, it should be
> done with the Buster Stable key.
>
> But, as I said at first, I may have missed something.
>
> Anyway, thanks a lot for your great job!
>
> Regards
>
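A helper for the check the quoted message performs by hand, added here as an example (it is not code from the thread or from Debian): it builds a gpgv invocation that loads every keyring in /etc/apt/trusted.gpg.d, so a Release signed by an earlier suite's stable key still verifies, and it reads gpgv's locale-independent --status-fd lines instead of the French messages shown above. The sample status text is constructed from the fingerprints quoted in the thread, with key user IDs shortened and timestamps approximate.

```python
import glob

APT_KEYRING_DIR = "/etc/apt/trusted.gpg.d"  # every keyring APT itself trusts

def gpgv_command(release_gpg, release, keyring_dir=APT_KEYRING_DIR):
    """gpgv invocation loading all APT keyrings, so a Release signed by an
    earlier suite's stable key (the thread's case) still verifies."""
    cmd = ["gpgv", "--status-fd", "1"]
    for keyring in sorted(glob.glob(f"{keyring_dir}/*.gpg")):
        cmd += ["--keyring", keyring]
    return cmd + [release_gpg, release]

def parse_status(status_text):
    """One dict per signature: keyid, fingerprint, status, userid."""
    results, cur = [], None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        tag, *args = line.split()[1:]
        if tag in ("GOODSIG", "BADSIG"):
            cur = {"keyid": args[0], "fingerprint": "", "userid": " ".join(args[1:]),
                   "status": "good" if tag == "GOODSIG" else "bad"}
            results.append(cur)
        elif tag == "VALIDSIG" and cur:   # carries the full fingerprint
            cur["fingerprint"] = args[0]
        elif tag == "ERRSIG":  # keyid pkalgo hashalgo sigclass time rc [fpr]
            cur = {"keyid": args[0], "fingerprint": args[6] if len(args) > 6 else "",
                   "userid": "", "status": "error"}
            results.append(cur)
        elif tag == "NO_PUBKEY" and cur and cur["keyid"] == args[0]:
            cur["status"] = "missing-key"   # the "Pas de clef publique" case
    return results

def missing_keys(status_text):
    """Key IDs whose signatures could not be checked for lack of a public key."""
    return [r["keyid"] for r in parse_status(status_text) if r["status"] == "missing-key"]

# Constructed sample mirroring the failing Buster run in the thread (fingerprints
# from the thread; user IDs shortened, timestamps approximate).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch)
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2020-08-01 1596279996 0 4 0 1 10 00 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
[GNUPG:] GOODSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster)
[GNUPG:] VALIDSIG 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 2020-08-01 1596279997 0 4 0 1 10 00 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
[GNUPG:] ERRSIG EF0F382A1A7B6500 1 10 00 1596280212 9 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
[GNUPG:] NO_PUBKEY EF0F382A1A7B6500
"""
```

Running `missing_keys(SAMPLE_STATUS)` reports the one key ID gpgv could not find, which is the Stretch Stable key fingerprint the thread identifies.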