On Wed, Jun 10, 2009 at 10:41:18AM +0200, Philipp Kern scribbled thusly:
> On Tue, Jun 09, 2009 at 04:01:17PM -0400, Ivan Jager wrote:
> > It appears that
> > http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
> > being signed with the new key, not the old, so it is not trusted.
> >
> > Lenny security updates are being signed with both keys, but there
> > does not seem to be a newer version of debian-archive-keyring
> > there, so I'm not sure what the trust path from the old key to the
> > new is supposed to be. From the announcement, it sounded like the
> > Release file was supposed to be signed with both keys, but it
> > isn't.
> >
> > I initially tried the Monday after the announcement, and thought
> > it would most likely get fixed after a few days, but still no
> > luck.
> >
> > For reference, on lenny an apt-get update ends with the following
> > error:
> > W: There is no public key available for the following key IDs:
> > 9AA38DCD55BE302B
> > W: GPG error: http://ftp.us.debian.org lenny Release: The following
> > signatures couldn't be verified because the public key is not available:
> > NO_PUBKEY 9AA38DCD55BE302B
> > W: You may want to run apt-get update to correct these problems

FWIW, if I only have security.d.o in sources.list I only get the first
and last warning, and it doesn't warn about unverified packages when
installing. With ftp.us.d.o I also get the second warning and later it
does complain when I try to install packages.

> > Of course if you then try to install the new
> > debian-archive-keyring it gives you a big warning that it is
> > untrusted.
>
> Actually it shouldn't. It's true that apt warns about a new signature
> that cannot be verified, but that shouldn't cause apt to think that the
> repository is untrusted, because there is still at least one trusted
> signature on it (the offline release key).

Ok, something funny is definitely going on. Running gpg on
security.debian.org_dists_lenny_updates_Release.gpg shows both
signatures, whereas running gpg on
ftp.us.debian.org_debian_dists_lenny_Release.gpg warns that
"gpg: WARNING: multiple signatures detected. Only the first will be
checked." and of course that happens to be the 55BE302B signature.

Anyways, I worked around the problem on that machine by copying the
keys from a squeeze box that I trust (which is why I have a
*_lenny_Release.gpg file now), but I can still reproduce the problem on
an etch machine, which I will most likely upgrade after this is solved.

For reference, here is the output of GPG:

On lenny (with the keys copied from squeeze):

kestrel:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg security.debian.org_dists_lenny_updates_Release.gpg
Detached signature.
Please enter name of data file:
No such file, try again or hit enter to quit.
Please enter name of data file: security.debian.org_dists_lenny_updates_Release
gpg: Signature made Tue 09 Jun 2009 03:29:57 PM EDT using RSA key ID 55BE302B
gpg: Good signature from "Debian Archive Automatic Signing Key (5.0/lenny) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 150C 8614 919D 8446 E01E 83AF 9AA3 8DCD 55BE 302B
gpg: Signature made Tue 09 Jun 2009 03:29:57 PM EDT using DSA key ID 6070D3A1
gpg: Good signature from "Debian Archive Automatic Signing Key (4.0/etch) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50 AD90 A70D AF53 6070 D3A1

kestrel:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg ftp.us.debian.org_debian_dists_lenny_Release.gpg
gpg: WARNING: multiple signatures detected. Only the first will be checked.
Detached signature.
Please enter name of data file: ftp.us.debian.org_debian_dists_lenny_Release
gpg: Signature made Sat 23 May 2009 01:31:55 PM EDT using RSA key ID 55BE302B
gpg: Good signature from "Debian Archive Automatic Signing Key (5.0/lenny) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 150C 8614 919D 8446 E01E 83AF 9AA3 8DCD 55BE 302B

And on etch without the new keys installed:

explorer:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg
Detached signature.
Please enter name of data file: security.debian.org_dists_etch_updates_Release
gpg: Signature made Tue 09 Jun 2009 03:29:56 PM EDT using RSA key ID 55BE302B
gpg: Can't check signature: public key not found
gpg: Signature made Tue 09 Jun 2009 03:29:56 PM EDT using DSA key ID 6070D3A1
gpg: Good signature from "Debian Archive Automatic Signing Key (4.0/etch) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50 AD90 A70D AF53 6070 D3A1

explorer:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg ~/Release.gpg
gpg: WARNING: multiple signatures detected. Only the first will be checked.
Detached signature.
Please enter name of data file: ftp.us.debian.org_debian_dists_etch_Release
gpg: Signature made Sat 23 May 2009 01:28:27 PM EDT using RSA key ID 55BE302B
gpg: Can't check signature: public key not found

(Note that ~/Release.gpg was downloaded manually because apt-get
wouldn't keep the .gpg file it couldn't verify.)

My best guess is that the ftp.d.o Release.gpg files are being created
in a different way than the security.d.o ones, but I don't know nearly
enough about gpg to hazard a guess as to how.

Thanks for CCing me as I'm not on the list.

Ivan
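Added example, not part of the mail above and not Debian's or GnuPG's own code: a small OpenPGP packet walker that lists every signature packet in a detached signature file such as apt's Release.gpg (issuer key ID, public-key algorithm, digest algorithm) and reports whether GnuPG 1.4 would verify all of them. GnuPG 1.4 prints the "multiple signatures detected. Only the first will be checked." warning seen in the mail when the signatures in one detached file do not all share the first one's signature class and digest algorithm; when they match, it verifies each of them. The two byte strings below are constructed test data: structurally valid v4 signature packets carrying the key IDs from the mail but with dummy MPIs, so they would never verify. That the ftp.debian.org file differed from the security.debian.org one in digest algorithm (RSA/SHA256 beside DSA/SHA1 versus SHA1 for both) is an assumption used to build the sample, not something the mail establishes.

```python
"""List the signatures inside a detached OpenPGP signature file (e.g. apt's
Release.gpg) and say whether GnuPG 1.4 would check all of them.

Added example. Sample data below is constructed: structurally valid,
cryptographically meaningless, not real Debian signatures."""
import struct
import sys

PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def _packet(data, off):
    """Return (tag, body_start, body_end) for the packet at `off` (RFC 4880 4.2)."""
    ctb = data[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag, l1 = ctb & 0x3F, data[off + 1]
        if l1 < 192:
            length, hdr = l1, 2
        elif l1 < 224:
            length, hdr = ((l1 - 192) << 8) + data[off + 2] + 192, 3
        elif l1 == 255:
            length, hdr = struct.unpack(">I", data[off + 2:off + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, hdr = data[off + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", data[off + 1:off + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", data[off + 1:off + 5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, off + hdr, off + hdr + length


def _subpackets(blob):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(blob):
        l1 = blob[i]
        if l1 < 192:
            length, i = l1, i + 1
        elif l1 < 255:
            length, i = ((l1 - 192) << 8) + blob[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", blob[i + 1:i + 5])[0], i + 5
        yield blob[i] & 0x7F, blob[i + 1:i + length]
        i += length


def parse_signatures(data):
    """One dict per v4 signature packet: issuer key ID, class, algorithms."""
    sigs, off = [], 0
    while off < len(data):
        tag, start, end = _packet(data, off)
        if tag == 2:                                 # signature packet
            body = data[start:end]
            if body[0] != 4:
                raise ValueError("only v4 signature packets are handled")
            hlen = struct.unpack(">H", body[4:6])[0]
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            subs = (list(_subpackets(body[6:6 + hlen]))
                    + list(_subpackets(body[8 + hlen:8 + hlen + ulen])))
            issuer = next((d.hex().upper() for t, d in subs if t == 16), None)
            sigs.append({"issuer": issuer, "sig_class": body[1],
                         "pubkey_algo": PUBKEY_ALGOS.get(body[2], str(body[2])),
                         "hash_algo": HASH_ALGOS.get(body[3], str(body[3]))})
        off = end
    return sigs


def gpg14_checks_all(sigs):
    """GnuPG 1.4 verifies every signature in a detached file only if all of
    them share the first one's class and digest algorithm; otherwise it
    warns "multiple signatures detected" and checks just the first."""
    first = sigs[0]
    return all(s["sig_class"] == first["sig_class"]
               and s["hash_algo"] == first["hash_algo"] for s in sigs)


def make_test_sig(pk_algo, hash_algo, key_id_hex, n_mpis):
    """Constructed v4 signature packet with dummy MPIs (test data only)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1244577600)     # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id_hex)       # issuer key ID
    body = (bytes([4, 0, pk_algo, hash_algo])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                                        # left 16 bits of hash
            + b"\x00\x08\xff" * n_mpis)                          # 8-bit dummy MPIs
    return bytes([0x88, len(body)]) + body                       # old-format tag 2


# Constructed stand-ins for the two files in the mail. Assumption: the
# ftp.debian.org RSA signature used SHA256 while both security.debian.org
# signatures used SHA1.
FTP_RELEASE_GPG = (make_test_sig(1, 8, "9AA38DCD55BE302B", 1)
                   + make_test_sig(17, 2, "A70DAF536070D3A1", 2))
SECURITY_RELEASE_GPG = (make_test_sig(1, 2, "9AA38DCD55BE302B", 1)
                        + make_test_sig(17, 2, "A70DAF536070D3A1", 2))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FTP_RELEASE_GPG
    sigs = parse_signatures(data)
    for s in sigs:
        print(f"{s['pubkey_algo']}/{s['hash_algo']} key ID {s['issuer'][-8:]}")
    print("gpg 1.4 checks all:", gpg14_checks_all(sigs))
```

Run it against a real file with `python3 sigs.py /var/lib/apt/lists/ftp.us.debian.org_debian_dists_lenny_Release.gpg` to see the same fields `gpg --list-packets` would print; if the digest algorithms differ between the signatures, a 1.4-era gpg only ever verifies the first one, which is why apt on etch saw only the signature it had no key for.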

