On Sun, Feb 15, 2009 at 11:38:45 -0600, Kent West wrote: > Florian Kulzer wrote: > > On Sun, Feb 15, 2009 at 08:47:06 -0600, Kent West wrote:
[...] > >> wes...@]goshen]:/home/westk:> sudo apt-get update > >> Password: > >> > > > > [...] > > > > > >> W: There is no public key available for the following key IDs: > >> 4D270D06F42584E6 > >> W: You may want to run apt-get update to correct these problems > >> > > > > Check the version of your debian-archive-keyring package; the newest one > > (2009.01.31) has this key: [...] > On my etch box, this package was not installed. So I installed it (and > most all, if not all, of Gnome was removed as part of the process > (?!!)). I cannot see how the debian-archive-keyring would trigger the removal of Gnome packages, therefore I would guess that this is the symptom of an unrelated problem. What happens if you try to install Gnome again (assuming that you want it back)? > Now I have this version: > > Sun Feb 15 11:35:06 > ------------- > wes...@]goshen]:/home/westk:> sudo aptitude show debian-archive-keyring > Unable to find an archive "stable" for the package "debian-archive-keyring" > Package: debian-archive-keyring > State: installed > Automatically installed: no > Version: 2007.07.31~etch1 [...] > And if I enable Lenny in my sources.list and do another update, I still > have the same problem. > > So it seems to me that there's no ("normal, everyday-user") way to > validate that the Lenny packages are valid without first installing a > Lenny package which you can't be sure is valid. > > Am I missing something? The Release files have two signatures at the moment to facilitate the transition: $ gpg -vv --list-only /var/lib/apt/lists/*_stable_Release.gpg 2>&1 | grep signature :signature packet: algo 17, keyid A70DAF536070D3A1 :signature packet: algo 17, keyid 4D270D06F42584E6 Your apt keyring should contain A70DAF536070D3A1 ("Debian Archive Automatic Signing Key (4.0/etch)") as a trusted key, so apt(itude) should be able to verify one of the signatures. That is good enough because you are trusting the Etch key already anyway. As long as apt(itude) does not complain that a package is "untrusted" you can be sure that there is at least one trusted signature vouching for it. (This assumes that you did not change the default configuration regarding verification of package integrity.) The post-installation script of the new version of debian-archive-keyring will add the Lenny key to apt's keyring automatically so that you are ready for the future. (The Etch key expires on 2009-07-01.) -- Regards, | http://users.icfo.es/Florian.Kulzer Florian | -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org