Bug#1043457: ftp.debian.org: buster-backports repository signed with bullseye + bookworm keys

Fri, 11 Aug 2023 06:57:20 -0700 

Package: ftp.debian.org
Severity: important

Hi,

the buster-backports repository seems to be signed only with
the bullseye + bookworm keys now:

| % wget --quiet 
http://deb.debian.org/debian/dists/buster-backports/Release{,.gpg}
| % gpg --verify Release.gpg Release 2>&1 | grep 'using RSA'
| gpg:                using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
| gpg:                using RSA key 4CB50190207B4758A3F73A796ED0E7B82643E131

STR:

| podman run --pull=always --rm -i -t debian:buster bash
| mv /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg 
/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.gpg 
/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.gpg .
| mv /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg 
/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg 
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg .
| echo "deb http://deb.debian.org/debian buster-backports main" > 
/etc/apt/sources.list.d/backports.list
| apt update

This then reports:

| [...]
| Hit:1 http://deb.debian.org/debian buster InRelease
| Hit:2 http://deb.debian.org/debian-security buster/updates InRelease
| Hit:3 http://deb.debian.org/debian buster-updates InRelease
| Hit:4 http://deb.debian.org/debian buster-backports InRelease
| Err:4 http://deb.debian.org/debian buster-backports InRelease
|   The following signatures couldn't be verified because the public key is not 
available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| All packages are up to date.
| W: An error occurred during the signature verification. The repository is not 
updated and the previous index files will be used. GPG error: 
http://deb.debian.org/debian buster-backports InRelease: The following 
signatures couldn't be verified because the public key is not available: 
NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
| W: Failed to fetch 
http://deb.debian.org/debian/dists/buster-backports/InRelease  The following 
signatures couldn't be verified because the public key is not available: 
NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
| W: Some index files failed to download. They have been ignored, or old ones 
used instead.

regards
-mika-

Reply via email to