Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-23 Thread Javier Fernández-Sanguino Peña
On Wed, Nov 22, 2006 at 07:22:35AM +0100, Andreas Tille wrote:
> But Hendrik Sattler is perfectly right and this knowledge has to be stored
> at prominent places like:
>
> a) installation manual
> b) apt-key.8
> c) perhaps somewhere else

It is already at the "Securing Debian Manual", see

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread David Weinehall
gs A70DAF536070D3A1 instead.
>
> Very useful:
>
> ([EMAIL PROTECTED])~$gpg --check-sigs A70DAF536070D3A1
> pub 1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
> uid Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>
> sig!3

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Bartosz Fenski aka fEnIo
11-20 [expires: 2009-07-01]
uid Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>
sig!36070D3A1 2006-11-20 Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>
2 signatures not checked due to missing keys
([EMAIL PROTECTED])~$

Lo

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Bartosz Fenski aka fEnIo
On Wed, Nov 22, 2006 at 12:09:58PM +0100, Hendrik Sattler wrote:
> No one answered, yet, why this key is not in debian-archive-keyring package.
> I thought that the whole idea was to make it available before it gets used.
> That would be the easiest (install it at installation time) and
> "apt-key

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread A Mennucc
Julien Cristau wrote:
> On Wed, Nov 22, 2006 at 14:53:38 +0100, A Mennucc wrote:
>
>> that package is only 2 days old and did not transition to etch yet
>>
>> so it is too early to start signing etch archives with it
>>
>> and it empties the whole idea: to restore my trust path, I
>> w

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Julien Cristau
On Wed, Nov 22, 2006 at 14:53:38 +0100, A Mennucc wrote:
> that package is only 2 days old and did not transition to etch yet
>
> so it is too early to start signing etch archives with it
>
> and it empties the whole idea: to restore my trust path, I
> will have to manually download that

just wait more next time, Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread A Mennucc
actually, there is no need for tons of documentation: the usage of the package debian-archive-keyring should really automate the whole thing, as long as it is done correctly:
1) release team generates new key and new package debian-archive-keyring
2) users install it: in postinst, /usr/bin/apt-

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread A Mennucc
Luca Capello wrote:
> Hello!
>
> On Wed, 22 Nov 2006 12:09:58 +0100, Hendrik Sattler wrote:
>> No one answered, yet, why this key is not in debian-archive-keyring
>> package.
>
> It's there since the last update:
> =
> debian-archive-keyring (2006.11.22) unstable; urgency=low
>
> * Non

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Joey Hess
Hamish Moffatt wrote:
> But you need to be able to validate that package in some fashion too.

In this case it's validated using the other signature on the packages file, which is made with a key that apt already knows about.

--
see shy jo

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread A Mennucc
Martin Zobel-Helas wrote:
>
> gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 | apt-key add -)
>

$ gpg --recv-keys A70DAF536070D3A1
gpg: requesting key 6070D3A1 from hkp server keyring.debian.org
gpgkeys: key A70DAF536070D3A1 not found on keyserver
gpg: no valid Open

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Paul Cager
> On Tue, 21 Nov 2006, Kurt Roeckx wrote:
> But Hendrik Sattler is perfectly right and this knowledge has to be stored
> at prominent places like:
>
> a) installation manual
> b) apt-key.8
> c) perhaps somewhere else

Should the apt-get warning message be changed to refer to apt-key.8?

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Luca Capello
Hello!

On Wed, 22 Nov 2006 12:09:58 +0100, Hendrik Sattler wrote:
> No one answered, yet, why this key is not in debian-archive-keyring
> package.

It's there since the last update:
=
debian-archive-keyring (2006.11.22) unstable; urgency=low

  * Non-maintainer upload.
  * Add Etch release key

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Hendrik Sattler
On Wednesday, 22 November 2006 11:05, Hamish Moffatt wrote:
> On Wed, Nov 22, 2006 at 09:48:46AM +0100, Hendrik Sattler wrote:
> > Or even better:
> > # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs A70DAF536070D3A1
> >
> > I just assume that receiving the keys via the debian

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Frans Pop
On Wednesday 22 November 2006 07:22, Andreas Tille wrote:
> But Hendrik Sattler is perfectly right and this knowledge has to be
> stored at prominent places like:
>
> a) installation manual
> b) apt-key.8
> c) perhaps somewhere else
>
> Could maintainers of a) and b) (and perhaps c) ;-)

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Hamish Moffatt
On Wed, Nov 22, 2006 at 09:48:46AM +0100, Hendrik Sattler wrote:
> Or even better:
> # gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs A70DAF536070D3A1
>
> I just assume that receiving the keys via the debian-keyring package is more
> trustworthy than via a random public ser

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-22 Thread Hendrik Sattler
--check-sigs A70DAF536070D3A1
pub 1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>
sig!36070D3A1 2006-11-20 Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>
2 signatures not checked due

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-21 Thread Andreas Tille
On Tue, 21 Nov 2006, Kurt Roeckx wrote:
> On Tue, Nov 21, 2006 at 04:50:29PM -0600, Peter Samuelson wrote:
> > [Martin Zobel-Helas]
> > > gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 | apt-key add -)
> >
> > Uh, don't forget the part about verifying that the key is actually signed by

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-21 Thread Martin Zobel-Helas
On Tue Nov 21, 2006 at 21:23:48 +0100, Hendrik Sattler wrote:
> Hi,
>
> I tried to "apt-get update" from a testing mirror today but apt told me?
> W: There are no public key available for the following key IDs:
> A70DAF536070D3A1
>
> OK, maybe a new key, let's look at debian-archive-keyring:
> gpg

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-21 Thread Kurt Roeckx
On Tue, Nov 21, 2006 at 04:50:29PM -0600, Peter Samuelson wrote:
>
> [Martin Zobel-Helas]
> > gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 | apt-key add -)
>
> Uh, don't forget the part about verifying that the key is actually
> signed by the ftpmasters. Skipping th

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-21 Thread Hendrik Sattler
On Tuesday, 21 November 2006 21:48, Martin Zobel-Helas wrote:
> gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 | apt-key add -)

Please put that in the apt-key manpage (maybe even the long version to use debian-archive-keyring exclusively). But that was only the secondar

Re: Debian Archive Automatic Signing Key (4.0/etch)?

2006-11-21 Thread Peter Samuelson
[Martin Zobel-Helas]
> gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 | apt-key add -)

Uh, don't forget the part about verifying that the key is actually signed by the ftpmasters. Skipping that step pretty much defeats the entire point.

gpg --list-sigs A70DAF536070D3