[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Checking Release.gpg

On Mon, 12 Jan 2004, Adrian 'Dagurashibanipal' von Bidder wrote:

>
> Yo!
>
> Apparently there are some Release files only signed with the old Release
> key (38C6029A):
>
> My keyring is
> =====
> $ gpg --no-default-keyring --keyring trustedkeys.gpg --list-key
> /home/avbidder/.gnupg/trustedkeys.gpg
> -------------------------------------
> pub  1024D/38C6029A 2002-12-20 Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>
I did:

~> gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keyring.debian.org --recv-keys 38C6029A
gpg: key 38C6029A: "Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

> pub  1024D/30B34DD5 2003-12-03 Debian Archive Automatic Signing Key (2003 v2) <ftpmaster@debian.org>

and

~> gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keyring.debian.org --recv-keys 30B34DD5
gpg: key 30B34DD5: "Debian Archive Automatic Signing Key (2003 v2) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

as well as I imported the ziyi_key_2002.asc from the docs which leads to:

~> gpg --no-default-keyring --keyring trustedkeys.gpg --list-key | grep ftpmaster
pub  1024D/30B34DD5 2003-12-03 Debian Archive Automatic Signing Key (2003 v2) <ftpmaster@debian.org>
pub  1024D/38C6029A 2002-12-20 Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>
pub  1024D/722F1AED 2002-01-11 Debian Archive

so this all should be fine.

I do a private mirror from the mirror next to me (debian.tu-bs.de) on an
internal server sars.rki.ivbb.bund.de.

Then I get:

Source: deb http://sars.rki.ivbb.bund.de/debian/ testing main non-free contrib
  o Origin: Debian/Debian
  o Suite: testing/sarge
  o Date: Sun, 11 Jan 2004 20:54:59 UTC
  o Description: Debian Testing distribution - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: 2DB1C72530B34DD5
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)

Source: deb http://sars.rki.ivbb.bund.de/debian/non-US testing/non-US main non-free
  o Origin: Debian/Debian
  o Suite: testing/sarge
  o Date: Thu, 20 Nov 2003 19:52:24 UTC
  o Description: Debian Testing distribution - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: B629A24C38C6029A
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)

As you can see, both od the used keys are in my trustedkeys, but it fails ... :-(

> The contents of the following files in /var/lib/apt/lists does not
> match what was expected. This may mean these sources are out of date,
> that the archive is having problems, or that someone is actively using
> your mirror to distribute trojans.
>
>     security.debian.org_dists_stable_updates_main_binary-i386_Packages
> =====
>
> which is what I should except according to the Manual.
Yes, for sure, this is normal as well as for my other inofficial apt-sources.
But these two I mentioned should work

Kind regards

        Andreas.
Reply to: