
Re: Checking Release.gpg




Clinging to sanity, Andreas Tille mumbled in his beard:

> I think I followed
> 
>        http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html
> 
> paragraph 7.4.3 "Checking distribution releases" closely.  When running
> apt-check-sigs I get
> 
>       * COULDN'T CHECK SIGNATURE BY KEYID: 2DB1C72530B34DD5
>       * NO VALID SIGNATURE


Yo!

Apparently there are some Release files only signed with the old Release
key (38C6029A):

My keyring is 
=====
$ gpg --no-default-keyring --keyring trustedkeys.gpg --list-key
/home/avbidder/.gnupg/trustedkeys.gpg
--------------------------------------
pub  1024D/38C6029A 2002-12-20 Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>

pub  1024D/30B34DD5 2003-12-03 Debian Archive Automatic Signing Key (2003 v2) <ftpmaster@debian.org>
=====

My sources.list:
=====
deb http://security.debian.org/ stable/updates main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ stable main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ stable/non-US main non-free contrib
deb http://security.debian.org/ testing/updates main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ testing main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ testing/non-US main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ unstable main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ unstable/non-US main non-free contrib
=====

And apt-check-sigs tells me everything is ok except
=====
Results
~~~~~~~

The contents of the following files in /var/lib/apt/lists does not
match what was expected. This may mean these sources are out of date,
that the archive is having problems, or that someone is actively using
your mirror to distribute trojans.

    security.debian.org_dists_stable_updates_main_binary-i386_Packages
=====

which is what I should expect according to the Manual.


greets
-- vbi

-- 
Could this mail be a fake? (Answer: No! - http://fortytwo.ch/gpg/intro)



