hi I use amd64 here ; recently all tools (aptitude, debmirror) started complaining that archives are not properly signed ; here is a snippet of code to show the situation: $ cd /var/lib/apt/lists $ for i in *Release ; do echo =========== $i ; \ gpg --verify $i.gpg $i && echo ==== OK ; done =========== ftp.debian.org_debian_dists_unstable_Release gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 2D230C5F gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 6070D3A1 gpg: Can't check signature: public key not found =========== ftp.it.debian.org_debian_dists_etch_Release gpg: Signature made Wed Nov 22 00:18:42 2006 CET using DSA key ID 2D230C5F gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F gpg: Signature made Wed Nov 22 00:18:42 2006 CET using DSA key ID 6070D3A1 gpg: Can't check signature: public key not found =========== ftp.it.debian.org_debian_dists_unstable_Release gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 2D230C5F gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 6070D3A1 gpg: Can't check signature: public key not found =========== security.debian.org_dists_etch_updates_Release gpg: Signature made Tue Nov 21 19:14:24 2006 CET using DSA key ID 2D230C5F gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F ==== OK as you see many archives seem to be signed with two keys: 1st is key 2D230C5F "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" 2nd is a key 6070D3A1 why this ? where do I find the latter key ? a.
Attachment:
signature.asc
Description: OpenPGP digital signature