
double GPG signature in Release files



Hi,

I use amd64 here; recently all tools (aptitude, debmirror)
started complaining that archives are not properly signed.
Here is a snippet of code to show the situation:

$ cd /var/lib/apt/lists
$ for i in *Release ; do echo =========== $i ; \
 gpg --verify $i.gpg $i && echo ==== OK ; done

=========== ftp.debian.org_debian_dists_unstable_Release
gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 6070D3A1
gpg: Can't check signature: public key not found
=========== ftp.it.debian.org_debian_dists_etch_Release
gpg: Signature made Wed Nov 22 00:18:42 2006 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
gpg: Signature made Wed Nov 22 00:18:42 2006 CET using DSA key ID 6070D3A1
gpg: Can't check signature: public key not found
=========== ftp.it.debian.org_debian_dists_unstable_Release
gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 6070D3A1
gpg: Can't check signature: public key not found
=========== security.debian.org_dists_etch_updates_Release
gpg: Signature made Tue Nov 21 19:14:24 2006 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
==== OK


As you see, many archives seem to be signed with two keys:
1st is key 2D230C5F
 "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
2nd is key 6070D3A1

Why is this?

Where do I find the latter key?

a.
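
Added example (not part of the original post): the loop above treats a Release file as failed whenever any one of its signatures cannot be checked. The sketch below instead classifies each signature from gpg's machine-readable --status-fd output. The acceptance policy, the function names and the sample status lines are assumptions of this example; the upper half of the second long key ID is a placeholder because only 6070D3A1 appears in the post.

```sh
#!/bin/sh
# Classify every signature reported by
#   gpg --status-fd 1 --verify Release.gpg Release 2>/dev/null
# Policy (assumption of this example): accept when the pinned key made a
# valid signature and none is bad; a signature whose public key is absent
# is reported but does not fail the check.

# Fingerprint printed in the post for key 2D230C5F, spaces removed.
PINNED_FPR=084750FC01A6D388A643D869010908312D230C5F

# Constructed status lines modelled on the post's unstable Release output.
# The upper half of the second long key ID is a placeholder (not on the page).
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 084750FC01A6D388A643D869010908312D230C5F 2006-11-21 1164151170 0 3 0 17 2 00 084750FC01A6D388A643D869010908312D230C5F
[GNUPG:] ERRSIG 000000006070D3A1 17 2 00 1164151170 9
[GNUPG:] NO_PUBKEY 000000006070D3A1
EOF
}

# $1 = pinned fingerprint, status lines on stdin.
# Exit status: 0 accepted, 1 pinned key did not sign, 2 a signature is bad.
check_release_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { pinned = 1 }
        $2 == "BADSIG"    { bad = bad " " $3 }
        $2 == "NO_PUBKEY" { missing = missing " " $3 }
        END {
            if (missing != "") print "missing-key:" missing
            if (bad != "")   { print "bad-signature:" bad; exit 2 }
            if (!pinned)     { print "no-pinned-signature"; exit 1 }
            print "accepted: " pin
        }'
}

sample_status | check_release_status "$PINNED_FPR"
```

Comparing the full fingerprint rather than the 8-digit key ID avoids accepting a different key that shares the short ID.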
