Re: Debian Archive Automatic Signing Key (4.0/etch)?

[A Mennucc <debdev@tonelli.sns.it>]

Julien Cristau ha scritto:
> On Wed, Nov 22, 2006 at 14:53:38 +0100, A Mennucc wrote:
> 
>> that package is only 2 days old and did not transition to etch yet
>>
>> so it is too early to start signing etch archives with it ....
>>
>> and it empties the whole idea : to restore my trust path , I
>> will have to manually download that package and install it
>>
> no, because the Release file is still signed with the 2006 key, which is
> in apt's keyring already.

you are right on that : I can check that at least one key is verifying OK
but gpgv returns an error for that;
so debmirror does not run : look

$ cd /var/lib/apt/lists
$ for i in *unstable*Release ; do echo =========== $i ; \
 gpg --verify $i.gpg $i && echo ==== OK ; done

=========== ftp.debian.org_debian_dists_unstable_Release
gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 2D230C5F
gpg: Good signature from "Debian Archive Automatic Signing Key (2006)
<ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 0847 50FC 01A6 D388 A643  D869 0109 0831 2D23 0C5F
gpg: Signature made Wed Nov 22 00:19:30 2006 CET using DSA key ID 6070D3A1
gpg: Can't check signature: public key not found

as you see, no OK is printed.

a.