[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: APT Signature verification public key

On Tue, Apr 24, 2012 at 12:19, Ritesh Raj Sarraf <rrs@debian.org> wrote:
> rrs@champaran:/tmp/apt-offline-downloads-31824$ sudo gpgv
> --ignore-time-conflict --keyring /etc/apt/trusted.gpg --homedir
> /etc/apt/trusted.gpg.d/  /tmp/InRelease.txt
> gpgv: Signature made Tuesday 24 April 2012 01:48:25 PM IST using RSA key
> ID 473041FA
> gpgv: Can't check signature: public key not found

I don't think --homedir does work in a way you would need it to work.
/etc/apt/trusted.gpg.d/ can include various additional keyrings - the
debian-archiv-keyring is one of them. So beside /etc/apt/trusted.gpg
you have to pass also all the keyrings in this directory to gpgv.
$ run-parts --list /etc/apt/trusted.gpg.d/ --regex '^.*\.gpg$'
Will get you a list of files to add. See also apt-key for an example.

But maybe you are able to use SigVerify::RunGPGV in apt-pkg/indexcopy.cc
or apt's gpgv method (/usr/lib/apt/methods/gpgv) text interface instead of
reimplementing them, depending on what you actually need.

Best regards

David Kalnischkies

Reply to: