Problem with signatures on LTS Release file
On Sun, Apr 26, 2015 at 09:34:00AM +0200, David Ayers wrote:
> and congratulations on the release of Jessie! But I think I'm seeing
> some unexpected side effects, at least from my point of view.
>
> This is the contents of the sources.list of one of my squeeze systems:
...
> an aptitude update currently produces:
> W: There is no public key available for the following key IDs:
> 7638D0442B90D010
> W: There is no public key available for the following key IDs:
> 7638D0442B90D010
>
> This key seems to be a key relevant for Jessie release:
> Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
> It is signed by the wheezy release key:
> 46925553 2014-11-21 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
>
> So I'm assuming that this is legitimate and it would be safe to:
> gpg -a --export 7638D0442B90D010|sudo apt-key add -
>
> But it would be nice if that wouldn't be necessary.
> And it is unclear to me, why this key should be relevant for Squeeze.

It's actually signed by both the wheezy key (46925553) and the jessie
key (2B90D010); the latter is the one it's complaining about. At least
on my squeeze system, the wheezy key is already in the apt trusted store
(indeed, it was added to debian-archive-keyring in 2010.08.28+squeeze1).

I assume that the intention was that systems with either the wheezy
and/or jessie key would be able to verify the signature, but this doesn't
seem to be the case, at least with the version of gpg/apt in squeeze.

Perhaps the FTP-masters need to drop the jessie signature for
squeeze-lts? CCing them for their comments (together with a big thank you
for the release work yesterday!)

Cheers,
Dominic
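
The following is an added example, not part of the original messages and not apt's own code: a sketch of the "either key is enough" policy discussed above, applied to `gpgv --status-fd` style output for a Release file carrying two signatures. The status lines are constructed, the long form of the wheezy key ID is a placeholder (only the short ID 46925553 appears in the thread), and the verdict names are assumptions made for illustration.

```python
import re

# Key IDs: the jessie ID is the one in the apt warning quoted above; the
# wheezy long ID is a placeholder padded around the short ID 46925553.
WHEEZY_ID = "0000000046925553"
JESSIE_ID = "7638D0442B90D010"

# Constructed status output: one signature checks out against the local
# keyring, the other cannot be checked because its public key is absent.
SAMPLE_STATUS = f"""\
[GNUPG:] GOODSIG {WHEEZY_ID} Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
[GNUPG:] ERRSIG {JESSIE_ID} 1 8 00 1429950000 9
[GNUPG:] NO_PUBKEY {JESSIE_ID}
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (\S+))?")

def classify(status_text):
    """Return (good, bad, missing) sets of key IDs from gpgv status lines."""
    good, bad, missing = set(), set(), set()
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        keyword, keyid = m.groups()
        if keyword == "GOODSIG":      # signature verified with a keyring key
            good.add(keyid)
        elif keyword == "BADSIG":     # key present, signature does not match
            bad.add(keyid)
        elif keyword == "NO_PUBKEY":  # signature made by a key we do not hold
            missing.add(keyid)
    return good, bad, missing

def verdict(status_text):
    """Hypothetical policy: one good signature suffices, a bad one never does."""
    good, bad, missing = classify(status_text)
    if bad:
        return "reject"
    if not good:
        return "unverified"
    return "verified-with-warning" if missing else "verified"

if __name__ == "__main__":
    print(verdict(SAMPLE_STATUS))
```

Under this policy a missing key for one of several signatures is reported, but it only blocks verification when no other signature is good.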