
Re: Update of debian-archive-keyring in stretch?
Hi,

On Sat, Oct 02, 2021 at 09:35:56PM +0530, Utkarsh Gupta wrote:
> Hi Jonathan,
> 
> On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog <hertzog@debian.org> wrote:
> > it would be nice if we could get an update of debian-archive-keyring
> > in stretch to add the bullseye key just like it has been done in buster a
> > while ago:
> >
> https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/

I do wonder to what end - for building things more easily on stretch
perhaps? From the RT point of view, you only need to ensure smooth upgrades
to the next release, we don't support skipping.

Anyway...

> Whilst prepping an update for stretch, I cherry-picked the following
> commits from the salsa repository w cross-checking the update
> as proposed via #985371:
> 
> 464dc87f2dc7d5ef84150a1fe5b326ba9bb5174e -> Add automatic
> signing keys for bullseye.
> 
> 379aebbdf44d2fa9bde4eb5904c9e860cd13eb28 -> Add Debian
> Stable Release Key (11/bullseye).
> 
> 74d1b0366c01b1b4653b5eba24f751655c25bb96 -> Refresh
> signatures over keyrings/debian-archive-keyring.gpg (and not
> keyrings/debian-archive-removed-keys.gpg since I'm not
> removing any keys in this update).
> 
> With these 3 commits, I tried to build the package and it failed
> with the following error:
> 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
> gpg --no-options --no-default-keyring --no-auto-check-trustdb
> --trustdb-name ./trustdb.gpg \
> --keyring keyrings/team-members.gpg \
> --verify active-keys/index.gpg active-keys/index
> gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
> gpg:                using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
> gpg: ./trustdb.gpg: trustdb created
> gpg: BAD signature from "Jonathan Wiltshire <jmw@debian.org>" [expired]
> Makefile:9: recipe for target 'verify-indices' failed
> 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
> 
> I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
> that is, updating your key. But it still failed with the same
> error. I am not sure what's up? Do you have an idea what's
> happening? TIA!

You will need (but may not want) the commit removing jessie's keys as well.
Basically all intermediate commits which touch keyrings - a removal is
really a move from the main keyring to the archive keyring, so it will
change the makeup of the keyring and fail the validation.

If you actually need the jessie keys kept, as I suspect you do, I can
prepare a stretch branch with new signatures on it in a few days.

I intend to simplify the whole thing significantly in bookworm; this whole
jetring and gpg validation thing makes for a lot of maintenance pain.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

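The verify-indices step quoted in the thread, reproduced as an added example (this is not code from the thread or from the debian-archive-keyring package): it creates a throwaway signing key in a temporary GNUPGHOME, exports it into a dedicated keyring file the way keyrings/team-members.gpg is used, signs a constructed active-keys/index with a detached signature, and runs the same gpg options the quoted Makefile rule uses. It then verifies a second copy of the index whose content no longer matches what was signed, which is what a "BAD signature" from that rule means in practice. The key, user id, paths and index lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original mail thread. All names, paths
# and the key below are constructed; nothing touches the real keyring.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupghome"

HAVE_GPG=0
command -v gpg >/dev/null 2>&1 && HAVE_GPG=1

# verify_index <index-file>: the same gpg invocation as the quoted
# Makefile rule, checking the detached signature active-keys/index.gpg
# against the given index file. Prints "good" or "bad".
verify_index() {
  if gpg --no-options --no-default-keyring --no-auto-check-trustdb \
         --trustdb-name "$WORK/trustdb.gpg" \
         --keyring "$WORK/keyrings/team-members.gpg" \
         --verify "$WORK/active-keys/index.gpg" "$1"
  then echo good; else echo bad; fi
}

setup_demo() {
  mkdir -p "$GNUPGHOME" "$WORK/keyrings" "$WORK/active-keys"
  chmod 700 "$GNUPGHOME"

  # Throwaway signing-only key for a hypothetical team member (constructed).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Team Member (constructed) <member@example.invalid>' \
      ed25519 sign 0

  # Public half goes into a dedicated keyring file, like keyrings/team-members.gpg.
  gpg --batch --quiet --export member@example.invalid \
      > "$WORK/keyrings/team-members.gpg"

  # Constructed index of the changesets that make up the keyring, plus a
  # detached signature over it, as in active-keys/index and index.gpg.
  printf '%s\n' \
    'add-bullseye-automatic-keys' \
    'add-bullseye-stable-release-key' > "$WORK/active-keys/index"
  gpg --batch --quiet --detach-sign \
      --output "$WORK/active-keys/index.gpg" "$WORK/active-keys/index"

  # A second copy whose content differs from what was signed: this is the
  # situation when the index is rebuilt but the old signature is kept.
  cp "$WORK/active-keys/index" "$WORK/active-keys/index.tampered"
  echo 'remove-jessie-keys' >> "$WORK/active-keys/index.tampered"
}

if [ "$HAVE_GPG" = 1 ]; then
  setup_demo
  # Matches the signed content: gpg reports "Good signature".
  verify_index "$WORK/active-keys/index"
  # Content changed after signing: gpg reports "BAD signature" and exits non-zero.
  verify_index "$WORK/active-keys/index.tampered"
else
  echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The point for anyone cherry-picking keyring commits: the detached signature covers the exact bytes of the index, so either every commit that changed the index (and its signature) comes along, or the index is re-signed by a key present in the team keyring; a stale signature over a regenerated index will always fail this step.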