
Re: Debian Archive Signing Key to be changed



Hi,

It appears that
http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
being signed with the new key, not the old, so it is not trusted.

Lenny security updates are being signed with both keys, but there
does not seem to be a newer version of debian-archive-keyring
there, so I'm not sure what the trust path from the old key to the
new is supposed to be. From the announcement, it sounded like the
Release file was supposed to be signed with both keys, but it
isn't.

I initially tried the Monday after the announcement, and thought
it would most likely get fixed after a few days, but still no
luck.

For reference, on lenny an apt-get update ends with the following
error:
W: There is no public key available for the following key IDs:
9AA38DCD55BE302B
W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
W: You may want to run apt-get update to correct these problems

Of course if you then try to install the new
debian-archive-keyring it gives you a big warning that it is
untrusted.

Anyways, sorry if I'm sending this to the wrong place, but I hope
you guys can fix it.

Thanks,
Ivan

On Sat, May 23, 2009 at 08:15:11PM +0200, Alexander Reichle-Schmehl scribbled thusly:
> ------------------------------------------------------------------------
> The Debian Project                                http://www.debian.org/
> Debian Archive Signing Key to be changed                press@debian.org
> May 23rd, 2009                  http://www.debian.org/News/2009/20090523
> ------------------------------------------------------------------------
> 
> Debian Archive Signing Key to be changed
> 
> The Debian Project wishes to announce the change of the GNU Privacy
> Guard key used to digitally sign its archive reference files.  Signatures
> are used to ensure that packages installed by users are the very same
> originally distributed by Debian, and have not been exchanged or
> tampered with.
> 
> Affected distributions are the Debian unstable branch (codenamed "Sid")
> as well as the testing branch (codenamed "Squeeze").  The current stable
> version Debian GNU/Linux 5.0 (codenamed "Lenny") and the current
> oldstable version Debian GNU/Linux 4.0 (codenamed "Etch") will have
> their ftpmaster signature updated too. The release managers' signature
> stays untouched.
> 
> The currently used key will expire soon.  The new key has already been
> distributed via the debian-archive-keyring package.  For users of the
> current stable release Debian GNU/Linux 5.0 (codenamed "Lenny") no
> action is required from the user side, since Debian GNU/Linux 5.0
> (codenamed "Lenny") was already shipped with the new key.  Users of the
> current oldstable release Debian GNU/Linux 4.0 (codenamed "Etch") should
> ensure to have upgraded to the latest point release 4.0r8 which added an
> upgraded package containing the new key.  Users of Debian's testing
> branch (codenamed "Squeeze") and Debian's unstable branch (codenamed
> "Sid") should ensure to have at least version 2009.01.31 of the
> debian-archive-keyring package installed.
> 
> Starting with the next mirror update this evening and for the next three
> weeks the archive will be digitally signed by both the old and the new
> key.  Starting with the 13th of June only the new key will be used.
> 
> 
> For reference, the old key is
>   pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
>   uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>
> 
> and the new one
> 
>   pub   4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
>   uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>
> 
> 
> This key rollover is a normal maintenance task and was started in
> January.  For security reasons Debian's archive signing keys regularly
> expire after three years.
> 
> 
> About Debian
> 
> The Debian project is an organisation of many developers who volunteer their
> time and effort, collaborating via the Internet.  Their tasks include
> maintaining and updating Debian GNU/Linux which is a free distribution of the
> GNU/Linux operating system.  Debian's dedication to Free Software, its
> non-profit nature, and its open development model makes it unique among
> GNU/Linux distributions.
> 
> Contact Information
> 
> For further information, please send email to the Debian Press Team
> <press@debian.org> or visit the Debian homepage at <http://www.debian.org/>.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
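The problem Ivan describes (Release.gpg carrying only the new key's signature while the local keyring holds only the old one) is easy to check mechanically. The script below is an added example, not code from the thread or from Debian: it parses the machine-readable lines that `gpg --status-fd 1 --verify Release.gpg Release` prints and reports which of the two announced keys signed the file, which signers are absent from the local keyring (the NO_PUBKEY case in the apt output above), and whether the file is still dual-signed as the announcement promised for the rollover window. The expected key IDs are the short IDs from the announcement; the sample status output is constructed, and the old key's 16-digit long ID in it is made up except for its last eight digits, since the announcement gives only the short form.

```python
"""Check a Release.gpg verification result during an archive key rollover.

Added example, not part of the original thread. It parses the output of
    gpg --status-fd 1 --verify Release.gpg Release
and answers two questions: can this machine verify at least one expected
signature, and is the archive still signed by both the old and the new key?
"""

# Short key IDs from the announcement quoted above: the old 1024D etch key
# (6070D3A1) and the new 4096R lenny key (55BE302B).
EXPECTED_KEYS = {"6070D3A1", "55BE302B"}


def short_id(key_id):
    """Reduce a 16-hex-digit long key ID to the 8-digit short form used in the
    announcement. Short IDs are not collision resistant; a production check
    should compare full fingerprints from VALIDSIG lines instead."""
    return key_id.upper()[-8:]


def parse_gpg_status(status_text):
    """Group signing key IDs from gpg --status-fd output by outcome."""
    result = {"good": set(), "bad": set(), "expired_key": set(), "no_pubkey": set()}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue  # NEWSIG and other keyword-only lines carry no key ID
        keyword, key_id = parts[1], parts[2]
        if keyword == "GOODSIG":
            result["good"].add(key_id)
        elif keyword == "BADSIG":
            result["bad"].add(key_id)
        elif keyword == "EXPKEYSIG":          # valid signature, but the key has expired
            result["expired_key"].add(key_id)
        elif keyword == "NO_PUBKEY":          # signer not present in the local keyring
            result["no_pubkey"].add(key_id)
        elif keyword == "ERRSIG" and len(parts) >= 8 and parts[7] != "9":
            # ERRSIG rc 9 means "no public key" and is followed by NO_PUBKEY;
            # any other rc (unsupported algorithm, etc.) is an unverifiable signature
            result["bad"].add(key_id)
    return result


def rollover_status(parsed, expected=EXPECTED_KEYS):
    """Summarise a parsed verification against the announced key set."""
    signed_by = {short_id(k) for k in parsed["good"]}
    missing_locally = {short_id(k) for k in parsed["no_pubkey"]}
    expired = {short_id(k) for k in parsed["expired_key"]}
    # A signature exists from a key whether or not this machine could check it.
    all_signers = signed_by | missing_locally | expired | {short_id(k) for k in parsed["bad"]}
    return {
        "signed_by": signed_by,
        "missing_locally": missing_locally,
        # at least one checkable good signature from an announced key and no bad ones
        "verifiable": bool(signed_by & expected) and not parsed["bad"],
        # the announcement promised both keys for the three-week overlap
        "dual_signed": expected <= all_signers,
    }


# Constructed sample 1: the situation reported for lenny main. Only the new
# key signed Release, and that key is not in the local keyring.
STATUS_LENNY_MAIN = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 9AA38DCD55BE302B 1 2 00 1243101600 9
[GNUPG:] NO_PUBKEY 9AA38DCD55BE302B
"""

# Constructed sample 2: a dual-signed Release with both keys available
# locally. 9AA38DCD55BE302B is the long ID from the apt error above; the
# old key's long ID is constructed, only its last 8 digits match the
# announcement's short ID 6070D3A1.
STATUS_DUAL = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 012345676070D3A1 Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9AA38DCD55BE302B Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>
"""


def summarize(status_text):
    """Human-readable one-liner for an operator checking a mirror."""
    r = rollover_status(parse_gpg_status(status_text))
    return ("signed by %s; missing locally %s; verifiable=%s; dual_signed=%s"
            % (sorted(r["signed_by"]), sorted(r["missing_locally"]),
               r["verifiable"], r["dual_signed"]))


if __name__ == "__main__":
    print("lenny main:", summarize(STATUS_LENNY_MAIN))
    print("dual-signed:", summarize(STATUS_DUAL))
```

To use it against a live mirror, feed it the stdout of `gpg --status-fd 1 --keyring /usr/share/keyrings/debian-archive-keyring.gpg --verify Release.gpg Release`; `dual_signed` false before the end of the announced overlap is exactly the mirror-side bug reported here, while `verifiable` false with a non-empty `missing_locally` is the client-side symptom (an outdated keyring).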

