
Re: Debian Archive Signing Key to be changed



On Tue, Jun 09, 2009 at 04:01:17PM -0400, Ivan Jager wrote:
> It appears that
> http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
> being signed with the new key, not the old, so it is not trusted.
> 
> Lenny security updates are being signed with both keys, but there
> does not seem to be a newer version of debian-archive-keyring
> there, so I'm not sure what the trust path from the old key to
> the new is supposed to be. From the announcement, it sounded like the
> Release file was supposed to be signed with both keys, but it
> isn't.
> 
> I initially tried the Monday after the announcement, and thought
> it would most likely get fixed after a few days, but still no
> luck.
> 
> For reference, on lenny an apt-get update ends with the following
> error:
> W: There is no public key available for the following key IDs:
> 9AA38DCD55BE302B
> W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
> W: You may want to run apt-get update to correct these problems
> 
> Of course if you then try to install the new
> debian-archive-keyring it gives you a big warning that it is
> untrusted.

Actually it shouldn't.  It's true that apt warns about a new signature
that cannot be verified, but that shouldn't cause apt to think that the
repository is untrusted, because there is still at least one trusted
signature on it (the offline release key).

So you should be able to upgrade debian-archive-keyring without a
warning...

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Attachment: signature.asc
Description: Digital signature
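The verdict rule Philipp describes (an unknown signing key yields only a NO_PUBKEY warning, while the file stays trusted as long as another signature verifies against a key already in the keyring) can be made concrete by folding gpgv's `--status-fd` output into a decision. The following is an added example and not apt's gpgv method or any Debian code: the `[GNUPG:] GOODSIG/BADSIG/NO_PUBKEY` line format is gpgv's real status protocol, but the status lines themselves are constructed for the three cases in the thread, `9AA38DCD55BE302B` is the new key ID quoted above, and `OLD_KEY` is a placeholder standing in for the trusted offline release key, not a real Debian key ID.

```python
"""Multi-signature verdict for a Release.gpg, modelled on the reply above.

Added example, not apt's or Debian's own code. gpgv prints one block of
status lines per signature when run with --status-fd; the rule applied
here is the one the reply describes: a signature from a key the keyring
does not hold is only a warning (NO_PUBKEY), and the file stays trusted
as long as at least one signature verifies (GOODSIG) and none is corrupt
(BADSIG).
"""
import re
from dataclasses import dataclass, field

# Keywords gpgv emits on --status-fd. The line format is real; the
# decision logic below is a model, not apt's gpgv method.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class Verdict:
    good: list[str] = field(default_factory=list)     # key IDs with GOODSIG
    bad: list[str] = field(default_factory=list)      # key IDs with BADSIG
    missing: list[str] = field(default_factory=list)  # key IDs with NO_PUBKEY

    @property
    def trusted(self) -> bool:
        # A corrupt signature fails the whole file; otherwise one verified
        # signature is enough. NO_PUBKEY entries do not affect the outcome.
        return not self.bad and bool(self.good)

    def warnings(self) -> list[str]:
        # Mirror the shape of the apt warning quoted in the thread.
        msgs = []
        if self.missing:
            msgs.append("W: There is no public key available for the "
                        "following key IDs:\n" + "\n".join(self.missing))
        if self.bad:
            msgs.append("W: The following signatures were invalid: "
                        + " ".join(self.bad))
        return msgs


def parse_status(lines: list[str]) -> Verdict:
    """Fold gpgv --status-fd lines into a Verdict."""
    v = Verdict()
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        keyid = rest.split(" ", 1)[0]
        if keyword == "GOODSIG":
            v.good.append(keyid)
        elif keyword == "BADSIG":
            v.bad.append(keyid)
        elif keyword == "NO_PUBKEY":
            v.missing.append(keyid)
    return v


# Constructed status output. OLD_KEY is a placeholder for the trusted
# offline release key, not a real Debian key ID; 9AA38DCD55BE302B is the
# new archive key ID quoted in the thread.
OLD_KEY = "1111111111111111"

# Case from the reply: Release.gpg carries two signatures, the keyring
# knows only the old key. Warning, but still trusted.
BOTH_SIGNED_OLD_KEYRING = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] NO_PUBKEY 9AA38DCD55BE302B",
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {OLD_KEY} Placeholder Release Key <placeholder@example.org>",
]
# Case the original poster observed: signed with the new key only.
# No GOODSIG at all, so the repository really is untrusted.
NEW_KEY_ONLY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] NO_PUBKEY 9AA38DCD55BE302B",
]
# One good signature plus a corrupt one must still fail.
GOOD_PLUS_BAD = [
    f"[GNUPG:] GOODSIG {OLD_KEY} Placeholder Release Key <placeholder@example.org>",
    "[GNUPG:] BADSIG 9AA38DCD55BE302B Placeholder New Key <placeholder@example.org>",
]

if __name__ == "__main__":
    for name, lines in [("both signed, old keyring", BOTH_SIGNED_OLD_KEYRING),
                        ("new key only", NEW_KEY_ONLY),
                        ("good + bad", GOOD_PLUS_BAD)]:
        v = parse_status(lines)
        print(f"{name}: trusted={v.trusted}")
        for w in v.warnings():
            print(w)
```

The practical check this gives you during a key rollover: as long as `gpgv --keyring /etc/apt/trusted.gpg --status-fd 1 Release.gpg Release` prints a GOODSIG for the key you already trust, the NO_PUBKEY for the incoming key is cosmetic and the new debian-archive-keyring can be pulled over that still-trusted channel; if the only status line is NO_PUBKEY, as in the `NEW_KEY_ONLY` case, there is no trust path and the untrusted-package warning is correct.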
