
Re: Debian Archive Signing Key to be changed



On Wed, Jun 10, 2009 at 10:41:18AM +0200, Philipp Kern scribbled thusly:
> On Tue, Jun 09, 2009 at 04:01:17PM -0400, Ivan Jager wrote:
> > It appears that
> > http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
> > being signed with the new key, not the old, so it is not trusted.
> > 
> > Lenny security updates are being signed with both keys, but there
> > does not seem to be a newer version of debian-archive-keyring
> > there, so I'm not sure what the trust path from the old key the
> > new is supposed to be. From the announcement, it sounded like the
> > Release file was supposed to be signed with both keys, but it
> > isn't.
> > 
> > I initially tried the Monday after the announcement, and thought
> > it would most likely get fixed after a few days, but still no
> > luck.
> > 
> > For reference, on lenny an apt-get update ends with the following
> > error:
> > W: There is no public key available for the following key IDs:
> > 9AA38DCD55BE302B
> > W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
> > W: You may want to run apt-get update to correct these problems

FWIW, if I only have security.d.o in sources.list I only get the
first and last warning, and it doesn't warn about unverified
packages when installing. With ftp.us.d.o I also get the second
warning and later it does complain when I try to install
packages.

> > Of course if you then try to install the new
> > debian-archive-keyring it gives you a big warning that it is
> > untrusted.
> 
> Actually it shouldn't.  It's true that apt warns about a new signature
> that cannot be verified, but that shouldn't cause apt to think that the
> repository is untrusted, because there is still at least one trusted
> signature on it (the offline release key).
 
Ok, something funny is definitely going on. Running gpg on
security.debian.org_dists_lenny_updates_Release.gpg shows both
signatures, whereas running gpg on
ftp.us.debian.org_debian_dists_lenny_Release.gpg warns that "gpg:
WARNING: multiple signatures detected.  Only the first will be
checked." and of course that happens to be the 55BE302B
signature.

Anyways, I worked around the problem on that machine by copying
the keys from a squeeze box that I trust (which is why I have a
*_lenny_Release.gpg file now), but I can still reproduce the
problem on an etch machine, which I will most likely upgrade
after this is solved.

For reference, here is the output of GPG:
On lenny (with the keys copied from squeeze):
kestrel:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg security.debian.org_dists_lenny_updates_Release.gpg
Detached signature.
Please enter name of data file:
No such file, try again or hit enter to quit.
Please enter name of data file: security.debian.org_dists_lenny_updates_Release
gpg: Signature made Tue 09 Jun 2009 03:29:57 PM EDT using RSA key ID 55BE302B
gpg: Good signature from "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 150C 8614 919D 8446 E01E  83AF 9AA3 8DCD 55BE 302B
gpg: Signature made Tue 09 Jun 2009 03:29:57 PM EDT using DSA key ID 6070D3A1
gpg: Good signature from "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50  AD90 A70D AF53 6070 D3A1
kestrel:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg ftp.us.debian.org_debian_dists_lenny_Release.gpg
gpg: WARNING: multiple signatures detected.  Only the first will be checked.
Detached signature.
Please enter name of data file: ftp.us.debian.org_debian_dists_lenny_Release
gpg: Signature made Sat 23 May 2009 01:31:55 PM EDT using RSA key ID 55BE302B
gpg: Good signature from "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 150C 8614 919D 8446 E01E  83AF 9AA3 8DCD 55BE 302B


And on etch without the new keys installed:
explorer:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg
Detached signature.
Please enter name of data file: security.debian.org_dists_etch_updates_Release
gpg: Signature made Tue 09 Jun 2009 03:29:56 PM EDT using RSA key ID 55BE302B
gpg: Can't check signature: public key not found
gpg: Signature made Tue 09 Jun 2009 03:29:56 PM EDT using DSA key ID 6070D3A1
gpg: Good signature from "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50  AD90 A70D AF53 6070 D3A1
explorer:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg ~/Release.gpg 
gpg: WARNING: multiple signatures detected.  Only the first will be checked.
Detached signature.
Please enter name of data file: ftp.us.debian.org_debian_dists_etch_Release
gpg: Signature made Sat 23 May 2009 01:28:27 PM EDT using RSA key ID 55BE302B
gpg: Can't check signature: public key not found

(Note that ~/Release.gpg was downloaded manually because apt-get
wouldn't keep the .gpg file it couldn't verify.)

My best guess is that the ftp.d.o Release.gpg files are being
created in a different way than the security.d.o ones, but I
don't know nearly enough about gpg to hazard a guess as to how.

Thanks for CCing me as I'm not on the list.
Ivan
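
The thread turns on two behaviours that are easier to see with the signature packets laid out than with gpg's one-line summary: GnuPG 1.4 prints "multiple signatures detected. Only the first will be checked" when the signatures in one detached file do not all share the same signature class and digest algorithm, and apt treats a Release file as trusted as long as at least one of its signatures can be verified against the keyring. The script below is an added example, not code from Ivan's mail or from Debian; it parses the OpenPGP packets of a detached Release.gpg (RFC 4880 old- and new-format headers, v4 signature packets, issuer and creation-time subpackets) without doing any cryptographic verification, reports each signature's issuer, algorithms and digest, and applies the gpg 1.4 rule. The two sample files are constructed in the block: the key IDs 9AA38DCD55BE302B and A70DAF536070D3A1 are taken from the fingerprints quoted above, everything else (timestamps, digest choices, the MPI filler bytes) is made up for the demonstration and says nothing about how ftp.debian.org or security.debian.org actually signed their files.

```python
"""List the signature packets in a detached OpenPGP signature (Release.gpg).

Added example: parses packet structure only, performs no verification."""
import struct
from dataclasses import dataclass

PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA"}   # RFC 4880 9.1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # 9.4


@dataclass
class SigInfo:
    key_id: str        # 16 hex digits of the issuer key ID
    pubkey_algo: str
    hash_algo: str
    sig_class: int     # 0x00 = signature over a binary document
    created: int       # seconds since the epoch


def _read_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old and new headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag, b0 = ctb & 0x3F, data[i]; i += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[i] + 192; i += 1
            elif b0 == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not expected here")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length = data[i]; i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]; i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                length = len(data) - i      # indeterminate: rest of input
        yield tag, data[i:i + length]
        i += length


def _subpackets(buf: bytes):
    """Yield (type, data) for each signature subpacket in buf."""
    i = 0
    while i < len(buf):
        b0 = buf[i]; i += 1
        if b0 < 192:
            n = b0
        elif b0 < 255:
            n = ((b0 - 192) << 8) + buf[i] + 192; i += 1
        else:
            n = struct.unpack(">I", buf[i:i + 4])[0]; i += 4
        yield buf[i], buf[i + 1:i + n]      # first octet of the body is the type
        i += n


def parse_signature(body: bytes) -> SigInfo:
    """Decode the fixed fields and subpackets of a v4 signature packet."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    sig_class, pk, hash_ = body[1], body[2], body[3]
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    off = 6 + hlen
    ulen = struct.unpack(">H", body[off:off + 2])[0]
    unhashed = body[off + 2:off + 2 + ulen]
    key_id = created = None
    for t, d in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if t == 16:                         # issuer key ID
            key_id = d.hex().upper()
        elif t == 2:                        # signature creation time
            created = struct.unpack(">I", d)[0]
    return SigInfo(key_id, PUBKEY_ALGOS.get(pk, str(pk)),
                   HASH_ALGOS.get(hash_, str(hash_)), sig_class, created)


def list_signatures(data: bytes):
    return [parse_signature(b) for tag, b in _read_packets(data) if tag == 2]


def gpg14_checks_all(sigs) -> bool:
    """gpg 1.4 checks only the first signature unless all share class+digest."""
    return len({(s.sig_class, s.hash_algo) for s in sigs}) <= 1


def checkable_by(sigs, keyring_ids):
    """Signatures whose issuer is in the keyring (apt needs at least one)."""
    return [s for s in sigs if s.key_id in keyring_ids]


# --- constructed sample data (not real Debian signatures) -------------------
def _sig_packet(key_id_hex, pk, hash_, created, mpi_filler):
    hashed = bytes([5, 2]) + struct.pack(">I", created)        # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id_hex)      # issuer
    body = (bytes([4, 0x00, pk, hash_]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + mpi_filler)
    return bytes([0x89]) + struct.pack(">H", len(body)) + body  # old header, tag 2

T = 1243099915                                                 # 2009-05-23 17:31:55 UTC (constructed)
RSA_SHA256 = _sig_packet("9AA38DCD55BE302B", 1, 8, T, struct.pack(">H", 16) + b"\xde\xad")
DSA_SHA1 = _sig_packet("A70DAF536070D3A1", 17, 2, T, (struct.pack(">H", 8) + b"\x01") * 2)
RSA_SHA1 = _sig_packet("9AA38DCD55BE302B", 1, 2, T, struct.pack(">H", 16) + b"\xde\xad")
FTP_STYLE = RSA_SHA256 + DSA_SHA1     # mixed digests: gpg 1.4 checks only the first
SECURITY_STYLE = RSA_SHA1 + DSA_SHA1  # same digest throughout: both get checked
ETCH_KEYRING = {"A70DAF536070D3A1"}   # keyring that knows only the etch key

if __name__ == "__main__":
    for name, blob in (("mixed", FTP_STYLE), ("uniform", SECURITY_STYLE)):
        sigs = list_signatures(blob)
        print(name, [(s.key_id, s.pubkey_algo, s.hash_algo) for s in sigs],
              "gpg1.4 checks all:", gpg14_checks_all(sigs),
              "checkable with etch keyring:", len(checkable_by(sigs, ETCH_KEYRING)))
```

Run against a real `/var/lib/apt/lists/*_Release.gpg` the same functions show which key IDs and digests a file carries, which is the information gpg's one-line warning hides; whether a signature is actually valid still has to come from gpg or a verifying library.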

