
Question about Debian archive signing keys



Hello everybody

I would like to share my observations and ask you whether there is something
wrong with the key used to sign the Buster Debian archive, or whether I missed
something in all the explanations I've read around the Internet.

Let's run some commands (not optimized at all; they are only meant to make
the explanation clear):

$ mkdir tmp
$ cd tmp
$ mkdir buster
$ mkdir stretch
$ cd buster
$ wget http://ftp.fr.debian.org/debian/dists/buster/Release
$ wget http://ftp.fr.debian.org/debian/dists/buster/Release.gpg
$ cd ../stretch
$ wget http://ftp.fr.debian.org/debian/dists/stretch/Release
$ wget http://ftp.fr.debian.org/debian/dists/stretch/Release.gpg

At this point, we have both the Buster and the Stretch "Release" files, and
the associated GPG signatures.

While we are in the stretch folder, let's do the GPG verification:

$ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg Release.gpg Release
gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
gpgv:                avec la clef RSA 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Bonne signature de « Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 18 juil. 2020 12:52:12 CEST
gpgv:                avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 18 juil. 2020 12:56:21 CEST
gpgv:                avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpgv:                issuer "debian-release@lists.debian.org"
gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org> »

All is OK. Three public keys are used: Jessie Automatic, Stretch Automatic
and Stretch Stable. Everything seems good.

But if I do the same with Buster, it fails!

$ cd ../buster
$ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg Release.gpg Release
gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
gpgv:                avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
gpgv:                avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
gpgv:                avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpgv:                issuer "debian-release@lists.debian.org"
gpgv: Impossible de vérifier la signature : Pas de clef publique

The last key seems wrong. We have a good signature for Stretch Automatic
and Buster Automatic, but not for Buster Stable. A quick look shows that
the missing key is in fact the Stretch Stable one, according to the fingerprint.

It succeeds if I change the command line to use the correct keyring.

$ gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg Release.gpg Release
gpgv: Signature faite le sam. 01 août 2020 13:06:36 CEST
gpgv:                avec la clef RSA 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Bonne signature de « Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:06:37 CEST
gpgv:                avec la clef RSA 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpgv: Bonne signature de « Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org> »
gpgv: Signature faite le sam. 01 août 2020 13:10:12 CEST
gpgv:                avec la clef RSA 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpgv:                issuer "debian-release@lists.debian.org"
gpgv: Bonne signature de « Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org> »

So my question is really simple: is it correct to sign the Buster archive
"Release" file with the Stretch Stable key? In my opinion, it should be
done with the Buster Stable key.

But, as I said at first, I may have missed something.

Anyway, thanks a lot for your great job!

Regards
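The post above reads gpgv's human-oriented (and localised) output by eye to work out which of the three signatures on the Release file failed and which keyring was missing. For a scripted check the machine-readable status lines gpgv emits with --status-fd are the right input. The following Python script is an added example, not code from the post or from Debian: it parses GOODSIG/VALIDSIG/BADSIG/NO_PUBKEY status lines (format as documented in GnuPG's doc/DETAILS), reports every signature, and names the keyring that would satisfy a missing key. The fingerprint-to-keyring table is inferred from which --keyring made each signature verify in the post; the sample status lines are constructed to mirror the failing Buster run, with the timestamp fields made up.

```python
"""Check every signature on a multi-signed Debian Release file.

Added example, not part of the original post. Reads the [GNUPG:] status
lines that gpgv prints when run with --status-fd, e.g.

    gpgv --status-fd 1 --keyring K1 --keyring K2 Release.gpg Release

and reports per signature whether it verified and, for a NO_PUBKEY result,
which keyring (from the post above) holds the missing key.
"""
import sys
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "

# Fingerprint -> (key name, keyring file under /etc/apt/trusted.gpg.d/).
# Fingerprints and names are those shown in the post; the keyring file for
# each key is inferred from which --keyring made that signature verify there.
KNOWN_KEYS = {
    "126C0D24BD8A2942CC7DF8AC7638D0442B90D010":
        ("Debian Archive Automatic Signing Key (8/jessie)", "debian-archive-jessie-automatic.gpg"),
    "16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC":
        ("Debian Archive Automatic Signing Key (9/stretch)", "debian-archive-stretch-automatic.gpg"),
    "067E3C456BAE240ACEE88F6FEF0F382A1A7B6500":
        ("Debian Stable Release Key (9/stretch)", "debian-archive-stretch-stable.gpg"),
    "0146DC6D4A0B2914BDED34DB648ACFD622F3D138":
        ("Debian Archive Automatic Signing Key (10/buster)", "debian-archive-buster-automatic.gpg"),
}


@dataclass
class SigResult:
    status: str            # "GOOD", "BAD" or "NO_PUBKEY"
    keyid: str             # long key ID (last 16 hex digits of the fingerprint)
    fingerprint: str = ""  # full fingerprint, filled in from VALIDSIG for good sigs
    uid: str = ""          # user ID string reported with GOODSIG/BADSIG


def parse_gpgv_status(lines):
    """Turn gpgv --status-fd lines into one SigResult per signature."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable text (any locale) is ignored
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        rest = fields[2] if len(fields) > 2 else ""
        if keyword == "GOODSIG":
            results.append(SigResult("GOOD", fields[1], uid=rest))
        elif keyword == "BADSIG":
            results.append(SigResult("BAD", fields[1], uid=rest))
        elif keyword == "VALIDSIG":
            # VALIDSIG follows its GOODSIG; field 1 is the full fingerprint
            fpr = fields[1]
            if results and results[-1].status == "GOOD" and fpr.endswith(results[-1].keyid):
                results[-1].fingerprint = fpr
        elif keyword == "NO_PUBKEY":
            results.append(SigResult("NO_PUBKEY", fields[1]))
    return results


def summarize(results):
    """Return (good SigResults, missing key IDs, bad-signature key IDs)."""
    good = [r for r in results if r.status == "GOOD"]
    missing = [r.keyid for r in results if r.status == "NO_PUBKEY"]
    bad = [r.keyid for r in results if r.status == "BAD"]
    return good, missing, bad


def all_signatures_verified(results):
    """Strict policy: every signature present must verify against a supplied key."""
    return bool(results) and all(r.status == "GOOD" for r in results)


def identify_missing(keyid):
    """Map a NO_PUBKEY key ID to (key name, keyring file) if it is a known key."""
    for fpr, (name, keyring) in KNOWN_KEYS.items():
        if fpr.endswith(keyid.upper()):
            return name, keyring
    return None


# Constructed status-fd lines mirroring the failing Buster run in the post:
# stretch-automatic and buster-automatic verify, the 9/stretch stable key is
# absent from the keyrings given. Timestamps are made up for the example.
SAMPLE_BUSTER_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2020-08-01 1596279996 0 4 0 1 10 00 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 2020-08-01 1596279997 0 4 0 1 10 00 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG EF0F382A1A7B6500 1 10 00 1596280212 9
[GNUPG:] NO_PUBKEY EF0F382A1A7B6500
"""

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_BUSTER_STATUS.splitlines()
    res = parse_gpgv_status(source)
    good, missing, bad = summarize(res)
    for r in good:
        print(f"GOOD       {r.fingerprint or r.keyid}  {r.uid}")
    for k in missing:
        hint = identify_missing(k)
        extra = f"  -> add --keyring /etc/apt/trusted.gpg.d/{hint[1]} ({hint[0]})" if hint else ""
        print(f"NO_PUBKEY  {k}{extra}")
    for k in bad:
        print(f"BADSIG     {k}")
    sys.exit(0 if all_signatures_verified(res) else 1)
```

Run it as `gpgv --status-fd 1 --keyring ... Release.gpg Release 2>/dev/null | python3 check_release_sigs.py` (file name assumed); with no input on stdin it runs on the built-in sample. The script deliberately treats any signature it cannot verify as a failure rather than accepting the file on the strength of the other good signatures, which is the stricter policy and surfaces exactly the mismatch the post describes: the third signature on the Buster Release file is made by the 9/stretch stable key, so only the stretch-stable keyring satisfies it.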
