Re: Question about Debian archive signing keys

To: F!nTcH <fintch@fintch.org>
Cc: debian-release@lists.debian.org
Subject: Re: Question about Debian archive signing keys
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Mon, 03 Aug 2020 20:49:18 +0100
Message-id: <[🔎] 41ca181d9b3b08d6579476ac6aaddd16257a68ba.camel@adam-barratt.org.uk>
In-reply-to: <[🔎] 6d97733a-c464-28b9-cf7a-80b825d964eb@fintch.org>
References: <[🔎] 6d97733a-c464-28b9-cf7a-80b825d964eb@fintch.org>

On Mon, 2020-08-03 at 17:40 +0200, F!nTcH wrote:
> I would like to share my observations and ask you if there is
> something wrong about key used to sign the Buster Debian Archive, or
> if I missed something in all explanations I've read all around the
> Internet.
> 
> But, if I do the same with Buster, it fails !
[...]
> gpgv:                avec la clef RSA
> 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
> gpgv:                issuer "debian-release@lists.debian.org"
> gpgv: Impossible de vérifier la signature : Pas de clef publique
> 
> The last key seems wrong. We have good signature for Stretch
> Automatic and Buster Automatic but not for Buster Stable. A quick
> look shows up that the missing key is in fact Stretch Stable,
> according to fingerprint.

Oops. Thanks for bringing this to our attention.

You are correct that the SRM signature should be from the buster key.
We're working with ftp-master to get an additional signature added that
uses that key. (So 10.5's release files will have 4 signatures rather
than the usual 3.)

Regards,

Adam

Reply to:

Follow-Ups:
- Re: Question about Debian archive signing keys
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Question about Debian archive signing keys
  - From: F!nTcH <fintch@fintch.org>

Prev by Date: Re: Question about Debian archive signing keys
Next by Date: Re: Question about Debian archive signing keys
Previous by thread: Re: Question about Debian archive signing keys
Next by thread: Re: Question about Debian archive signing keys
Index(es):
- Date
- Thread