Re: Impossible to verify GPG signature on Debian Release file
On Tue, Nov 23, 2021 at 04:24:21PM +0100, john doe wrote:
> $ gpg --keyserver keyring.debian.org --keyserver-options auto-key-retrieve --verify Release.gpg Release
The keyserver you're using holds developers' keys, not others like the role
keys. From a Debian system and for the bullseye release file:
$ gpg --no-default-keyring --no-auto-check-trustdb --keyring /usr/share/keyrings/debian-archive-bullseye-stable.gpg --verify Release.gpg Release
[.. gpg noise ..]
gpg: Signature made Sat 09 Oct 2021 10:49:02 BST
gpg: using RSA key A4285295FC7B1A81600062A9605C66F00D6C9793
gpg: issuer "debian-release@lists.debian.org"
gpg: Good signature from "Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793
Substitute other keyrings for different suites.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
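
An added example, not part of the original message: a scripted form of the check above that pins the fingerprint gpg printed, by reading gpg's `--status-fd` lines rather than its human-readable output. The function names `check_status`, `verify_release` and `sample_status` are hypothetical, and the sample status lines are constructed.

```sh
#!/bin/sh
# Added example: pin the key that signed a Debian Release file by parsing
# gpg's machine-readable status lines instead of its human-readable output.

# Fingerprint printed by gpg in the message above (bullseye stable release key).
BULLSEYE_FPR=A4285295FC7B1A81600062A9605C66F00D6C9793

# check_status FPR: read "[GNUPG:]" status lines on stdin. Succeed only if a
# VALIDSIG line names FPR as the primary key and no signature was reported as
# bad, expired, or made by an expired/revoked key. ERRSIG/NO_PUBKEY lines are
# ignored: they appear e.g. when the file also carries a signature from a key
# that is not in the chosen keyring.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: the last field is the primary key fingerprint
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release KEYRING SIGNATURE FILE [FPR]
# The pipeline takes its result from check_status, not from gpg's exit code.
verify_release() {
    gpg --no-default-keyring --no-auto-check-trustdb --keyring "$1" \
        --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "${4:-$BULLSEYE_FPR}"
}

# Constructed status output for offline testing (key ID 0000... is a placeholder).
sample_status() {
    cat <<'EOF'
[GNUPG:] ERRSIG 0000000000000000 1 8 00 1633772942 9 -
[GNUPG:] NO_PUBKEY 0000000000000000
[GNUPG:] GOODSIG 605C66F00D6C9793 Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
[GNUPG:] VALIDSIG A4285295FC7B1A81600062A9605C66F00D6C9793 2021-10-09 1633772942 0 4 0 1 8 00 A4285295FC7B1A81600062A9605C66F00D6C9793
EOF
}

# Example: sh verify-release.sh /usr/share/keyrings/debian-archive-bullseye-stable.gpg Release.gpg Release
if [ "$#" -ge 3 ]; then
    verify_release "$@"
fi
```

For a different suite, pass that suite's keyring as the first argument and its key fingerprint as the fourth.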