[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Empty Release.gpg files and Debian Archive key for 2005


Note: maybe replace "apt-secure" with "apt/experimental" below since the package isn't called apt-secure, it's called apt and available from experimental.

Firstly: I'm spending much more time handling apt-secure than I'd like, just because I'm not getting the relevant information. It would really help if there would be a central place for getting information. When are the new keys released, by whom, where are they announced? Ok they are released now, and I've found out where (see "wget" below), but it came as a surprise and coupled with other problems.

At 16:58 Uhr +0100 29.01.2005, Michal J. Gajda wrote:
I'm probably not the only one to notice, that Release.gpg files for unstable and
testing are empty,

Yes, I've seen that as well. (And apt-secure from experimental seemed to choke on that, it didn't give any sensible error message until I tried apt-get update -o Debug::Acquire::gpgv=yes)

 and that Debian Archive key for 2005 seems not to appear in

"Hum, I thought they are, on purpose, not included there, since the archive signing keys are not maintainer keys" -- ehr, I realize you're not talking about the debian-keyring package. I wasn't aware that there's such a file on the system. Hm, it's from the apt package. (How would I be able to upgrade to a newer apt package containing the new key if apt doesn't work anymore because of the missing key?.. apt would need the new key long before it was actually in use on the debian archives, so that users have the new key installed in time. And how to handle that when sarge is stable, will a newer apt be offered as part of security updates? Shouldn't the above keyring be offered in a package separate from apt?)

When can I hope new Debian Archive for 2005 to appear?
Who can fix the problem?
Is there a workaround? (Some way to use apt and verify packages by myself?)

From what I've read in the apt-secure docs (it seems they are currently at http://www.syntaxpolice.org/apt-secure/index.html ?) you should add the key to /etc/apt/trusted.gpg.

# cd /etc/apt/
# gpg --no-default-keyring --keyring ./trusted.gpg --list-keys --with-fingerprint
..Debian Archive Automatic Signing Key (2004)..
# wget 'http://ftp-master.debian.org/ziyi_key_2005.asc'
# gpg --no-default-keyring --with-fingerprint ziyi_key_2005.asc
pub 1024D/4F368D5D 2005-01-31 Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
  Schl.-Fingerabdruck = 4C7A 8E5E 9454 FE3F AE1E  78AD F1D5 3D8C 4F36 8D5D
# gpg --no-default-keyring --keyring ./trusted.gpg --import ziyi_key_2005.asc
..Debian Archive Automatic Signing Key (2005)..importiert

At 21:03 Uhr +0100 29.01.2005, Florian Weimer wrote:
* Michal J. Gajda:

 When can I hope new Debian Archive for 2005 to appear?
 Who can fix the problem?

I've suggested to the ftp-masters to add a new self-signature to the
2004 key as a temporary measure.  This should fix the Release file

Hm, I can't make any sense of this statement. If you don't have the public key, no self-signature will help at all. And even if apt-secure would fetch the key from somewhere and trust it because of some signature: if it is made right, it should complain about missing real signature. So why would a self-signature help?

I feel there's a lack of a central source of information about all the public key related topics around Debian. I can't find any info on www.debian.org. I realize there is http://wiki.debian.net, maybe that would be a place to start such a page?

- Who is doing what in the apt-secure, package archive signing keys, ...? Is there a leader?
- what's the status of apt-secure? Will it enter Debian soon? Will it later?
- it seems that other Debian based distributions are already using apt-secure (while googling, I've found a blog where someone is explaining how to solve the key issues and he didn't sound like he installed apt-secure himself). Is that true? Any links about how they are doing it?

(One should also mention the other 'solutions' out there for signature checking (some shellscripts are/have been floating around some time ago). And mention how to check source packages. ...)


Lastly: it seems, that currently the woody archive is broken. A Release.gpg file is there, created with the 2005 key, but it's signature doesn't match the Release file.

- Is this a bug in the master server?
- Is it because not both files have been mirrored at the same time? (I'm using de.debian.org server). Is it a general problem of apt-secure?.


Reply to: