Re: apt-check-sigs problem (plz cc adambarton@mac.com)

To: Debian User List <debian-user@lists.debian.org>
Cc: Adam Barton <adambarton@mac.com>
Subject: Re: apt-check-sigs problem (plz cc adambarton@mac.com)
From: Adam Barton <adambarton@mac.com>
Date: Thu, 08 Jan 2004 00:28:44 +0000
Message-id: <[🔎] 3FFCA43C.5000509@mac.com>
In-reply-to: <[🔎] 3FFC98DA.6020104@mac.com>
References: <[🔎] 3FFC9830.7090202@mac.com> <[🔎] 3FFC98DA.6020104@mac.com>

Adam Barton wrote:

Adam Barton wrote:
People,
Perhaps you could give me a hand with an issue I am having with theapt-check-sigs script. Also would you mind CCing me on your responsesas I am off list right now.
I have been updating with 'apt-get update && apt-get dist-upgrade'which has been working fine but I now want to use the apt-check-sigsscript to ensure I am using authentic Debian packages.
However, when I run apt-check-sigs I get many gpg: error reading key:public key not found errors and I am not sure to interpret the results.
How should I go about troubleshooting this?
I have already downloadedhttp://ftp-master.debian.org/ziyi_key_2003.asc and installed it using'gpg --no-default-keyring --keyring trustedkeys.gpg --importziyi_key_2003.asc' as root.
I have also changed by sources to use ftp.us.debian.org (not that Ireally think this is so important, but I did notice a release filethat didn't have an associated .gpg file on mirror.ac.uk)
Below is the real info.

Kind regards,

Adam Barton.
[SNIPPED]
Also, it would be wonderful if someone could detail how to manuallyverify release file using gpgv manually.
Kind regards,

Adam Barton.



Ok... perhaps I should stop posting now ;)

If I manually verify ftp://ftp.debian.org/debian/dists/stable/Release &Release.gpg I get the following:


blueboy:~# gpg --verify ./Release.gpg ./Release
gpg: Signature made Thu Nov 20 19:57:33 2003 CET using DSA key ID 38C6029A

gpg: Good signature from "Debian Archive Automatic Signing Key (2003)<ftpmaster@debian.org>"

Could not find a valid trust path to the key.  Let's see whether we
can assign some missing owner trust values.

No path leading to one of our keys found.

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to theowner.

gpg: Fingerprint: EB2F A2AF 170D 2359 26A7  7BF3 B629 A24C 38C6 029A
gpg: Signature made Wed Dec 31 17:26:06 2003 CET using DSA key ID 30B34DD5
gpg: Can't check signature: public key not found
blueboy:~#
blueboy:~#



Reimporting the 'latest' (????) key I notice that the key IDs are different

blueboy:~# gpg --import ./ziyi_key_2003.asc
gpg: key 38C6029A: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
blueboy:~#


So I guess I don't have an up to date ziyi public key.

Can anyone confirm this for me... and if I am correct, when can I findthe key with ID 30B34DD5?


I am going to bed now :D

Kind regards,

Adam Barton.

Reply to:

Follow-Ups:
- Re: apt-check-sigs problem (plz cc adambarton@mac.com)
  - From: Adam Barton <adambarton@mac.com>

References:
- apt-check-sigs problem (plz cc adambarton@mac.com)
  - From: Adam Barton <adambarton@mac.com>
- Re: apt-check-sigs problem (plz cc adambarton@mac.com)
  - From: Adam Barton <adambarton@mac.com>

Prev by Date: installing new kernel packages
Next by Date: Re: best way to storing old mail (mhonarch, archivemail,...,?)
Previous by thread: Re: apt-check-sigs problem (plz cc adambarton@mac.com)
Next by thread: Re: apt-check-sigs problem (plz cc adambarton@mac.com)
Index(es):
- Date
- Thread