Adam Barton wrote:
Adam Barton wrote:
[SNIP]

If I manually verify ftp://ftp.debian.org/debian/dists/stable/Release & Release.gpg I get the following:

blueboy:~# gpg --verify ./Release.gpg ./Release
gpg: Signature made Thu Nov 20 19:57:33 2003 CET using DSA key ID 38C6029A
gpg: Good signature from "Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>"
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.
No path leading to one of our keys found.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: EB2F A2AF 170D 2359 26A7 7BF3 B629 A24C 38C6 029A
gpg: Signature made Wed Dec 31 17:26:06 2003 CET using DSA key ID 30B34DD5
gpg: Can't check signature: public key not found
blueboy:~#
blueboy:~#

Reimporting the 'latest' (????) key I notice that the key IDs are different

blueboy:~# gpg --import ./ziyi_key_2003.asc
gpg: key 38C6029A: public key imported
gpg: Total number processed: 1
gpg: imported: 1
blueboy:~#

So I guess I don't have an up to date ziyi public key.

Can anyone confirm this for me... and if I am correct, when can I find the key with ID 30B34DD5?

Can anyone confirm this? Does anyone actually use apt-check-sigs at all, or do you simply 'dist-upgrade' without it? Perhaps a more useful question in my case would be is anyone using apt-check-sigs successfully with ftp://ftp.debian.org/ dists/stable in their sources.list ? If so, what keys are you using?

Kind regards,
Adam Barton.

Pretzalz:/# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/30B34DD5 2003-12-03 Debian Archive Automatic Signing Key (2003 v2) <ftpmaster@debian.org>
pub 1024D/38C6029A 2002-12-20 Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>

30B34DD5 was created after the compromise and shouldn't be hard to find on any major keyring. 38C6029A is considered unsecure because of the compromise, but I am not sure if it really is or they are just being safe.
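
An added example, not part of the original thread: the gpg transcript quoted above shows a Release file carrying two signatures, one that verifies and one whose public key is missing. The Python below parses that 2003-era human-readable output and accepts the file only when a key from a caller-chosen set made a good signature; the function names and the acceptance policy are assumptions made for illustration.

```python
import re

# gpg lines copied from the transcript quoted in the thread above.
TRANSCRIPT = """\
gpg: Signature made Thu Nov 20 19:57:33 2003 CET using DSA key ID 38C6029A
gpg: Good signature from "Debian Archive Automatic Signing Key (2003) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: EB2F A2AF 170D 2359 26A7 7BF3 B629 A24C 38C6 029A
gpg: Signature made Wed Dec 31 17:26:06 2003 CET using DSA key ID 30B34DD5
gpg: Can't check signature: public key not found
"""

SIG_RE = re.compile(r"^gpg: Signature made .* key ID ([0-9A-F]{8})$")


def classify_signatures(transcript):
    """Map each signing key ID to 'good', 'bad', 'no_pubkey' or 'unknown'."""
    results = {}
    current = None  # key ID of the signature block being read
    for raw in transcript.splitlines():
        line = raw.strip()
        match = SIG_RE.match(line)
        if match:
            current = match.group(1)
            results[current] = "unknown"
        elif current is None:
            continue  # output before the first signature block
        elif line.startswith("gpg: Good signature from"):
            results[current] = "good"
        elif line.startswith("gpg: BAD signature from"):
            results[current] = "bad"
        elif line.startswith("gpg: Can't check signature: public key not found"):
            results[current] = "no_pubkey"
    return results


def release_acceptable(transcript, required_keys):
    """Hypothetical policy: no bad signature, and a required key signed well."""
    results = classify_signatures(transcript)
    if "bad" in results.values():
        return False, results
    return any(results.get(k) == "good" for k in required_keys), results


if __name__ == "__main__":
    # Require the key the reply says was created after the compromise.
    print(release_acceptable(TRANSCRIPT, {"30B34DD5"}))
```

With only 38C6029A on the keyring, as in the transcript, the check fails for `{"30B34DD5"}` and the result names 30B34DD5 as the key still to be imported.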