[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apt no verify key in sid

Adam Mercer wrote:

> I've just upgraded my sid box and now apt is complaining that the
> packages are untrusted e.g.


> skymoo:~# apt-key list
> /etc/apt/trusted.gpg
> --------------------
> pub   1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
> uid                  Debian Archive Automatic Signing Key (2005)
> <ftpmaster@debian.org>

> yet apt still complains about untrusted packages.

> Do I need any other keys in the keyring?

There is an easy way to test this.
In /var/lib/apt/list you will find the Release and Release.gpg files
from your sources. Just verify them manually:

|$ gpg --verify /var/lib/apt/lists/ftp.debian.org_debian_dists_sid_Release.gpg \
| /var/lib/apt/lists/ftp.debian.org_debian_dists_sid_Release
|gpg: Signature made Fri Jul  1 21:32:07 2005 CEST using DSA key ID 4F368D5D
|gpg: Can't check signature: public key not found

Even when the key is not on your keyring, gpg will tell you wich key is
Just check all the Release/Release.gpg pairs in /var/lib/apt/lists and
you will know wich keys you have to add.

If you have some unofficial sources for debian packages, then it is
quite possible that they aren't signed. (You will find then only a
Release file without a corresponding Release.gpg)

Thomas Weinbrenner

Attachment: pgpXBTSxcRkOI.pgp
Description: PGP signature

Reply to: