Adam Mercer wrote: > I've just upgraded my sid box and now apt is complaining that the > packages are untrusted e.g. [...] > skymoo:~# apt-key list > /etc/apt/trusted.gpg > -------------------- > pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31] > uid Debian Archive Automatic Signing Key (2005) > <ftpmaster@debian.org> > yet apt still complains about untrusted packages. > Do I need any other keys in the keyring? There is an easy way to test this. In /var/lib/apt/list you will find the Release and Release.gpg files from your sources. Just verify them manually: |$ gpg --verify /var/lib/apt/lists/ftp.debian.org_debian_dists_sid_Release.gpg \ | /var/lib/apt/lists/ftp.debian.org_debian_dists_sid_Release |gpg: Signature made Fri Jul 1 21:32:07 2005 CEST using DSA key ID 4F368D5D |gpg: Can't check signature: public key not found Even when the key is not on your keyring, gpg will tell you wich key is needed. Just check all the Release/Release.gpg pairs in /var/lib/apt/lists and you will know wich keys you have to add. If you have some unofficial sources for debian packages, then it is quite possible that they aren't signed. (You will find then only a Release file without a corresponding Release.gpg) -- Thomas Weinbrenner
Attachment:
pgpBQHg3Qq7ZU.pgp
Description: PGP signature