Re: Re: Sarge GPG Release signature
>FAQ, covered frequently in the past month here. See:
> http://www.debian-administration.org/articles/174
>... though the answer you need is in the discussion:
[...]
>Note you need *both* the 2006 *and* 2005 keys.
I have everything correct from the beginning:
# gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
/root/.gnupg/trustedkeys.gpg
----------------------------
pub 1024D/276981F4 2004-12-24 [expires: 2008-01-06]
uid Volatile woody/sarge Archive Key
<katie@volatile.debian.net>
uid Volatile Archive Key 2005 <katie@volatile.debian.net>
pub 1024D/4F368D5D 2005-01-31 [expired: 2006-01-31)]
uid Debian Archive Automatic Signing Key (2005)
<ftpmaster@debian.org>
pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid Debian Archive Automatic Signing Key (2006)
<ftpmaster@debian.org>
So please, listen to me: the Sarge main archive is signed with an
EXPIRED key. I know most of you use Etch or SID, but some people are
actually trying to administrate safely and correctly Sarge servers.
Will we need to wait for 3.1r2 or should i trust and expired key ? And
if i should trust an expired key, why do they expire in the first place ?
Again, if i'm not on the right list, please redirect me :-)
TIA,
Alexandre
PS:
# gpgv --keyring trustedkeys.gpg --status-fd 1 Release.gpg Release
gpgv: Signature made Sat Dec 17 11:46:27 2005 CET using DSA key ID 4F368D5D
[GNUPG:] KEYEXPIRED 1138684904
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID /R7QWyOvlm8t3SJCcwo+j2bUiwI 2005-12-17 1134816387
[GNUPG:] EXPKEYSIG F1D53D8C4F368D5D Debian Archive Automatic Signing Key
(2005) <ftpmaster@debian.org>
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005)
<ftpmaster@debian.org>"
[GNUPG:] VALIDSIG 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D 2005-12-17
1134816387 0 3 0 17 2 00 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D
Reply to: