[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: public key warning

On Wed, Nov 22, 2006 at 13:58:52 +0800, Deephay wrote:
> On 11/22/06, Kevin Mark <kevin.mark@verizon.net> wrote:
> >On Wed, Nov 22, 2006 at 03:12:27PM +1100, M-L wrote:
> >> On Wednesday 22 November 2006 15:08, Mark Grieveson wrote:
> >> > Hello.  After a recent upgrade of my Etch, I get the following warning:
> >> >
> >> > Fetched 30.2kB in 9s (3350B/s)
> >> > Reading package lists... Done
> >> > W: There are no public key available for the following key IDs:
> >> > A70DAF536070D3A1
> >> > W: You may want to run apt-get update to correct these problems
> >> >
> >> > What does this mean?  Should I be concerned?  Is anyone else receiving
> >> > this warning?
> >> >
> >> > Thanks,
> >> >
> >> > Mark
> >>
> >> I am, and assumed that there was just a glitch with one of the packages
> >> signings, or someones ID key being out of date, changed or something 
> >similar?
> >
> >This will fix that:
> >gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a A70DAF536070D3A1 | 
> >apt-key add -)
> >something about keys changing...
> >Cheers,
> >Kev
> Will this be fixed automatically later?

It is not really broken at the moment because all the package lists are
also still signed with the old automatic signing key (2D230C5F).
Therefore you can just ignore the message; one verifiable signature is
enough for apt.

I expect that the new key will be included in the Debian archive keyring
soon. (/usr/share/keyrings/debian-archive-keyring.gpg from package
debian-archive-keyring) I would rather wait and add the new key by
extracting it from that archive once it is included; it is not really
logical to let apt trust keys that are downloaded from a keyserver
without additional verification. You open yourself to man-in-the-middle
attacks which makes the signing of package debsums rather pointless. If
you accept unverified keys then you might as well just accept unverified
packages directly. On the other hand, if you add the key from the Debian
keyring package then you just transfer your trust of the old key to the
new key without introducing any additional insecurities (assuming that
the new package can be verified with the old key).

I guess that the post-install script of the updated keyring package
could add the new key automatically to apt's keyring, but I do not know
if this will indeed be the case.


Reply to: