
Re: backports



Florian Kulzer wrote:
[...]
> 
> Here is a procedure for paranoid people, starting after your step 2; all
> these commands should be run as an unprivileged user. (The key is
> extracted manually and added to the unprivileged user's keyring; then it
> can be checked without risk.)
> 
> aptitude download debian-backports-keyring
> mkdir tempdir
> dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/
> mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg .
> rm -rf tempdir/
> gpg --import debian-backports-keyring.gpg
> gpg --list-sig 16BA136C
> gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 16BA136C
> 
> If the key has a valid signature of a Debian developer then you can
> export it and add it to apt's key ring. (See my earlier mail.) After
> that you can install the desired backports packages, including the
> backports keyring package for convenience in case of future key updates.
> 
> BTW, the debian-multimedia archive is a special case since Christian
> Marillat does not use a dedicated archive key; he signs the release
> files with his normal public key. This key is already included in the
> debian-keyring package, so you can simply (and safely) export the key
> from this keyring and feed it to apt:
> 
> gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg -a --export 1F41B907 | sudo apt-key add -
> 

This works fine for backports.org and debian-multimedia.org. Unfortunately, the
keyring from debian-unofficial.org is not signed in the same way:

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-unofficial-archive-keyring.gpg --list-sigs
/usr/share/keyrings/debian-unofficial-archive-keyring.gpg
---------------------------------------------------------
pub   1024D/24C52AC3 2007-01-24 [expires: 2008-02-01]
uid                  Debian Unofficial Archive Automatic Signing Key (2007) <ftpmaster@debian-unofficial.org>
sig 3        24C52AC3 2007-01-24  Debian Unofficial Archive Automatic Signing Key (2007) <ftpmaster@debian-unofficial.org>
sig          4B2B2B9E 2007-01-24  [User ID not found]

There is no such sig as 4B2B2B9E on the debian-keyring

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 4B2B2B9E
gpg: error reading key: public key not found

or on a public keyserver

$ gpg --keyserver hkp://subkeys.pgp.net --list-key 4B2B2B9E
gpg: error reading key: public key not found

I think that the best one can do in this case is to take Daniel Baumann's name
from the debian-unofficial website[1] and check that he has an entry in the
Debian developer database[2].

[1] http://www.debian-unofficial.org/
[2] http://db.debian.org

-- 
Chris.
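
Added example, not part of the original messages: a shell sketch that turns the manual `--check-sig` inspection discussed in this thread into a per-signature verdict by parsing GnuPG's `--with-colons` output. The function names and the sample listing are assumptions made for illustration; the sample uses zero-padded short IDs from the thread, not the real long key IDs.

```shell
#!/bin/sh
# Added example. Relies on GnuPG's documented --with-colons format:
# field 1 = record type, field 5 = key ID, and for "sig" records produced by
# --check-sigs field 2 starts with "!" (good), "-" (bad) or "?" (no signer key).
#
# Intended use (paths and key ID as they appear in the thread):
#   gpg --no-default-keyring \
#       --keyring /usr/share/keyrings/debian-unofficial-archive-keyring.gpg \
#       --keyring /usr/share/keyrings/debian-keyring.gpg \
#       --with-colons --check-sigs 24C52AC3 | classify_sigs

# classify_sigs (hypothetical name): print one line per third-party
# signature as "<signed key> <signer key> <verdict>".
classify_sigs() {
    awk -F: '
        $1 == "pub" { key = $5 }            # a new primary key starts here
        $1 == "sig" && $5 != key {          # ignore self-signatures
            c = substr($2, 1, 1)
            if (c == "!")      v = "verified"
            else if (c == "-") v = "BAD"
            else if (c == "?") v = "signer-key-missing"
            else               v = "unchecked"
            print key, $5, v
        }'
}

# has_verified_third_party_sig (hypothetical name): exit 0 only if at least
# one third-party signature verified and none was reported bad.
has_verified_third_party_sig() {
    classify_sigs | awk '$3 == "verified" { ok = 1 } $3 == "BAD" { bad = 1 }
                         END { exit !(ok && !bad) }'
}

# Constructed sample modelled on the listing in the mail above; the 16-digit
# key IDs are the thread's short IDs padded with zeros, not real long IDs.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:0000000024C52AC3:1169596800:1201824000::-:::scESC:
uid:-::::1169596800::::Debian Unofficial Archive Automatic Signing Key (2007) <ftpmaster@debian-unofficial.org>:
sig:!::17:0000000024C52AC3:1169596800::::Debian Unofficial Archive Automatic Signing Key (2007) <ftpmaster@debian-unofficial.org>:13x:
sig:?::17:000000004B2B2B9E:1169596800::::[User ID not found]:10x:
EOF
}
```

A `verified` verdict only means that one of the loaded keyrings held the signer's key, so the signer ID still has to be looked up in debian-keyring on its own before the archive key is handed to apt.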


