Re: backports
- To: debian-user@lists.debian.org
- Subject: Re: backports
- From: Chris Lale <chrislale@untrammelled.co.uk>
- Date: Mon, 02 Jul 2007 11:35:19 +0100
- Message-id: <4688D4E7.9030204@untrammelled.co.uk>
- In-reply-to: <20070627213431.GA7390@localhost>
- References: <921460.65725.qm@web58904.mail.re1.yahoo.com> <467CE0D9.2080905@untrammelled.co.uk> <20070623160324.GA14166@dementia.proulx.com> <467D4A23.1080002@untrammelled.co.uk> <20070623230745.GA4063@localhost> <467E231D.2050406@untrammelled.co.uk> <20070624101026.GA4439@localhost> <46828FE3.2030807@untrammelled.co.uk> <20070627213431.GA7390@localhost>
Florian Kulzer wrote:
[...]
>
> Here is a procedure for paranoid people, starting after your step 2; all
> these commands should be run as an unprivileged user. (The key is
> extracted manually and added to the unprivileged user's keyring; then it
> can be checked without risk.)
>
> aptitude download debian-backports-keyring
> mkdir tempdir
> dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/
> mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg .
> rm -rf tempdir/
> gpg --import debian-backports-keyring.gpg
> gpg --list-sig 16BA136C
> gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 16BA136C
>
> If the key has a valid signature of a Debian developer then you can
> export it and add it to apt's key ring. (See my earlier mail.) After
> that you can install the desired backports packages, including the
> backports keyring package for convenience in case of future key updates.
>
> BTW, the debian-multimedia archive is a special case since Christian
> Marillat does not use a dedicated archive key; he signs the release
> files with his normal public key. This key is already included in the
> debian-keyring package, so you can simply (and safely) export the key
> from this keyring and feed it to apt:
>
> gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg -a --export 1F41B907 | sudo apt-key add -
>
This works fine for backports.org and debian-multimedia.org. Unfortunately, the
keyring from debian-unofficial.org is not signed in the same way:

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-unofficial-archive-keyring.gpg --list-sigs
/usr/share/keyrings/debian-unofficial-archive-keyring.gpg
---------------------------------------------------------
pub 1024D/24C52AC3 2007-01-24 [expires: 2008-02-01]
uid Debian Unofficial Archive Automatic Signing Key (2007) <ftpmaster@debian-unofficial.org>
sig 3 24C52AC3 2007-01-24 Debian Unofficial Archive Automatic Signing Key (2007) <ftpmaster@debian-unofficial.org>
sig 4B2B2B9E 2007-01-24 [User ID not found]

There is no such sig as 4B2B2B9E on the debian-keyring

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 4B2B2B9E
gpg: error reading key: public key not found

or on a public keyserver

$ gpg --keyserver hkp://subkeys.pgp.net --list-key 4B2B2B9E
gpg: error reading key: public key not found

I think that the best one can do in this case is to take Daniel Baumann's name
from the debian-unofficial website[1] and check that he has an entry in the
Debian developer database[2].
[1] http://www.debian-unofficial.org/
[2] http://db.debian.org
--
Chris.
- Follow-Ups:
- Re: backports
- From: Florian Kulzer <florian.kulzer+debian@icfo.es>
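
The signature check discussed in this thread, as an added example that is not part of the original messages: a shell filter over `gpg --check-sigs --with-colons` output that reports which third-party certifications on an archive key actually verified. The function names are hypothetical, and the sample records and key IDs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): classify the certifications on an
# archive key using the colon-format output of `gpg --check-sigs --with-colons`.
# Fields used: pub field 5 = the key's own ID; sig field 2 = check result
# (! good, - bad, ? no public key, % other error); sig field 5 = signer key ID.

# Reads colon-format records on stdin and prints "<signer-keyid> <verdict>"
# for every signature that is not a self-signature.
classify_sigs() {
    awk -F: '
        $1 == "pub" { self = $5 }
        $1 == "sig" && $5 != self {
            v = "unchecked"
            if ($2 == "!") v = "good"
            else if ($2 == "-") v = "bad"
            else if ($2 == "?") v = "no-public-key"
            else if ($2 == "%") v = "error"
            print $5, v
        }'
}

# Succeeds only if at least one third-party signature verified as good.
has_verified_cert() {
    classify_sigs | grep -q ' good$'
}

# Constructed sample: a key carrying a self-signature plus one signature whose
# issuer is absent from the keyring (the debian-unofficial situation above).
SAMPLE_UNVERIFIABLE='pub:-:1024:17:1111111111111111:1169596800:1201824000::-:::scESC:
uid:-::::1169596800::0000::Example Archive Automatic Signing Key <ftpmaster@example.org>:
sig:!::17:1111111111111111:1169596800::::Example Archive Automatic Signing Key <ftpmaster@example.org>:13x:
sig:?::17:2222222222222222:1169596800::::[User ID not found]:10x:'

# Constructed sample: the same key with a second signature that verified.
SAMPLE_VERIFIED='pub:-:1024:17:1111111111111111:1169596800:1201824000::-:::scESC:
sig:!::17:1111111111111111:1169596800::::Example Archive Automatic Signing Key <ftpmaster@example.org>:13x:
sig:!::17:3333333333333333:1169596800::::Example Developer <dev@example.org>:10x:'

# Demonstration on the constructed records.
printf '%s\n' "$SAMPLE_UNVERIFIABLE" | classify_sigs

# Real use, as an unprivileged user (KEYID is a placeholder):
#   gpg --keyring /usr/share/keyrings/debian-keyring.gpg \
#       --check-sigs --with-colons KEYID | has_verified_cert
```

A "good" verdict only means that some key in the keyring given to gpg certified the archive key, so the result is as trustworthy as that keyring. A self-signature alone proves nothing about who controls the key.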