
Re: backports



On Mon, Jul 02, 2007 at 11:35:19 +0100, Chris Lale wrote:

[ snip: discussion about how to check keys for unofficial repositories ]

> This works fine for backports.org and debian-multimedia.org. Unfortunately, the
> keyring from debian-unofficial.org is not signed in the same way:
> 
> $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-unofficial-archive-keyring.gpg --list-sigs /usr/share/keyrings/debian-unofficial-archive-keyring.gpg
> ---------------------------------------------------------
> pub   1024D/24C52AC3 2007-01-24 [expires: 2008-02-01]
> uid                  Debian Unofficial Archive Automatic Signing Key (2007)
> sig 3        24C52AC3 2007-01-24  Debian Unofficial Archive Automatic Signing Key (2007)
> sig          4B2B2B9E 2007-01-24  [User ID not found]
> 
> There is no such sig as 4B2B2B9E on the debian-keyring
> 
> $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 4B2B2B9E
> gpg: error reading key: public key not found

Yes, it is strange that his key is not on the Debian keyring.

> or on a public keyserver
> 
> $ gpg --keyserver hkp://subkeys.pgp.net --list-key 4B2B2B9E
> gpg: error reading key: public key not found

That is a really annoying "feature" of gnupg: Neither "--list-key(s)"
nor "--search-key(s)" works reliably with key IDs (in my experience at
least); you have to use "--recv-key(s)":

$ gpg --keyserver hkp://subkeys.pgp.net --recv-keys 4B2B2B9E
gpg: requesting key 4B2B2B9E from hkp server subkeys.pgp.net
gpg: key 4B2B2B9E: public key "Daniel Baumann <email address>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

The key is added to your normal user's keyring directly.
 
> I think that the best one can do in this case is to take Daniel Baumann's name
> from the debian-unofficial website[1] and check that he has an entry in the
> Debian developer database[2].
> 
> [1] http://www.debian-unofficial.org/
> [2] http://db.debian.org

I would still check the signature on the Debian Unofficial key after you
have obtained Daniel Baumann's key. (You can get the 4B2B2B9E key from a
keyserver as shown above, or you can click on the fingerprint link in
the database [2] to download the key and use "gpg --import" on the
file.) Once the key is on your keyring you can run:

$ gpg --keyring ./debian-unofficial-archive-keyring.gpg --check-sigs 24C52AC3
pub   1024D/24C52AC3 2007-01-24 [expires: 2008-02-01]
uid                  Debian Unofficial Archive Automatic Signing Key (2007)
sig!3        24C52AC3 2007-01-24  Debian Unofficial Archive Automatic Signing Key (2007)
sig!         4B2B2B9E 2007-01-24  Daniel Baumann

However, since I obtained the 4B2B2B9E key from an untrusted source I
also want to check the signatures of other Debian developers on this
key:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 4B2B2B9E

[ snip: a lot of output ]

The signatures of more than 30 other Debian developers can be verified,
therefore it seems reasonable to trust this key and the archive signing
key.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
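As an added example that is not part of this thread: a small Python script that parses the machine-readable form of the listings above (`gpg --with-colons --check-sigs`) and applies the two checks Florian describes, namely that the archive key carries a verified signature from the maintainer's key and that enough keys from the reference keyring (e.g. debian-keyring) have certified the maintainer's key. The sample listings are constructed; the 16-hex key IDs are placeholders whose last eight digits match 24C52AC3 and 4B2B2B9E, and the developer names and addresses are invented.

```python
# Constructed sample of `gpg --with-colons --check-sigs` output (not real key data;
# the 16-hex IDs are placeholders whose last 8 digits match the thread's short IDs).
# In a sig record, field 2 is "!" if the signature verified and "?" if the signing
# key is absent from the keyring in use.
ARCHIVE_LISTING = """\
pub:-:1024:17:DEADBEEF24C52AC3:1169596800:1201824000::-:::scSC:
uid:-::::1169596800::0000000000000000000000000000000000000000::Debian Unofficial Archive Automatic Signing Key (2007):
sig:!::17:DEADBEEF24C52AC3:1169596800::::Debian Unofficial Archive Automatic Signing Key (2007):13x:
sig:!::17:CAFEBABE4B2B2B9E:1169596800::::Daniel Baumann <email address>:10x:
"""
SIGNER_LISTING = """\
pub:-:1024:17:CAFEBABE4B2B2B9E:1169596800:::-:::scSC:
uid:-::::1169596800::0000000000000000000000000000000000000000::Daniel Baumann <email address>:
sig:!::17:CAFEBABE4B2B2B9E:1169596800::::Daniel Baumann <email address>:13x:
sig:!::17:1111111111111111:1169596800::::Constructed Developer One <one@example.org>:10x:
sig:!::17:2222222222222222:1169596800::::Constructed Developer Two <two@example.org>:10x:
sig:!::1:3333333333333333:1169596800::::Constructed Developer Three <three@example.org>:11x:
sig:?::17:4444444444444444:1169596800::::[User ID not found]:10x:
"""

def same_key(a: str, b: str) -> bool:
    """Short (8), long (16) and full-fingerprint (40) IDs of one key share a
    suffix, so compare on the shorter of the two."""
    a, b = a.upper(), b.upper()
    n = min(len(a), len(b))
    return a[-n:] == b[-n:]

def parse_sigs(listing: str, key: str) -> list[tuple[str, str]]:
    """Return (status, signer_keyid) for each sig record under `key`'s pub record."""
    sigs, inside = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            inside = same_key(f[4], key)
        elif f[0] == "sig" and inside:
            sigs.append((f[1], f[4]))
    return sigs

def good_signers(listing: str, key: str) -> set[str]:
    """Key IDs whose signature on `key` verified ("!"), minus the self-signature."""
    return {kid for status, kid in parse_sigs(listing, key)
            if status == "!" and not same_key(kid, key)}

def assess(archive_listing: str, archive_key: str,
           signer_listing: str, signer_key: str, min_dev_sigs: int) -> dict:
    """Both checks from the mail: signer certified the archive key; enough reference-keyring keys certified the signer."""
    signed = any(same_key(k, signer_key) for k in good_signers(archive_listing, archive_key))
    dev_sigs = len(good_signers(signer_listing, signer_key))
    return {"archive_key_signed_by_signer": signed,
            "verified_developer_sigs": dev_sigs,
            "acceptable": signed and dev_sigs >= min_dev_sigs}
```

Against real output, feed `assess()` the listings produced by the two `--check-sigs` commands from the mail (with `--with-colons` added) and set `min_dev_sigs` to the number of developer certifications you require.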