Re: backports
On Tue, Jul 03, 2007 at 09:55:20 +0100, Chris Lale wrote:
[...]
> It seems that this is an outstanding debian-keyring bug dating from 16 Feb 2005:
> #295527 "horribly outdated"[1].
>
> A bug reply mentions a local updated, unofficial version by Roland Stigge:
> debian-keyring_2006.10.11_all.deb[2] dated 11-Oct-2006. I downloaded and
> extracted it using your previous method:
>
> $ mkdir tempdir
> $ dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/
> $ mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg .
> $ rm -rf tempdir/
>
> Then I checked for 4B2B2B9E and got a match!
>
> $ gpg --no-default-keyring --keyring ~/downloads/debs/debian-keyring.gpg
> --check-sig 4B2B2B9E
> gpg: checking the trustdb
> gpg: public key 3C093EEF is 29789 seconds newer than the signature
I don't see this when I do the same. 8 hours difference; a timezone
configuration problem, maybe?
> gpg: public key of ultimately trusted key ECB41FF5 not found
The "ultimately trusted" key should be your own. Did you experiment with
gpg in the past and generate a key (pair) which you deleted again?
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
> pub 1024D/4B2B2B9E 2004-06-20
> uid Daniel Baumann
> [...]
> sig!3 307D56ED 2004-09-18 Noèl Köthe
> sig!3 9B7C328D 2005-03-30 Luk Claes
> sig!3 4B2B2B9E 2004-06-20 Daniel Baumann
> sig!3 4B2B2B9E 2004-06-20 Daniel Baumann
> [...]
> 1 bad signature
> 535 signatures not checked due to missing keys
>
> How well do you think I can trust this debian-keyring_2006.10.11_all.deb package?
It certainly increases trust if a key(ring) checks out from many
different sources. However, I think that the most important thing is
being able to verify signatures with the keys from the debian-keyring
package.
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295527
> [2] http://people.debian.org/~stigge/packages/
--
Regards, | http://users.icfo.es/Florian.Kulzer
Florian |
Reply to: