
Re: debian unofficial key problems



[ Note: I edited all the output below, removing the email addresses. ]

On Sat, Mar 22, 2008 at 16:50:17 +0000, Frank Wilson wrote:
> I'm using the unofficial repository for some packages but I keep
> getting the following error
> whenever I run "aptitude update":
> 
> W: GPG error: http://ftp.debian-unofficial.org testing Release: The
> following signatures couldn't be verified because the public key is
> not available: NO_PUBKEY 394D199524C52AC3
> 
> I tried registering the public key for this repo locally, but the
> above suggests to me this hasn't worked. (I've re-run "aptitude update"
> several times since I added the key)
> 
> There is however an entry for debian-unofficial in my "apt-key list" output:
> 
> pub   1024D/FDB8D39A 2008-01-02 [expires: 2009-02-01]
> uid                  Debian Unofficial Archive Automatic Signing Key (2008) <...>
> sub   2048g/5A17668F 2008-01-02 [expires: 2009-02-01]
> 
> Which seems to correspond with this:
> 
> http://www.debian-unofficial.org/faq.html
> 
> Any idea what I am doing wrong?

The key that apt is complaining about is their 2007 signing key: 

$ gpg --recv-keys 394D199524C52AC3
gpg: requesting key 24C52AC3 from hkp server subkeys.pgp.net
gpg: key 24C52AC3: public key "Debian Unofficial Archive Automatic Signing Key (2007) <...>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-key 394D199524C52AC3
pub   1024D/24C52AC3 2007-01-24 [expired: 2008-02-01]
uid                  Debian Unofficial Archive Automatic Signing Key (2007) <...>

If it does not bother you that they sign their current Release file(s)
with an expired key then you can add the old key to your apt keyring and
the message will stop. It is reassuring that it is at least possible to
establish a chain of trust from the 2007 key to the official Debian
keyring: The 24C52AC3 key is signed by Daniel Baumann, who is a Debian
developer. (Of course, you cannot and should not trust me, so you have
to verify this yourself if you want to take security seriously.)

If you prefer to download the key from their website instead of using
the gpg command above then you have to replace "2008" with "2007" in the
wget URL that they give in their FAQ.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
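
The mismatch diagnosed above, as an added example that is not part of the original message: a shell sketch that extracts the long key ID from the NO_PUBKEY warning, reduces it to the short ID that the old listing format prints, and reports whether that key is missing, expired or present in a listing. The function names are hypothetical and the sample input is constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample input is constructed
# from the output quoted in the thread.

# Print the 16-hex-digit long key ID that follows NO_PUBKEY in an apt warning
# (the warning may be wrapped over several lines, so join them first).
nopubkey_id() {
    printf '%s\n' "$1" | tr '\n' ' ' |
        sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]\{16\}\).*/\1/p'
}

# Old gpg listings show only the short ID: the last 8 hex digits of the long ID.
short_id() {
    printf '%s\n' "$1" | sed 's/^.*\(.\{8\}\)$/\1/'
}

# Print "missing", "expired" or "present" for short ID $1 in key listing $2.
key_status() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "pub" {
            split($2, part, "/")
            if (toupper(part[2]) == toupper(id)) {
                found = 1
                if ($0 ~ /\[expired:/) expired = 1
            }
        }
        END {
            if (!found) print "missing"
            else if (expired) print "expired"
            else print "present"
        }'
}

WARNING="W: GPG error: http://ftp.debian-unofficial.org testing Release: The
following signatures couldn't be verified because the public key is
not available: NO_PUBKEY 394D199524C52AC3"
APT_KEYRING="pub   1024D/FDB8D39A 2008-01-02 [expires: 2009-02-01]
uid                  Debian Unofficial Archive Automatic Signing Key (2008) <...>
sub   2048g/5A17668F 2008-01-02 [expires: 2009-02-01]"
GPG_LISTING="pub   1024D/24C52AC3 2007-01-24 [expired: 2008-02-01]
uid                  Debian Unofficial Archive Automatic Signing Key (2007) <...>"

wanted=$(short_id "$(nopubkey_id "$WARNING")")
echo "apt wants key $wanted"
echo "in apt keyring:     $(key_status "$wanted" "$APT_KEYRING")"
echo "in fetched listing: $(key_status "$wanted" "$GPG_LISTING")"
```

Short 8-digit key IDs can collide, so a match here is a diagnostic hint only; compare the full fingerprint before trusting a key.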

