Re: "missing pubkey" for buster-security

To: debian-user@lists.debian.org
Subject: Re: "missing pubkey" for buster-security
From: Ansgar Burchardt <"Ansgar Burchardt"@43-1.org>
Date: Mon, 06 May 2019 08:20:52 +0200
Message-id: <[🔎] 87ef5c14u3.fsf@43-1.org>
In-reply-to: <[🔎] 42b8d63e-8ca7-1754-40a1-95a85e1f7004@aixigo.de> (Harald Dunkel's message of "Mon, 6 May 2019 07:58:11 +0200")
References: <[🔎] 42b8d63e-8ca7-1754-40a1-95a85e1f7004@aixigo.de>

Harald Dunkel writes:
> I am running a local mirror of the security.debian.org
> repository for in-house use. It seems to be available for
> Buster as well, except that there is an error message
>
> ERROR: Condition '7638D0442B90D010' not fulfilled for
> '/var/www/official/lists/buster-security_buster%2Fupdates_InRelease'.
> Signatures in '/var/www/official/lists/buster-security_buster%2Fupdates_InRelease':
> '9D6D8F6BC857C906' (signed 2019-05-03): missing pubkey
> 'AA8E81B4331F7F50' (signed 2019-05-03): missing pubkey
> Error: Not enough signatures found for remote repository
> buster-security (http://security.debian.org buster/updates)!
> There have been errors!

These keys are already in the debian-archive-keyring package (in
testing/unstable):

+---
| $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --list-keys 7638D0442B90D010 9D6D8F6BC857C906 AA8E81B4331F7F50
| pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
|       126C0D24BD8A2942CC7DF8AC7638D0442B90D010
| uid           [  full  ] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
|
| pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
|       D21169141CECD440F2EB8DDA9D6D8F6BC857C906
| uid           [  full  ] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
|
| pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
|       6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9
| uid           [  full  ] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
| sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
|       379483D8B60160B155B372DDAA8E81B4331F7F50
+---

Your condition requires the security archive to be signed with the
main archive key; that is wrong.

The 9/stretch keys are fairly new and were announced in [1].

  [1] https://lists.debian.org/debian-devel-announce/2019/04/msg00008.html

> These keys are unknown on keyserver as well:
>
> # apt-key adv --keyserver keyring.debian.org --recv-keys 9D6D8F6BC857C906

keyring.d.o only has developer keys, not any of the other keys Debian
might be using.  I recommend getting them either from the
debian-archive-keyring package or the locations referred to in the
announcement; they should also be available on other keyservers.

I would also recommend using the full fingerprint instead of shorter keyids.

Ansgar

Reply to:

Follow-Ups:
- Re: "missing pubkey" for buster-security
  - From: Harald Dunkel <harald.dunkel@aixigo.de>

References:
- "missing pubkey" for buster-security
  - From: Harald Dunkel <harald.dunkel@aixigo.de>

Prev by Date: "missing pubkey" for buster-security
Next by Date: Re: next amd64 stretch problem
Previous by thread: "missing pubkey" for buster-security
Next by thread: Re: "missing pubkey" for buster-security
Index(es):
- Date
- Thread