why do we need old keys in our debian-archive-keyring?
Dear all,
Please CC me while answering as I'm not subscribed to the list, sorry.
I was looking at the output of $ apt-key list
and saw the following -
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
12D4 CD60 0C22 40A9 F4A8 2071 D7B0 B669 41D0 1538
uid [ unknown] riot.im packages <packages@riot.im>
sub rsa3072 2019-04-15 [S] [expires: 2021-04-14]
pub rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
AAF9 AE84 3A75 84B5 A3E4 CD2B CF45 A512 DE2D A058
uid [ unknown] matrix.org packages <packages@matrix.org>
sub rsa3072 2019-04-15 [S] [expires: 2021-04-14]
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
It actually had slightly different values for the jessie and stretch
keys (dates) which I deleted and then found I could not use apt update
as it gave errors such as -
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY AA8E81B4331F7F50
Then I searched and saw a forum post sharing that the
debian-archive-keyring is maybe not up-to-date.
I downloaded the latest from sid/unstable and using dpkg -i did the
installation, although the latest would have migrated to buster
tomorrow itself according to tracker.debian.org/debian-archive-keyring.
$ wget http://ftp.de.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2019.1_all.deb
$ sudo dpkg -i debian-archive-keyring<TAB> for auto-completion
So now it showed -
$ apt-cache policy debian-archive-keyring
debian-archive-keyring:
Installed: 2019.1
Candidate: 2019.1
Version table:
*** 2019.1 500
500 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 Packages
100 /var/lib/dpkg/status
2018.1 990
990 http://cdn-fastly.deb.debian.org/debian buster/main amd64 Packages
did that and tried again but still got the same errors as above.
Then I did -
root@debian:~# gpg --recv-keys 04EE7237B7D453EC
gpg: key E0B11894F66AEC98: 12 signatures not checked due to missing keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
root@debian:~# gpg --export 04EE7237B7D453EC | apt-key add -
OK
I still got errors, but fewer errors, hence I did the same procedure as above -
$ su -
Password:
root@debian:~# gpg --recv-keys 9D6D8F6BC857C906
gpg: key 9D6D8F6BC857C906: 13 signatures not checked due to missing keys
gpg: key 9D6D8F6BC857C906: public key "Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
root@debian:~# gpg --export 9D6D8F6BC857C906 | apt-key add -
OK
now when I looked at apt-key list I see these two -
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
I found it odd that the jessie and stretch keys are and were being
used, and couldn't understand why.
I also looked at the list of files in the package -
$ dpkg -L debian-archive-keyring
/.
/etc
/etc/apt
/etc/apt/trusted.gpg.d
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
/usr
/usr/share
/usr/share/doc
/usr/share/doc/debian-archive-keyring
/usr/share/doc/debian-archive-keyring/README
/usr/share/doc/debian-archive-keyring/changelog.gz
/usr/share/doc/debian-archive-keyring/copyright
/usr/share/keyrings
/usr/share/keyrings/debian-archive-buster-automatic.gpg
/usr/share/keyrings/debian-archive-buster-security-automatic.gpg
/usr/share/keyrings/debian-archive-buster-stable.gpg
/usr/share/keyrings/debian-archive-jessie-automatic.gpg
/usr/share/keyrings/debian-archive-jessie-security-automatic.gpg
/usr/share/keyrings/debian-archive-jessie-stable.gpg
/usr/share/keyrings/debian-archive-keyring.gpg
/usr/share/keyrings/debian-archive-removed-keys.gpg
/usr/share/keyrings/debian-archive-stretch-automatic.gpg
/usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
/usr/share/keyrings/debian-archive-stretch-stable.gpg
I find it strange that stretch and jessie keys are being used. Perhaps
for migration purposes from jessie or stretch to buster?
I also saw the documentation
~$ cat /usr/share/doc/debian-archive-keyring/README
but it didn't tell me much that I didn't already know.
If I'm reading right, some 2.5 years from now jessie will be dropped,
but only stretch will remain if I'm on buster; otherwise, if I'm on
bullseye, the new release then (i.e. bullseye) would have keys for
bullseye, buster and stretch.
Is that the way things work, or am I missing or misunderstanding something?
--
Regards,
Shirish Agarwal शिरीष अग्रवाल
My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
E493 D466 6D67 59F5 1FD0 930F 870E 9A5B 5869 609C
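As an added example (not from the post or from Debian), a small Python parser for the kind of `apt-key list` output shown above: it derives each primary key's long key ID from its fingerprint, matches the NO_PUBKEY ids apt printed against those IDs, and flags expired keys. The listing embedded in it is a constructed, trimmed copy of the one in the post, and the function names are mine.

```python
import re

# Constructed sample: a trimmed copy of the `apt-key list` output in the post.
APT_KEY_LIST = """\
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
"""

FPR_RE = re.compile(r"^([0-9A-F]{4} ){9}[0-9A-F]{4}$")
EXPIRES_RE = re.compile(r"expires: (\d{4}-\d{2}-\d{2})")
UID_RE = re.compile(r"^uid\s+\[[^\]]*\]\s+(.*)$")

def parse_apt_key_list(text):
    """One dict per primary key: keyring file, fingerprint, long key ID, expiry, uid."""
    keys, keyring, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):              # keyring file header
            keyring = line
        elif line.startswith("pub "):         # a new primary key starts
            m = EXPIRES_RE.search(line)
            cur = {"keyring": keyring, "expires": m.group(1) if m else None,
                   "fingerprint": None, "keyid": None, "uid": None}
            keys.append(cur)
        elif cur and FPR_RE.match(line):      # fingerprint line follows the pub line
            cur["fingerprint"] = line.replace(" ", "")
            cur["keyid"] = cur["fingerprint"][-16:]   # long key ID = last 64 bits
        elif cur and (m := UID_RE.match(line)):
            cur["uid"] = m.group(1)
    return keys                                # "sub" and "----" lines are skipped

def resolve_nopubkey(keys, missing_ids):
    """Map each NO_PUBKEY id to the primary-key fingerprint carrying it, else None."""
    # None: no primary key has that id; as the post's 04EE7237B7D453EC shows, apt may name a signing subkey.
    by_id = {k["keyid"]: k["fingerprint"] for k in keys if k["keyid"]}
    return {kid: by_id.get(kid.upper()) for kid in missing_ids}

def expired_keys(keys, today_iso):
    """Keys whose expiry is before today_iso (ISO dates compare correctly as strings)."""
    return [k for k in keys if k["expires"] and k["expires"] < today_iso]
```

A NO_PUBKEY id that resolves to None is the case the post ran into: `apt-key list` shows signing subkeys without ids, so the primary key has to be looked up some other way before deciding whether it belongs in the keyring.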