FWIW, apt's behavior with Release files with multiple signatures is the same as gpgv's: joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>" gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" now if I remove the old key: joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D gpgv: Can't check signature: public key not found gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" zsh: exit 2 gpgv --keyring ~/trusted.gpg Release.gpg Release So multiply signed Release files will also break d-i, which uses gpg as above. debootstrap, which also uses gpgv, parses the output of its --status-fd option, and will succeed as long as one signature is valid. I'm working on making d-i use the same technique as debootstrap now. -- see shy jo
Attachment:
signature.asc
Description: Digital signature