
Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one



On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> Fwiw, the Release.gpg file contains two signatures now, one with the
> 2005 key and one with the 2006 key, to have a short transition period. The
> archive still validates with the 2005 key, which isn't expired yet, and I
> think APT should not spread too worrisome errors at users while the archive
> can still be verified.

Not to contradict you, since my understanding of these issues is
strongly limited, but apt seems to think that it cannot validate the
archive?

Running: su -c "apt-get upgrade"
[...]
The following packages will be upgraded:
  liboil0.3 libsensors3 libssl-dev libssl0.9.8 lm-sensors manpages manpages-dev openssl unzip
[...]
WARNING: The following packages cannot be authenticated!
  libssl-dev openssl libssl0.9.8 manpages manpages-dev liboil0.3 libsensors3 unzip lm-sensors

If I understand that the whole release is what is signed, and that then
the URLs in the release are therefore trusted (I assume with md5
checksum), then it seems APT does not believe the release is signed with
the 2005 key, or does not know how to 'fall back' to the 2005 key.

-josh
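As an added illustration (not apt's own verification code and not from this thread), the following parses the `--status-fd` lines that gpgv emits for a Release.gpg carrying two detached signatures, and applies the policy the thread argues for: one good signature from a trusted key authenticates the archive, and a second signature by a key the keyring does not yet hold (the 2006 key during the overlap) is only a warning. The key IDs, user ID and status lines are constructed placeholders, not Debian's real archive keys.

```python
import re
from dataclasses import dataclass, field

# Constructed gpgv --status-fd output for a Release.gpg with two signatures,
# as in the thread: the 2005 key is in the keyring and still valid, the 2006
# key is not in the keyring yet. Key IDs and user ID are placeholders.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000002006 17 2 01 1136332800 9
[GNUPG:] NO_PUBKEY 0000000000002006
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000002005 Archive Signing Key (2005, placeholder) <ftpmaster@example.org>
"""


@dataclass
class SignatureReport:
    good: list = field(default_factory=list)     # GOODSIG: verified, key known and valid
    expired: list = field(default_factory=list)  # EXPKEYSIG: verified, but signing key expired
    bad: list = field(default_factory=list)      # BADSIG: signature does not match the file
    unknown: list = field(default_factory=list)  # NO_PUBKEY: signer is not in the keyring


STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (\S+))?")


def parse_gpgv_status(status_text):
    """Collect the signer key ID of each status line into its outcome bucket."""
    report = SignatureReport()
    buckets = {"GOODSIG": report.good, "EXPKEYSIG": report.expired,
               "BADSIG": report.bad, "NO_PUBKEY": report.unknown}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group(1) in buckets and m.group(2):
            buckets[m.group(1)].append(m.group(2))
    return report


def archive_authenticated(report, trusted_keyids):
    """One GOODSIG from a trusted key is enough; an extra signature by an
    unknown key is only a warning.  A BADSIG means the Release file does not
    match one of its signatures, which is never acceptable, so reject then."""
    if report.bad:
        return False
    return any(keyid in trusted_keyids for keyid in report.good)


if __name__ == "__main__":
    rep = parse_gpgv_status(SAMPLE_STATUS)
    print("good:", rep.good, "unknown:", rep.unknown)
    print("authenticated:", archive_authenticated(rep, {"0000000000002005"}))
```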


