also sprach Michael Vogt <mvo@debian.org> [2009.04.09.0058 +0200]: > I merged the diff into the apt debian-sid tree and will upload soon. I > would love to have some positivie test feedback before I do the > upload. I just tried in a chroot and it doesn't look good: pulse:~# apt-cache policy apt apt: Installed: 0.7.21~exp2~~mvo-gpgv-sigexpiry.1 Candidate: 0.7.21~exp2~~mvo-gpgv-sigexpiry.1 Version table: *** 0.7.21~exp2~~mvo-gpgv-sigexpiry.1 0 500 http://debian.madduck.net sid/main Packages 100 /var/lib/dpkg/status 0.7.20.2 0 500 http://ftp.ch.debian.org sid/main Packages pulse:~# apt-get update Get:1 http://debian.madduck.net sid Release.gpg [197B] Hit http://debian.madduck.net sid Release Err http://debian.madduck.net sid Release Get:2 http://debian.madduck.net sid Release [9914B] Ign http://debian.madduck.net sid Release Ign http://debian.madduck.net sid/main Packages/DiffIndex Ign http://debian.madduck.net sid/main Sources/DiffIndex Ign http://debian.madduck.net sid/main Packages Ign http://debian.madduck.net sid/main Sources Hit http://ftp.ch.debian.org sid Release.gpg Hit http://debian.madduck.net sid/main Packages Hit http://debian.madduck.net sid/main Sources Hit http://ftp.ch.debian.org sid Release Hit http://ftp.ch.debian.org sid/main Packages/DiffIndex Hit http://ftp.ch.debian.org sid/main Sources/DiffIndex Fetched 10.1kB in 0s (11.7kB/s) Reading package lists... Done W: GPG error: http://debian.madduck.net sid Release: The following signatures were invalid: KEYEXPIRED 1182334739 W: You may want to run apt-get update to correct these problems But the key is not expired: pulse:~# wget -q http://debian.madduck.net/repo/gpg/a4ba872bd5b9e51e.key.asc http://debian.madduck.net/repo/dists/sid/Release{,.gpg} pulse:~# gpg --import < a4ba872bd5b9e51e.key.asc gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key D5B9E51E: public key "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: no ultimately trusted keys found pulse:~# gpg --verify Release.gpg Release gpg: Signature made Tue Apr 7 16:36:50 2009 UTC using DSA key ID D5B9E51E gpg: Good signature from "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 5726 0E2A 6376 CB44 1AE9 0B77 A4BA 872B D5B9 E51E pulse:~# gpg --list-keys a4ba872bd5b9e51e pub 1024D/D5B9E51E 2006-06-07 [expires: 2010-06-30] uid madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net> But at least I am now asked when I try to install packages from the archive: WARNING: The following packages cannot be authenticated! apt Install these packages without verification [y/N]? -- .''`. martin f. krafft <madduck@d.o> Related projects: : :' : proud Debian developer http://debiansystem.info `. `'` http://people.debian.org/~madduck http://vcs-pkg.org `- Debian - when you have better things to do than fixing systems "driving with a destination is like having sex to have children" -- backwater wayne miller
Attachment:
digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)