also sprach Michael Vogt <mvo@debian.org> [2009.04.09.0058 +0200]:
> I merged the diff into the apt debian-sid tree and will upload soon. I
> would love to have some positivie test feedback before I do the
> upload.
I just tried in a chroot and it doesn't look good:
pulse:~# apt-cache policy apt
apt:
Installed: 0.7.21~exp2~~mvo-gpgv-sigexpiry.1
Candidate: 0.7.21~exp2~~mvo-gpgv-sigexpiry.1
Version table:
*** 0.7.21~exp2~~mvo-gpgv-sigexpiry.1 0
500 http://debian.madduck.net sid/main Packages
100 /var/lib/dpkg/status
0.7.20.2 0
500 http://ftp.ch.debian.org sid/main Packages
pulse:~# apt-get update
Get:1 http://debian.madduck.net sid Release.gpg [197B]
Hit http://debian.madduck.net sid Release
Err http://debian.madduck.net sid Release
Get:2 http://debian.madduck.net sid Release [9914B]
Ign http://debian.madduck.net sid Release
Ign http://debian.madduck.net sid/main Packages/DiffIndex
Ign http://debian.madduck.net sid/main Sources/DiffIndex
Ign http://debian.madduck.net sid/main Packages
Ign http://debian.madduck.net sid/main Sources
Hit http://ftp.ch.debian.org sid Release.gpg
Hit http://debian.madduck.net sid/main Packages
Hit http://debian.madduck.net sid/main Sources
Hit http://ftp.ch.debian.org sid Release
Hit http://ftp.ch.debian.org sid/main Packages/DiffIndex
Hit http://ftp.ch.debian.org sid/main Sources/DiffIndex
Fetched 10.1kB in 0s (11.7kB/s)
Reading package lists... Done
W: GPG error: http://debian.madduck.net sid Release: The following signatures were invalid: KEYEXPIRED 1182334739
W: You may want to run apt-get update to correct these problems
But the key is not expired:
pulse:~# wget -q http://debian.madduck.net/repo/gpg/a4ba872bd5b9e51e.key.asc http://debian.madduck.net/repo/dists/sid/Release{,.gpg}
pulse:~# gpg --import < a4ba872bd5b9e51e.key.asc
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D5B9E51E: public key "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
pulse:~# gpg --verify Release.gpg Release
gpg: Signature made Tue Apr 7 16:36:50 2009 UTC using DSA key ID D5B9E51E
gpg: Good signature from "madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5726 0E2A 6376 CB44 1AE9 0B77 A4BA 872B D5B9 E51E
pulse:~# gpg --list-keys a4ba872bd5b9e51e
pub 1024D/D5B9E51E 2006-06-07 [expires: 2010-06-30]
uid madduck's archive signing key (http://debian.madduck.net/repo) <archive@debian.madduck.net>
But at least I am now asked when I try to install packages from the
archive:
WARNING: The following packages cannot be authenticated!
apt
Install these packages without verification [y/N]?
--
.''`. martin f. krafft <madduck@d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
"driving with a destination
is like having sex to have children"
-- backwater wayne miller
Attachment:
digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)