Package: apt
Version: 1.8.4

I notice that if I have an ASCII-armored OpenPGP certificate (a.k.a. RFC 4880 "Transferable Public Key") in a file named /srv/foo.asc, and I have a sources.list line with a "[signed-by=/srv/foo.asc]" option, apt can happily use it just fine.

But if the same file is named "/srv/foo.gpg" then apt fails to verify the InRelease file, with error messages like:

    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: … InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
    W: Failed to fetch … The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …

If apt fails in this way, it might be nice to just peek at the first handful of bytes of /srv/foo.gpg to see whether it begins with:

    -----BEGIN PGP PUBLIC KEY BLOCK-----

and if it does, then treat it the same way it treats an *.asc file. That would certainly be more user-friendly.

Thanks for your work on apt!

--dkg
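The check proposed in the report can also be run by an administrator before `apt update`. The following is an added example, not apt's code and not part of the original report: it reads the first bytes of each signed-by file and flags a file whose content does not match what its extension implies. The function names, the temporary files and the example.invalid URL are constructed for illustration.

```python
import os
import re
import tempfile

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
# Format implied by the extension, following the behaviour described in the report.
EXPECTED = {".asc": "armored", ".gpg": "binary"}

def sniff_key_format(head: bytes) -> str:
    """Classify the first bytes of a key file as 'armored', 'binary' or 'unknown'."""
    if head.startswith(ARMOR_HEADER):
        return "armored"
    # A binary OpenPGP certificate starts with a public-key packet (tag 6):
    # 0x98/0x99/0x9a in the old packet format, 0xc6 in the new one.
    if head[:1] in (b"\x98", b"\x99", b"\x9a", b"\xc6"):
        return "binary"
    return "unknown"

def signed_by_paths(line: str) -> list[str]:
    """Return the key file paths named by signed-by in a one-line sources.list entry."""
    m = re.search(r"\[[^\]]*\bsigned-by=([^\s\]]+)", line)
    return [p for p in m.group(1).split(",") if p.startswith("/")] if m else []

def audit(line: str) -> list[tuple[str, str, bool]]:
    """For each signed-by file: (path, sniffed format, content matches extension?)."""
    results = []
    for path in signed_by_paths(line):
        with open(path, "rb") as fh:
            fmt = sniff_key_format(fh.read(len(ARMOR_HEADER)))
        expected = EXPECTED.get(os.path.splitext(path)[1])
        results.append((path, fmt, expected == fmt))
    return results

def demo() -> list[tuple[str, str, bool]]:
    """Constructed sample: the same armored stub saved as foo.asc and as foo.gpg."""
    d = tempfile.mkdtemp()
    out = []
    for name in ("foo.asc", "foo.gpg"):
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(ARMOR_HEADER + b"\n\n(constructed placeholder, not a real key)\n")
        out += audit(f"deb [signed-by={path}] https://example.invalid/debian stable main")
    return out

if __name__ == "__main__":
    for path, fmt, ok in demo():
        print(f"{path}: {fmt} -> {'ok' if ok else 'extension does not match content'}")
```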