Harald Dunkel writes: > I am running a local mirror of the security.debian.org > repository for in-house use. It seems to be available for > Buster as well, except that there is an error message > > ERROR: Condition '7638D0442B90D010' not fulfilled for > '/var/www/official/lists/buster-security_buster%2Fupdates_InRelease'. > Signatures in > '/var/www/official/lists/buster-security_buster%2Fupdates_InRelease': > '9D6D8F6BC857C906' (signed 2019-05-03): missing pubkey > 'AA8E81B4331F7F50' (signed 2019-05-03): missing pubkey > Error: Not enough signatures found for remote repository > buster-security (http://security.debian.org buster/updates)! > There have been errors!
These keys are already in the debian-archive-keyring package (in testing/unstable): +--- | $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --list-keys 7638D0442B90D010 9D6D8F6BC857C906 AA8E81B4331F7F50 | pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19] | 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 | uid [ full ] Debian Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org> | | pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19] | D21169141CECD440F2EB8DDA9D6D8F6BC857C906 | uid [ full ] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org> | | pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20] | 6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9 | uid [ full ] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org> | sub rsa4096 2017-05-22 [S] [expires: 2025-05-20] | 379483D8B60160B155B372DDAA8E81B4331F7F50 +--- Your condition requires the security archive to be signed with the main archive key; that is wrong. The 9/stretch keys are fairly new and were announced in [1]. [1] https://lists.debian.org/debian-devel-announce/2019/04/msg00008.html > These keys are unknown on keyserver as well: > > # apt-key adv --keyserver keyring.debian.org --recv-keys 9D6D8F6BC857C906 keyring.d.o only has developer keys, not any of the other keys Debian might be using. I recommend getting them either from the debian-archive-keyring package or the locations referred to in the announcement; they should also be available on other keyservers. I would also recommend using the full fingerprint instead of shorter keyids. Ansgar