On Tue 2011-03-15 04:03:42 -0400, Uwe Kleine-König wrote:
> I'm about to change the gpg key used to sign our apt and so signed the
> archive for now with two keys and will update the keyring package to
> contain the new key soon.
>
> The "problem" I'm faced with now is that if apt only knows one of the
> two keys used it prints a warning
>
> W: There is no public key available for the following key IDs:
> ...
I agree that this warning is problematic. For most users who haven't thought about the issue, they'll take it as a problem that needs fixing, even when their system can already validate the particular files that they're trying to validate. As a result, they might try to track down and add an additional key to their apt keyring.

A system that depends on a signature from any one of N+1 keys is by definition more vulnerable than a system that depends on a signature from any one of N keys, so this warning is actively encouraging debian system administrators to enlarge their attack surface.

Consider a rogue mirror that redistributes the debian archive, but can add an additional OpenPGP signature in InRelease or Releases.gpg. If the mirror operator wanted to, they could mint a new OpenPGP certificate with a user ID like "Debian Archive Automatic Signing Key (8.0/jessie) <ftpmas...@debian.org>", and add that signature's keys to the InRelease file. This would be a legitimate debian archive, with an extra signature attached, but it would produce the above warnings. Any local admin who tries to "fix" the warning by importing that key will now be vulnerable to future attack by that mirror operator.

A sensible admin who regularly prunes their apt-key list (e.g. removing the wheezy keys on systems that are well past wheezy) will find themselves incurring additional warnings.

These warnings are actively bad for the security of debian systems, and should be muted entirely as long as the package lists successfully validate. If some download doesn't validate at all, then this information should be supplied, but as an error, not as a warning.

--dkg
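The policy dkg proposes above (stay silent about unknown signing keys when at least one signature verifies against the local keyring; fail with an error, naming the unknown keys, only when nothing verifies) can be written down as a small decision procedure over the status output of gpgv. The following is an added example, not apt's own verification code and not from the thread; the status lines embedded in it are constructed, and the key IDs and user IDs in them are placeholders, not Debian's keys. The `[GNUPG:] GOODSIG / BADSIG / NO_PUBKEY / ERRSIG / EXPKEYSIG / REVKEYSIG` tags are the documented gpg status-fd vocabulary.

```python
"""Decide whether a multi-signature InRelease validates, from gpgv status output.

Added example (not apt's code). Implements the policy from the message above:
  - any GOODSIG from a key in the local keyring  -> accept, say nothing about
    keys we do not have (an extra signature from an unknown key is harmless);
  - no GOODSIG at all                            -> hard error listing the
    unknown / unusable key IDs, so the admin can decide what to do;
  - a BADSIG from a key we DO know               -> fail closed: the signed data
    does not match, which is a tampering signal, not a keyring-completeness one.
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class Verdict:
    accepted: bool
    good: list = field(default_factory=list)      # key IDs whose signature verified
    bad: list = field(default_factory=list)       # known keys whose signature did NOT match
    unknown: list = field(default_factory=list)   # key IDs absent from the keyring
    unusable: list = field(default_factory=list)  # expired or revoked signing keys


def parse_gpgv_status(status_text: str) -> Verdict:
    """Parse `gpgv --status-fd` lines and apply the accept/reject policy."""
    good, bad, unknown, unusable = [], [], [], []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable noise, not a status line
        parts = line.split()
        tag = parts[1]
        keyid = parts[2] if len(parts) > 2 else ""
        if tag == "GOODSIG":
            good.append(keyid)
        elif tag == "BADSIG":
            bad.append(keyid)
        elif tag == "NO_PUBKEY":          # gpgv also emits ERRSIG ... rc=9 for these
            unknown.append(keyid)
        elif tag in ("EXPKEYSIG", "REVKEYSIG"):
            unusable.append(keyid)
    return Verdict(bool(good) and not bad, good, bad, unknown, unusable)


def report(v: Verdict) -> str:
    """Empty string when accepted (no warning at all); an E: line otherwise."""
    if v.accepted:
        return ""
    if v.bad:
        return "E: signature by known key(s) does not match the file: " + ", ".join(v.bad)
    missing = v.unknown + v.unusable
    return "E: no signature could be verified; signing key IDs seen: " + ", ".join(missing)


def verify_with_gpgv(keyring: str, *files: str) -> Verdict:
    """Run the real gpgv on an InRelease (one arg) or Release.gpg + Release (two args).

    Status lines go to fd 1 via --status-fd; gpgv exits non-zero when any
    signature fails, so the exit code is deliberately ignored in favour of
    the parsed status.
    """
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, "--output", "/dev/null", *files],
        capture_output=True, text=True, check=False,
    )
    return parse_gpgv_status(proc.stdout)


# Constructed gpgv status output; AAAA.../BBBB... are placeholder key IDs.
# Scenario 1: the archive is signed by two keys, the local keyring has only the first.
STATUS_ONE_KNOWN = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Archive Automatic Signing Key <placeholder@example.org>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 10 00 1426406622 9
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
"""
# Scenario 2: neither signing key is in the keyring (e.g. all old keys were pruned).
STATUS_NONE_KNOWN = """\
[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 1 10 00 1426406622 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA
[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 10 00 1426406622 9
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
"""
# Scenario 3: a known key's signature does not match the data (file was altered).
STATUS_TAMPERED = """\
[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Example Archive Automatic Signing Key <placeholder@example.org>
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
"""

if __name__ == "__main__":
    for name, status in [("one known", STATUS_ONE_KNOWN),
                         ("none known", STATUS_NONE_KNOWN),
                         ("tampered", STATUS_TAMPERED)]:
        v = parse_gpgv_status(status)
        print(f"{name:10s} accepted={v.accepted} unknown={v.unknown} {report(v)}")
```

The point of scenario 1 is that the unknown key BBBB... produces no output at all: the admin is never prompted to go looking for it, so the rogue-mirror trick in the message has nothing to hook into. Scenario 2 is the only case where the unknown IDs are surfaced, and then as an error that blocks the update rather than a warning beside a success.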