On Mon 2018-11-05 13:02:33 +0100, Guido Günther wrote:
> the release file at
>
>     http://security.debian.org/debian-security/dists/buster/updates/
>
> is signed by wheezy's key 8B48AD6246925553 which is no longer in
> debian-archive-keyring. This makes new installations fail that already
> enable the above security archive.

The buster security archive is no longer signed with wheezy's key, but
it's signed with jessie's key:

------------
0 dkg@alice:~$ wget -q -O- 'http://security.debian.org/debian-security/dists/buster/updates/Release.gpg' | gpg --list-packets
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 9D6D8F6BC857C906
	version 4, created 1551171107, md5len 0, sigclass 0x00
	digest algo 8, begin of digest 32 ef
	hashed subpkt 33 len 21 (issuer fpr v4 D21169141CECD440F2EB8DDA9D6D8F6BC857C906)
	hashed subpkt 2 len 4 (sig created 2019-02-26)
	subpkt 16 len 8 (issuer key ID 9D6D8F6BC857C906)
	data: [4096 bits]
0 dkg@alice:~$ gpg --list-keys D21169141CECD440F2EB8DDA9D6D8F6BC857C906
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D21169141CECD440F2EB8DDA9D6D8F6BC857C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>

0 dkg@alice:~$
------------

I would have expected it to be signed with key
6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9 (the security archive signing
key for stretch) instead. or, at least, signed by both of the keys.

I'm using explicit signed-by= options in my sources.list file on buster
installations, and it's very odd that i need to have:

    deb [signed-by=/usr/share/keyrings/debian-archive-jessie-security-automatic.gpg] http://security.debian.org/debian-security buster/updates main

    --dkg
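
An added example, not part of the original message: a POSIX shell check that reads `gpg --list-packets` output and reports whether an expected fingerprint is among the issuers of a Release.gpg. The function and variable names are hypothetical; the sample input is taken from the output quoted in the message above.

```sh
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.
# Note: --list-packets only shows the issuer a signature claims; it does not
# verify the signature. Use gpgv with the intended keyring for that.

# Print the unique issuer fingerprints found in `gpg --list-packets` output (stdin).
issuer_fprs() {
    sed -n 's/.*(issuer fpr v[0-9]* \([0-9A-Fa-f]*\)).*/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# check_signers EXPECTED_FPR  (list-packets output on stdin)
#   0: EXPECTED_FPR is among the issuers
#   1: signatures present, but none issued by EXPECTED_FPR
#   2: no issuer fingerprint subpacket found (unsigned input or older signature)
check_signers() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    signers=$(issuer_fprs)
    [ -n "$signers" ] || return 2
    printf '%s\n' "$signers" | grep -qxF "$expected"
}

# Sample input: signature packet lines as quoted in the message above.
SAMPLE=':signature packet: algo 1, keyid 9D6D8F6BC857C906
	hashed subpkt 33 len 21 (issuer fpr v4 D21169141CECD440F2EB8DDA9D6D8F6BC857C906)
	subpkt 16 len 8 (issuer key ID 9D6D8F6BC857C906)'

JESSIE_SEC=D21169141CECD440F2EB8DDA9D6D8F6BC857C906
STRETCH_SEC=6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9

for fpr in "$JESSIE_SEC" "$STRETCH_SEC"; do
    if printf '%s\n' "$SAMPLE" | check_signers "$fpr"; then
        echo "$fpr: listed as issuer"
    else
        echo "$fpr: NOT listed as issuer"
    fi
done
```

Against a live archive, pipe the output of the `wget ... | gpg --list-packets` command from the message into `check_signers` instead of `$SAMPLE`.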