Joey Hess <[EMAIL PROTECTED]> writes:

> Package: debmirror
> Version: 20060907.1
> Severity: normal
>
> debmirror uses a different method to validate the signatures on Release
> files than do apt, network-retriever, etc. debmirror's method fails if
> the Release file is signed by any one unknown key, even if it has other
> valid sigs from known keys, as happened recently. The correct method
> does not have this problem, and works as follows:
>
> gpgv --no-tty --status-fd 1 Release.gpg Release | read_gpg_status
>
> Where a shell version of read_gpg_status is this:
>
> read_gpg_status() {
>     while read prefix keyword rest; do
>         [ "$prefix" = '[GNUPG:]' ] || continue
>         if [ "$keyword" = VALIDSIG ]; then
>             exit 0
>         fi
>     done
>     exit 1
> }
>
> Any single valid signature is enough.
You mentioned this on irc but thanks for filing a reminder bug so I won't forget. This should make it into the "Lenny is watching you" release that is pending.

MfG
Goswin
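The status-line check described in the quoted report, as an added example that is not debmirror's own code: it applies the "any single VALIDSIG is enough" rule to constructed `gpgv --status-fd` output for a Release file carrying one signature from a key absent from the keyring and one from a known key (key ids and fingerprints are placeholders, not real archive keys).

```shell
#!/bin/sh
# Added example (not from debmirror or apt). Decide whether a Release file
# is acceptable from the machine-readable status lines gpgv prints with
# --status-fd, rather than from gpgv's overall exit status: a signature
# from an unknown key must not veto a valid one from a known key.
read_gpg_status() {
    while read -r prefix keyword rest; do
        [ "$prefix" = '[GNUPG:]' ] || continue
        # One VALIDSIG line means one signature verified against a key
        # in the keyring; that is sufficient.
        if [ "$keyword" = VALIDSIG ]; then
            return 0
        fi
    done
    return 1
}

# Constructed status output: first signature is from a key gpgv does not
# have (ERRSIG + NO_PUBKEY), second is from a known key (GOODSIG + VALIDSIG).
# All key ids and fingerprints are placeholders.
sample_status_mixed() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000000 17 2 01 1160000000 9
[GNUPG:] NO_PUBKEY 0000000000000000
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Placeholder Archive Key <placeholder@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2006-09-07 1160000000 0 3 0 17 2 00 1111111111111111111111111111111111111111
EOF
}

# Constructed status output: only a signature from an unknown key, so no
# VALIDSIG line at all; this must be rejected.
sample_status_unknown_only() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000000 17 2 01 1160000000 9
[GNUPG:] NO_PUBKEY 0000000000000000
EOF
}

# Real usage: gpgv --no-tty --status-fd 1 Release.gpg Release | read_gpg_status
if sample_status_mixed | read_gpg_status; then echo "mixed: accepted"; fi
if ! sample_status_unknown_only | read_gpg_status; then echo "unknown only: rejected"; fi
```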