Michael Gilbert <mgilb...@debian.org> (2014-08-08):
> package: src:debian-archive-keyring
> severity: serious
> version: 2012.4
> tags: security
>
> The archive keyring package is currently signed by Philip Kern's old
> removed key.
>
> Since this package contains the keys to archive, it really needs a
> valid signature.
>
> $ apt-get source debian-archive-keyring --download-only

Well, surely this is using the apt cache, with Release files and GPG
signatures all over the place…

> $ dpkg-source -x --require-valid-signature debian-archive-keyring_2012.4.dsc
> gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
> gpgv: Can't check signature: public key not found
> dpkg-source: error: failed to verify signature on
> ./debian-archive-keyring_2012.4.dsc

which makes this extra check moot?

(Also, I don't see why this particular source package would be special
and would need a specific handling as far as its signature goes.)

Mraw,
KiBi.
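The archive-side check the reply refers to (Release file, then the Sources index, then the .dsc), sketched as an added example that is not part of the original thread. It assumes the Release file's own OpenPGP signature has already been verified against the archive keyring, which the code does not do; all file contents below are constructed, and the uploader's signature inside the .dsc plays no part in this chain.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_entries(lines, field):
    """Yield (digest, size, name) from a multi-line checksum field."""
    in_field = False
    for line in lines:
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            yield digest, int(size), name
        else:
            in_field = False

def verify_chain(release, sources_path, sources, package, dsc_name, dsc):
    """True only if Release pins Sources and Sources pins the .dsc."""
    # Step 1: the (already signature-checked) Release file lists the index hash.
    pinned = {n: (d, s) for d, s, n in
              checksum_entries(release.splitlines(), "SHA256")}
    if pinned.get(sources_path) != (sha256(sources), len(sources)):
        return False
    # Step 2: the package's stanza in Sources lists the .dsc hash.
    for stanza in sources.decode().strip().split("\n\n"):
        lines = stanza.splitlines()
        if f"Package: {package}" not in lines:
            continue
        for digest, size, name in checksum_entries(lines, "Checksums-Sha256"):
            if name == dsc_name:
                return (digest, size) == (sha256(dsc), len(dsc))
    return False  # package or file not listed: fail closed

# Constructed sample data, not real archive contents.
DSC_NAME = "debian-archive-keyring_2012.4.dsc"
DSC = b"Format: 3.0 (native)\nSource: debian-archive-keyring\nVersion: 2012.4\n"
SOURCES = (
    "Package: debian-archive-keyring\nVersion: 2012.4\nChecksums-Sha256:\n"
    f" {sha256(DSC)} {len(DSC)} {DSC_NAME}\n"
).encode()
RELEASE = (
    "Suite: unstable\nSHA256:\n"
    f" {sha256(SOURCES)} {len(SOURCES)} main/source/Sources\n"
)

if __name__ == "__main__":
    print(verify_chain(RELEASE, "main/source/Sources", SOURCES,
                       "debian-archive-keyring", DSC_NAME, DSC))
```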