On Wed, Jan 04, 2006 at 01:26:26PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> > On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > > Fwiw, the Release.gpg file contains two signatures now, both one with the
> > > 2005 key and the 2006 key, to have a short transition period. The archive
> > > still validates with the 2005 key, which isn't expired yet, and I think APT
> > > should not spread too worrisome errors at users while the archive can still
> > > be verified.
> >
> > Not to contradict you, since my understanding of these issues is
> > strongly limited, but apt seems to think that it cannot validate the
> > archive?
>
> I know, I said "should", because I believe apt should deal with the
> multiple signatures correctly, instead of the current behaviour of (it
> seems) only looking at the last one and/or requiring all signatures to
> verify.
>
> Apt needs to be satisfied with just at least one of the multiple
> signatures verifying, so that there can be turnover periods, and for
> example third party repositories can have multiple signatures too, for
> certain circumstances.

Sorry for the late reply. I'm working on fixing the gpgv method to
properly support multiple signatures right now and will (hopefully) do
an upload really soon.

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
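
Added example, not part of the thread above and not apt's own code: it parses `gpgv --status-fd` style output for a doubly signed Release.gpg and compares the "at least one signature verifies" policy asked for in the thread with the two suspected behaviours. The status lines are constructed, the key IDs are placeholders, and all function names are hypothetical.

```python
# Added illustration; not apt's code. Status lines below are constructed,
# and the key IDs are placeholders, not real archive keys.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 0000000000002005 Archive Key 2005 (constructed)
[GNUPG:] ERRSIG 0000000000002006 17 2 00 1136332800 9
[GNUPG:] NO_PUBKEY 0000000000002006
"""

GOOD = {"GOODSIG"}
# Per-signature outcomes that must not count as a verification.
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(text):
    """Return one (keyword, key_id) pair per signature, in file order."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        # NO_PUBKEY is skipped: gpgv already reports that signature as ERRSIG.
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] in GOOD | FAILED:
            results.append((fields[1], fields[2]))
    return results


def accept_any_good(results):
    """Policy asked for in the thread: one verifying signature is enough."""
    return any(kw in GOOD for kw, _ in results)


def accept_all_good(results):
    """Suspected behaviour: every signature must verify."""
    return bool(results) and all(kw in GOOD for kw, _ in results)


def accept_last_only(results):
    """Suspected behaviour: only the last signature is looked at."""
    return bool(results) and results[-1][0] in GOOD


if __name__ == "__main__":
    sigs = parse_status(SAMPLE_STATUS)
    for policy in (accept_any_good, accept_all_good, accept_last_only):
        print(f"{policy.__name__}: {'accept' if policy(sigs) else 'reject'}")
```

gpgv reports GOODSIG only for keys in the keyring it was given, so the any-good policy is exactly as strong as that keyring: every key left in it can validate the archive on its own until it is removed.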