Re: Debian Archive Signing Key

2016-09-18 Thread Jp.vanzyl




Sent from my Samsung Galaxy smartphone.
 Original message From: "Jp.vanzyl" <jp.van...@yahoo.co.uk> 
Date: 18/09/2016  21:07  (GMT+02:00) To: Jvz22 <jpvanzy...@gmail.com>, Jvz4773 
<jp.van...@yahoo.co.uk>, Jvz4773 <jp.vanzy...@gmail.com>, Jvz22 
<ds...@jabberwocky.com> Subject: Debian Archive Signing Key 

Re: Debian Archive Signing Key to be changed

2009-06-10 Thread Philipp Kern
On Tue, Jun 09, 2009 at 04:01:17PM -0400, Ivan Jager wrote:
 It appears that
 http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
 being signed with the new key, not the old, so it is not trusted.
 
 Lenny security updates are being signed with both keys, but there
 does not seem to be a newer version of debian-archive-keyring
 there, so I'm not sure what the trust path from the old key to the
 new is supposed to be. From the announcement, it sounded like the
 Release file was supposed to be signed with both keys, but it
 isn't.
 
 I initially tried the Monday after the announcement, and thought
 it would most likely get fixed after a few days, but still no
 luck.
 
 For reference, on lenny an apt-get update ends with the following
 error:
 W: There is no public key available for the following key IDs:
 9AA38DCD55BE302B
 W: GPG error: http://ftp.us.debian.org lenny Release: The following 
 signatures couldn't be verified because the public key is not available: 
 NO_PUBKEY 9AA38DCD55BE302B
 W: You may want to run apt-get update to correct these problems
 
 Of course if you then try to install the new
 debian-archive-keyring it gives you a big warning that it is
 untrusted.

Actually it shouldn't.  It's true that apt warns about a new signature
that cannot be verified, but that shouldn't cause apt to think that the
repository is untrusted, because there is still at least one trusted
signature on it (the offline release key).

So you should be able to upgrade debian-archive-keyring without a
warning...

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                 Debian Developer
: :' :  http://philkern.de           Stable Release Manager
`. `'   xmpp:p...@0x539.de           Wanna-Build Admin
  `-    finger pkern/k...@db.debian.org




Re: Debian Archive Signing Key to be changed

2009-06-10 Thread Ivan Jager
On Wed, Jun 10, 2009 at 10:41:18AM +0200, Philipp Kern scribbled thusly:
 On Tue, Jun 09, 2009 at 04:01:17PM -0400, Ivan Jager wrote:
  It appears that
  http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
  being signed with the new key, not the old, so it is not trusted.
  
  Lenny security updates are being signed with both keys, but there
  does not seem to be a newer version of debian-archive-keyring
  there, so I'm not sure what the trust path from the old key to the
  new is supposed to be. From the announcement, it sounded like the
  Release file was supposed to be signed with both keys, but it
  isn't.
  
  I initially tried the Monday after the announcement, and thought
  it would most likely get fixed after a few days, but still no
  luck.
  
  For reference, on lenny an apt-get update ends with the following
  error:
  W: There is no public key available for the following key IDs:
  9AA38DCD55BE302B
  W: GPG error: http://ftp.us.debian.org lenny Release: The following 
  signatures couldn't be verified because the public key is not available: 
  NO_PUBKEY 9AA38DCD55BE302B
  W: You may want to run apt-get update to correct these problems

FWIW, if I only have security.d.o in sources.list I only get the
first and last warning, and it doesn't warn about unverified
packages when installing. With ftp.us.d.o I also get the second
warning and later it does complain when I try to install
packages.

  Of course if you then try to install the new
  debian-archive-keyring it gives you a big warning that it is
  untrusted.
 
 Actually it shouldn't.  It's true that apt warns about a new signature
 that cannot be verified, but that shouldn't cause apt to think that the
 repository is untrusted, because there is still at least one trusted
 signature on it (the offline release key).
 
Ok, something funny is definitely going on. Running gpg on
security.debian.org_dists_lenny_updates_Release.gpg shows both
signatures, whereas running gpg on
ftp.us.debian.org_debian_dists_lenny_Release.gpg warns that "gpg:
WARNING: multiple signatures detected.  Only the first will be
checked." and of course that happens to be the 55BE302B
signature.

Anyways, I worked around the problem on that machine by copying
the keys from a squeeze box that I trust (which is why I have a
*_lenny_Release.gpg file now), but I can still reproduce the
problem on an etch machine, which I will most likely upgrade
after this is solved.

For reference, here is the output of GPG:
On lenny (with the keys copied from squeeze):
kestrel:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb 
/etc/apt/trustdb.gpg security.debian.org_dists_lenny_updates_Release.gpg
Detached signature.
Please enter name of data file:
No such file, try again or hit enter to quit.
Please enter name of data file: security.debian.org_dists_lenny_updates_Release 
gpg: Signature made Tue 09 Jun 2009 03:29:57 PM EDT using RSA key ID 55BE302B
gpg: Good signature from Debian Archive Automatic Signing Key (5.0/lenny) 
ftpmas...@debian.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 150C 8614 919D 8446 E01E  83AF 9AA3 8DCD 55BE 302B
gpg: Signature made Tue 09 Jun 2009 03:29:57 PM EDT using DSA key ID 6070D3A1
gpg: Good signature from Debian Archive Automatic Signing Key (4.0/etch) 
ftpmas...@debian.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: A999 51DA F9BB 569B DB50  AD90 A70D AF53 6070 D3A1
kestrel:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg --trustdb 
/etc/apt/trustdb.gpg ftp.us.debian.org_debian_dists_lenny_Release.gpg
gpg: WARNING: multiple signatures detected.  Only the first will be checked.
Detached signature.
Please enter name of data file: ftp.us.debian.org_debian_dists_lenny_Release
gpg: Signature made Sat 23 May 2009 01:31:55 PM EDT using RSA key ID 55BE302B
gpg: Good signature from Debian Archive Automatic Signing Key (5.0/lenny) 
ftpmas...@debian.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 150C 8614 919D 8446 E01E  83AF 9AA3 8DCD 55BE 302B


And on etch without the new keys installed:
explorer:/var/lib/apt/lists# gpg --keyring /etc/apt/trusted.gpg
Detached signature.
Please enter name of data file: security.debian.org_dists_etch_updates_Release  
gpg: Signature made Tue 09 Jun 2009 03:29:56 PM EDT using RSA key ID 55BE302B
gpg: Can't check signature: public key not found
gpg: Signature made Tue 09 Jun 2009 03:29:56 PM EDT using DSA key ID 6070D3A1
gpg: Good signature from Debian Archive Automatic Signing Key (4.0/etch) 
ftpmas...@debian.org
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to 

Re: Debian Archive Signing Key to be changed

2009-06-09 Thread Ivan Jager
Hi,

It appears that
http://ftp.debian.org/debian/dists/lenny/Release.gpg is only
being signed with the new key, not the old, so it is not trusted.

Lenny security updates are being signed with both keys, but there
does not seem to be a newer version of debian-archive-keyring
there, so I'm not sure what the trust path from the old key to the
new is supposed to be. From the announcement, it sounded like the
Release file was supposed to be signed with both keys, but it
isn't.

I initially tried the Monday after the announcement, and thought
it would most likely get fixed after a few days, but still no
luck.

For reference, on lenny an apt-get update ends with the following
error:
W: There is no public key available for the following key IDs:
9AA38DCD55BE302B
W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures 
couldn't be verified because the public key is not available: NO_PUBKEY 
9AA38DCD55BE302B
W: You may want to run apt-get update to correct these problems

Of course if you then try to install the new
debian-archive-keyring it gives you a big warning that it is
untrusted.

Anyways, sorry if I'm sending this to the wrong place, but I hope
you guys can fix it.

Thanks,
Ivan

On Sat, May 23, 2009 at 08:15:11PM +0200, Alexander Reichle-Schmehl scribbled 
thusly:
 
 The Debian Project                                http://www.debian.org/
 Debian Archive Signing Key to be changed          pr...@debian.org
 May 23rd, 2009                                    http://www.debian.org/News/2009/20090523
 
 
 Debian Archive Signing Key to be changed
 
 The Debian Project wishes to announce the change of the GNU Privacy
 Guard key used to digitally sign its archive reference files.  Signatures
 are used to ensure that packages installed by users are the very same
 originally distributed by Debian, and have not been exchanged or
 tampered with.
 
 Affected distributions are the Debian unstable branch (codenamed Sid)
 as well as the testing branch (codenamed Squeeze).  The current stable
 version Debian GNU/Linux 5.0 (codenamed Lenny) and the current
 oldstable version Debian GNU/Linux 4.0 (codenamed Etch) will have
 their ftpmaster signature updated too. The release managers' signature
 stays untouched.
 
 The currently used key will expire soon.  The new key has already been
 distributed via the debian-archive-keyring package.  For users of the
 current stable release Debian GNU/Linux 5.0 (codenamed Lenny) no
 action is required from the user side, since Debian GNU/Linux 5.0
 (codenamed Lenny) was already shipped with the new key.  Users of the
 current oldstable release Debian GNU/Linux 4.0 (codenamed Etch) should
 ensure they have upgraded to the latest point release 4.0r8, which added an
 upgraded package containing the new key.  Users of Debian's testing
 branch (codenamed Squeeze) and Debian's unstable branch (codenamed
 Sid) should ensure to have at least version 2009.01.31 of the
 debian-archive-keyring package installed.
 
 Starting with the next mirror update this evening and for the next three
 weeks the archive will be digitally signed by both the old and the new
 key.  Starting with the 13th of June only the new key will be used.
 
 
 For reference, the old key is
   pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
   uid  Debian Archive Automatic Signing Key (4.0/etch) 
 ftpmas...@debian.org
 
 and the new one
 
   pub   4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
   uid  Debian Archive Automatic Signing Key (5.0/lenny) 
 ftpmas...@debian.org
 
 
 This key rollover is a normal maintenance task and was started in
 January.  For security reasons Debian's archive signing keys regularly
 expire after three years.
 
 
 About Debian
 
 The Debian project is an organisation of many developers who volunteer their
 time and effort, collaborating via the Internet.  Their tasks include
 maintaining and updating Debian GNU/Linux which is a free distribution of the
 GNU/Linux operating system.  Debian's dedication to Free Software, its
 non-profit nature, and its open development model makes it unique among
 GNU/Linux distributions.
 
 Contact Information
 
 For further information, please send email to the Debian Press Team
 pr...@debian.org or visit the Debian homepage at http://www.debian.org/.
 
 
 -- 
 To UNSUBSCRIBE, email to debian-announce-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 

