Re: debian unofficial key problems

[ Note: I edited all the output below, removing the email addresses. ]

On Sat, Mar 22, 2008 at 16:50:17 +0000, Frank Wilson wrote:
I'm using the unofficial repository for some packages but I keep
getting the following error
whenever I run "aptitude update":

W: GPG error: testing Release: The
following signatures couldn't be verified because the public key is
not available: NO_PUBKEY 394D199524C52AC3

I tried registering the public key for this repo locally, but the
above suggest to me this hasn't worked. (I've re-run "aptitude update"
several times since I added the key)

There is however an entry for debian-unofficial in my "apt-key list" output:

pub 1024D/FDB8D39A 2008-01-02 [expires: 2009-02-01]
uid Debian Unofficial Archive Automatic Signing Key (2008) <...>
sub 2048g/5A17668F 2008-01-02 [expires: 2009-02-01]

Which seems to correspond with this:

Any idea what I am doing wrong?

The key that apt is complaining about is their 2007 signing key:

$ gpg --recv-keys 394D199524C52AC3
gpg: requesting key 24C52AC3 from hkp server
gpg: key 24C52AC3: public key "Debian Unofficial Archive Automatic Signing Key (2007) <...>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1

$ gpg --list-key 394D199524C52AC3
pub 1024D/24C52AC3 2007-01-24 [expired: 2008-02-01]
uid Debian Unofficial Archive Automatic Signing Key (2007) <...>

If it does not bother you that they sign their current Release file(s)
with an expired key then you can add the old key to your apt keyring and
the message will stop. It is reassuring that it is at least possible to
establish a chain of trust from the 2007 key to the official Debian
keyring: The 24C52AC3 key is signed by Daniel Baumann, who is a Debian
developer. (Of course, you cannot and should not trust me, so you have
to verify this yourself if you want to take security seriously.)

If you prefer to download the key from their website instead of using
the gpg command above then you have to replace "2008" with "2007" in the
wget URL that they give in their FAQ.

Regards, |
Florian |

To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Relevant Pages

  • Re: Encryption
    ... Also GPG does not use patented algorithms such as IDEA and until recently ... I don't know of any current GPG bugs. ... from using x.509 or the "Web of Trust". ... reason for his leaving NAI but he went to such great lengths to ensure you ...
  • Re: BK2CVS problem
    ... >> It makes me wonder if there is some way we can start using GPG signatures ... The words "web of trust" (signing GPG keys) come to mind. ...
  • Re: Signature debian CDs
    ... I downloaded the netinst CD image for the installation of debian. ... gpg: WARNING: This key is not certified with a trusted signature! ... GPG is warning you that it can't find a trust path from a key you trust ...
  • Re: Checking SHA256SUMS against SHA256SUMS.sign .
    ... gpg --verify SHA256SUMS.sign SHA256SUMS ... Now, under normal user: ... Good signature from "Debian Live Signing Key ... To trust a key, the following algorithm is used: ...
  • Re: trust update servers?
    ... I know its some kind of public key system... ... I trust an update source and add it, am I trusting Suse/Novell, or just ... are they just hosting files that are signed by the openSUSE team? ... all you need to do is import it into your own GPG key-ring. ...