Re: debian unofficial key problems



[ Note: I edited all the output below, removing the email addresses. ]

On Sat, Mar 22, 2008 at 16:50:17 +0000, Frank Wilson wrote:
> I'm using the unofficial repository for some packages but I keep
> getting the following error whenever I run "aptitude update":
>
> W: GPG error: http://ftp.debian-unofficial.org testing Release: The
> following signatures couldn't be verified because the public key is
> not available: NO_PUBKEY 394D199524C52AC3
>
> I tried registering the public key for this repo locally, but the
> above suggests to me this hasn't worked. (I've re-run "aptitude update"
> several times since I added the key)
>
> There is however an entry for debian-unofficial in my "apt-key list" output:
>
> pub 1024D/FDB8D39A 2008-01-02 [expires: 2009-02-01]
> uid Debian Unofficial Archive Automatic Signing Key (2008) <...>
> sub 2048g/5A17668F 2008-01-02 [expires: 2009-02-01]
>
> Which seems to correspond with this:
>
> http://www.debian-unofficial.org/faq.html
>
> Any idea what I am doing wrong?

The key that apt is complaining about is their 2007 signing key:

$ gpg --recv-keys 394D199524C52AC3
gpg: requesting key 24C52AC3 from hkp server subkeys.pgp.net
gpg: key 24C52AC3: public key "Debian Unofficial Archive Automatic Signing Key (2007) <...>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1

$ gpg --list-key 394D199524C52AC3
pub 1024D/24C52AC3 2007-01-24 [expired: 2008-02-01]
uid Debian Unofficial Archive Automatic Signing Key (2007) <...>

If it does not bother you that they sign their current Release file(s)
with an expired key then you can add the old key to your apt keyring and
the message will stop. It is reassuring that it is at least possible to
establish a chain of trust from the 2007 key to the official Debian
keyring: The 24C52AC3 key is signed by Daniel Baumann, who is a Debian
developer. (Of course, you cannot and should not trust me, so you have
to verify this yourself if you want to take security seriously.)

If you prefer to download the key from their website instead of using
the gpg command above then you have to replace "2008" with "2007" in the
wget URL that they give in their FAQ.

--
Regards, | http://users.icfo.es/Florian.Kulzer
Florian |
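
Added example, not part of the original message: a small shell check that takes the key ID from apt's NO_PUBKEY warning and looks it up in a colon-format key listing (the format printed by `gpg --with-colons --list-keys`), reporting whether that exact key is absent, present, or present but expired. The function names are hypothetical, the key listings are constructed sample data, and the upper half of the 2008 key ID is a placeholder because the thread shows only FDB8D39A.

```shell
#!/bin/sh
# Constructed sample input: the apt warning quoted in the thread, joined onto one line.
APT_WARNING='W: GPG error: http://ftp.debian-unofficial.org testing Release: The following signatures couldn'\''t be verified because the public key is not available: NO_PUBKEY 394D199524C52AC3'

# Constructed colon-format listings. 00000000 is a placeholder for the
# unknown upper half of the 2008 key ID.
KEYRING_2008_ONLY='pub:-:1024:17:00000000FDB8D39A:1199232000:1233446400::-:::scESC:'
KEYRING_BOTH='pub:-:1024:17:00000000FDB8D39A:1199232000:1233446400::-:::scESC:
pub:e:1024:17:394D199524C52AC3:1169596800:1201824000::-:::sc:'

# Print every key ID that follows a NO_PUBKEY token (apt may list several).
missing_key_ids() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "NO_PUBKEY") print toupper($(i + 1))
    }'
}

# key_status LISTING KEYID -> "absent", "expired" or "present".
# Colon format: field 1 = record type, field 2 = validity ("e" means
# expired), field 5 = long key ID. Subkeys are checked as well.
key_status() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == id {
            status = ($2 == "e") ? "expired" : "present"
            print status
            found = 1
            exit
        }
        END { if (!found) print "absent" }'
}

# For each key apt complained about, print "<KEYID> <status>".
diagnose() {
    for id in $(missing_key_ids "$1"); do
        printf '%s %s\n' "$id" "$(key_status "$2" "$id")"
    done
}

echo "keyring holding only the 2008 key:"
diagnose "$APT_WARNING" "$KEYRING_2008_ONLY"
echo "keyring after importing the 2007 key:"
diagnose "$APT_WARNING" "$KEYRING_BOTH"
```

On a real system the second argument would be the output of a colon-format listing of the apt keyring rather than the constructed strings.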

