Re: Empty Release.gpg files and Debian Archive key for 2005
- To: debian-security@lists.debian.org
- Subject: Re: Empty Release.gpg files and Debian Archive key for 2005
- From: Christian Jaeger <christian.jaeger@ethlife.ethz.ch>
- Date: Wed, 2 Feb 2005 12:21:38 +0100
- Message-id: <p04320475be265a2d132d@[192.168.40.11]>
- In-reply-to: <87vf9gknod.fsf@deneb.enyo.de>
- References: <41FBB2B7.4010206@mimuw.edu.pl> <87vf9gknod.fsf@deneb.enyo.de>
Hello.
Note: maybe replace "apt-secure" with "apt/experimental" below since
the package isn't called apt-secure, it's called apt and available
from experimental.
Firstly: I'm spending much more time handling apt-secure than I'd
like, just because I'm not getting the relevant information. It would
really help if there were a central place for getting
information. When are the new keys released, by whom, where are they
announced? OK, they are released now, and I've found out where (see
"wget" below), but it came as a surprise and coupled with other
problems.
At 16:58 +0100 29.01.2005, Michal J. Gajda wrote:
> I'm probably not the only one to notice that Release.gpg files for
> unstable and testing are empty,

Yes, I've seen that as well. (And apt-secure from experimental seemed
to choke on that; it didn't give any sensible error message until I
tried apt-get update -o Debug::Acquire::gpgv=yes)

> and that Debian Archive key for 2005 seems not to appear in
> /usr/share/apt/debian-archive.gpg.
"Hum, I thought they are, on purpose, not included there, since the
archive signing keys are not maintainer keys" -- ehr, I realize
you're not talking about the debian-keyring package. I wasn't aware
that there's such a file on the system. Hm, it's from the apt
package. (How would I be able to upgrade to a newer apt package
containing the new key if apt doesn't work anymore because of the
missing key?.. apt would need the new key long before it was actually
in use on the debian archives, so that users have the new key
installed in time. And how to handle that when sarge is stable, will
a newer apt be offered as part of security updates? Shouldn't the
above keyring be offered in a package separate from apt?)
> When can I hope new Debian Archive for 2005 to appear?
> Who can fix the problem?
> Is there a workaround? (Some way to use apt and verify packages by myself?)
From what I've read in the apt-secure docs (it seems they are
currently at http://www.syntaxpolice.org/apt-secure/index.html ?) you
should add the key to /etc/apt/trusted.gpg.
# cd /etc/apt/
# gpg --no-default-keyring --keyring ./trusted.gpg --list-keys --with-fingerprint
..Debian Archive Automatic Signing Key (2004)..
# wget 'http://ftp-master.debian.org/ziyi_key_2005.asc'
# gpg --no-default-keyring --with-fingerprint ziyi_key_2005.asc
pub 1024D/4F368D5D 2005-01-31 Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
Schl.-Fingerabdruck = 4C7A 8E5E 9454 FE3F AE1E 78AD F1D5 3D8C 4F36 8D5D
# gpg --no-default-keyring --keyring ./trusted.gpg --import ziyi_key_2005.asc
..Debian Archive Automatic Signing Key (2005)..importiert
At 21:03 +0100 29.01.2005, Florian Weimer wrote:
> * Michal J. Gajda:
> > When can I hope new Debian Archive for 2005 to appear?
> > Who can fix the problem?
> I've suggested to the ftp-masters to add a new self-signature to the
> 2004 key as a temporary measure. This should fix the Release file
> signing.
Hm, I can't make any sense of this statement. If you don't have the
public key, no self-signature will help at all. And even if
apt-secure were to fetch the key from somewhere and trust it because of
some signature: if it is made right, it should complain about a missing
real signature. So why would a self-signature help?
I feel there's a lack of a central source of information about all
the public key related topics around Debian. I can't find any info on
www.debian.org. I realize there is http://wiki.debian.net, maybe that
would be a place to start such a page?
- Who is doing what in the apt-secure, package archive signing keys,
...? Is there a leader?
- what's the status of apt-secure? Will it enter Debian soon? Will it later?
- it seems that other Debian based distributions are already using
apt-secure (while googling, I've found a blog where someone is
explaining how to solve the key issues and he didn't sound like he
installed apt-secure himself). Is that true? Any links about how they
are doing it?
(One should also mention the other 'solutions' out there for
signature checking (some shellscripts are/have been floating around
some time ago). And mention how to check source packages. ...)
---
Lastly: it seems that currently the woody archive is broken. A
Release.gpg file is there, created with the 2005 key, but its
signature doesn't match the Release file.
- Is this a bug in the master server?
- Is it because not both files have been mirrored at the same time?
(I'm using the de.debian.org server). Is it a general problem of
apt-secure?
Christian.
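The two practical points raised in this mail, that a key fetched over plain HTTP (the "wget" step) is only worth importing once its fingerprint has been checked against a value obtained independently, and that Release can be verified "by myself" against Release.gpg with nothing but an explicit keyring, can be put into a small script. The following is an added example, not code from the original mail or from the apt or GnuPG projects. It assumes gnupg 2.2 or newer (for gpg --show-keys and gpgv); the keyring path, key file and pinned fingerprint are supplied by the caller, and the fingerprint comparison functions work without gpg installed.

```shell
#!/bin/sh
# Added example (not from the original mail or from apt/gnupg): import an
# archive signing key only when its fingerprint matches a pinned value, then
# verify a Release file against Release.gpg using only that keyring.
# Assumes gnupg 2.2+; keyring, key file and fingerprint are caller-supplied.

# Normalise a fingerprint as gpg prints it (groups of four, any case) into a
# bare uppercase hex string so two spellings can be compared byte for byte.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Exit status 0 only if both arguments denote the same fingerprint.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the fingerprint of each primary key in a key file WITHOUT importing it.
# In --with-colons output an "fpr" record follows every "pub" and "sub" record
# with the fingerprint in field 10; only the record after "pub" is kept.
primary_fingerprints() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { want = 1; next }
                 $1 == "fpr" && want { print $10; want = 0 }'
}

# Import KEYFILE ($2) into KEYRING ($1) only if the file holds exactly one
# primary key and its fingerprint equals EXPECTED ($3), the value obtained out
# of band (e.g. from a key announcement). Otherwise return 1 and import nothing.
import_if_pinned() {
    keyring=$1
    keyfile=$2
    expected=$3
    actual=$(primary_fingerprints "$keyfile")
    count=$(printf '%s\n' "$actual" | grep -c '^.')
    if [ "$count" -ne 1 ]; then
        echo "refusing $keyfile: expected one primary key, found $count" >&2
        return 1
    fi
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "refusing $keyfile: fingerprint $actual does not match pinned $expected" >&2
        return 1
    fi
    gpg --no-default-keyring --keyring "$keyring" --import "$keyfile"
}

# Verify RELEASE ($2) against its detached signature RELEASE_GPG ($3) using
# only KEYRING ($1). gpgv consults no default keyring and no web of trust, so
# a missing, empty or mismatching signature fails regardless of what other
# keys exist on the system. The keyring path must contain a slash
# (e.g. /etc/apt/trusted.gpg); a bare name is looked up in the GnuPG home.
verify_release() {
    gpgv --keyring "$1" "$3" "$2"
}

# Usage (not executed here; the fingerprint is the 2005 key's as quoted above):
#   import_if_pinned /etc/apt/trusted.gpg ziyi_key_2005.asc \
#       '4C7A 8E5E 9454 FE3F AE1E 78AD F1D5 3D8C 4F36 8D5D'
#   verify_release /etc/apt/trusted.gpg Release Release.gpg && echo "Release OK"
```

Running import_if_pinned against a key file whose fingerprint was never checked elsewhere defeats the point; the pinned value has to come from a channel other than the one the key file arrived over. verify_release is also the quickest way to tell the two failure modes in this thread apart: an empty Release.gpg and a Release.gpg that does not match its Release both fail, but gpgv reports which.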