FWIW, apt's behavior with Release files with multiple signatures is the same as gpgv's:
[EMAIL PROTECTED]:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <[EMAIL PROTECTED]>"
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>"

Now, if I remove the old key:

[EMAIL PROTECTED]:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Can't check signature: public key not found
gpgv: Signature made Tue Jan 3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>"
zsh: exit 2     gpgv --keyring ~/trusted.gpg Release.gpg Release

So multiply signed Release files will also break d-i, which uses gpg as above. debootstrap, which also uses gpgv, parses the output of its --status-fd option, and will succeed as long as one signature is valid. I'm working on making d-i use the same technique as debootstrap now.

-- 
see shy jo
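The debootstrap-style check described in the message above, written out as an added example (this is not code from the post, from debootstrap or from d-i). gpgv's exit status is non-zero as soon as any one signature cannot be checked, so the script ignores the exit status and instead reads the machine-readable --status-fd stream, accepting the file when at least one GOODSIG line is present. The function names, the sample status lines and the keyring path are assumptions made for the example; the sample lines are constructed to mirror the second transcript in the post (one unknown key, one good signature) and are not real gpgv output.

```shell
#!/bin/sh
# Added example: accept a multiply signed Release file when at least
# one signature verifies, regardless of gpgv's overall exit status.
# Not the post's, debootstrap's or d-i's own code.

# any_good_sig: read "gpgv --status-fd 1" output on stdin and return 0
# when at least one "[GNUPG:] GOODSIG" line is seen, 1 otherwise.
# Lines for keys that are missing (ERRSIG / NO_PUBKEY) are ignored,
# which is exactly the case that makes the plain exit status useless.
any_good_sig() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) found=0 ;;
        esac
    done
    return "$found"
}

# verify_release: verify a detached signature over a file against a
# keyring, sending status lines to stdout (fd 1) and the human-readable
# messages to stderr, then apply the "one good signature suffices" rule.
# The pipeline's status is any_good_sig's, not gpgv's.
# Usage (assumed paths): verify_release ~/trusted.gpg Release.gpg Release
verify_release() {
    keyring=$1; sig=$2; file=$3
    gpgv --status-fd 1 --keyring "$keyring" "$sig" "$file" 2>/dev/null | any_good_sig
}

# Constructed sample status stream (not captured from gpgv): the first
# signature's key is not in the keyring, the second verifies.
sample_one_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 4F368D5D 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 4F368D5D
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2D230C5F Debian Archive Automatic Signing Key (2006)
[GNUPG:] VALIDSIG 2D230C5F 2006-01-03 1136323245 0 3 0 17 2 00 2D230C5F
EOF
}

# Constructed sample where neither key is known: must be rejected.
sample_none_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 4F368D5D 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 4F368D5D
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 2D230C5F 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 2D230C5F
EOF
}

if sample_one_good | any_good_sig; then
    echo "one good signature: accepted"
fi
if ! sample_none_good | any_good_sig; then
    echo "no good signature: rejected"
fi
```

One caveat this rule leaves open: a BADSIG from a trusted key alongside a GOODSIG from another is still accepted, because only the presence of a GOODSIG line is checked; a stricter policy would also fail on any BADSIG line.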