FWIW, apt's behavior with Release files with multiple signatures is the
same as gpgv's:

[EMAIL PROTECTED]:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <[EMAIL 
PROTECTED]>"
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <[EMAIL 
PROTECTED]>"

now if I remove the old key:

[EMAIL PROTECTED]:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Can't check signature: public key not found
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <[EMAIL 
PROTECTED]>"
zsh: exit 2     gpgv --keyring ~/trusted.gpg Release.gpg Release

So multiply signed Release files will also break d-i, which uses gpg
as above.

debootstrap, which also uses gpgv, parses the output of its --status-fd
option, and will succeed as long as one signature is valid.

I'm working on making d-i use the same technique as debootstrap now.

-- 
see shy jo
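To make the technique concrete, here is an added example (not code from the post, debootstrap or d-i) of the status-parsing approach described above: instead of trusting gpgv's exit code, which is 2 whenever any one signature cannot be checked, it reads the machine-readable `--status-fd` lines and succeeds as soon as one GOODSIG appears. The status lines embedded below are constructed samples for the two runs shown in the post, not captured output; the key IDs are the short ones quoted in the post (real GOODSIG lines carry the long key ID), and the user IDs are abbreviated.

```shell
#!/bin/sh
# Added example: accept a Release file if gpgv reports at least one GOODSIG,
# ignoring NO_PUBKEY/ERRSIG for signatures made by keys not in the keyring.
# This mirrors the debootstrap behaviour described in the post; it is not
# debootstrap's own code.
#
# Real-world usage (assumes Release, Release.gpg and ~/trusted.gpg exist):
#   gpgv --status-fd 1 --keyring ~/trusted.gpg Release.gpg Release 2>/dev/null \
#       | release_sig_ok && echo "at least one good signature"

# Reads gpgv status lines on stdin.
# Returns 0 if any "[GNUPG:] GOODSIG" line is present, 1 otherwise.
release_sig_ok() {
    good=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
        esac
    done
    [ "$good" -eq 1 ]
}

# Counts signatures gpgv could not check because the key was missing.
# Useful for logging which keys a keyring is lacking, without failing.
count_missing_keys() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] NO_PUBKEY "*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed status output for the first run in the post: both keys present.
STATUS_BOTH='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4F368D5D Debian Archive Automatic Signing Key (2005)
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2D230C5F Debian Archive Automatic Signing Key (2006)'

# Constructed status output for the second run: the 2005 key removed from
# the keyring, so its signature cannot be checked, the 2006 one still good.
STATUS_MIXED='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 4F368D5D 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 4F368D5D
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2D230C5F Debian Archive Automatic Signing Key (2006)'

# Constructed status output with no usable key at all: must be rejected.
STATUS_NONE='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 4F368D5D 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 4F368D5D
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 2D230C5F 17 2 00 1136323245 9
[GNUPG:] NO_PUBKEY 2D230C5F'

# Stand-alone demonstration of the three cases.
for name in STATUS_BOTH STATUS_MIXED STATUS_NONE; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | release_sig_ok; then
        echo "$name: verified ($(printf '%s\n' "$data" | count_missing_keys) signature(s) unchecked)"
    else
        echo "$name: REJECTED, no good signature"
    fi
done
```

The point of the mixed case is that gpgv itself exits 2 there, which is exactly what breaks d-i; the parser above returns 0 because the 2006 signature verified against the keyring. Only keys actually in `--keyring` can ever produce GOODSIG, so the check still fails closed when none of the signing keys is trusted.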
