On Mon, Jul 02, 2007 at 11:35:19 +0100, Chris Lale wrote:

[ snip: discussion about how to check keys for unofficial repositories ]

> This works fine for backports.org and debian-multimedia.org. Unfortunately,
> the keyring from debian-unofficial.org is not signed in the same way:
>
> $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-unofficial-archive-keyring.gpg --list-sigs
> /usr/share/keyrings/debian-unofficial-archive-keyring.gpg
> ---------------------------------------------------------
> pub   1024D/24C52AC3 2007-01-24 [expires: 2008-02-01]
> uid                  Debian Unofficial Archive Automatic Signing Key (2007)
> sig 3        24C52AC3 2007-01-24  Debian Unofficial Archive Automatic Signing Key (2007)
> sig          4B2B2B9E 2007-01-24  [User ID not found]
>
> There is no such sig as 4B2B2B9E on the debian-keyring
>
> $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 4B2B2B9E
> gpg: error reading key: public key not found

Yes, it is strange that his key is not on the Debian keyring.

> or on a public keyserver
>
> $ gpg --keyserver hkp://subkeys.pgp.net --list-key 4B2B2B9E
> gpg: error reading key: public key not found

That is a really annoying "feature" of gnupg: Neither "--list-key(s)" nor
"--search-key(s)" work reliably with key IDs (in my experience at least);
you have to use "--recv-key(s)":

$ gpg --keyserver hkp://subkeys.pgp.net --recv-keys 4B2B2B9E
gpg: requesting key 4B2B2B9E from hkp server subkeys.pgp.net
gpg: key 4B2B2B9E: public key "Daniel Baumann <email address>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1

The key is added to your normal user's keyring directly.

> I think that the best one can do in this case is to take Daniel Baumann's name
> from the debian-unofficial website[1] and check that he has an entry in the
> Debian developer database[2].
>
> [1] http://www.debian-unofficial.org/
> [2] http://db.debian.org

I would still check the signature on the Debian Unofficial key after you have
obtained Daniel Baumann's key. (You can get the 4B2B2B9E key from a keyserver
as shown above, or you can click on the fingerprint link in the database [2]
to download the key and use "gpg --import" on the file.) Once the key is on
your keyring you can run:

$ gpg --keyring ./debian-unofficial-archive-keyring.gpg --check-sigs 24C52AC3
pub   1024D/24C52AC3 2007-01-24 [expires: 2008-02-01]
uid                  Debian Unofficial Archive Automatic Signing Key (2007)
sig!3        24C52AC3 2007-01-24  Debian Unofficial Archive Automatic Signing Key (2007)
sig!         4B2B2B9E 2007-01-24  Daniel Baumann

However, since I obtained the 4B2B2B9E key from an untrusted source I also
want to check the signatures of other Debian developers on this key:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 4B2B2B9E
[ snip: a lot of output ]

The signatures of more than 30 other Debian developers can be verified,
therefore it seems reasonable to trust this key and the archive signing key.

-- 
Regards,          | http://users.icfo.es/Florian.Kulzer
        Florian   |
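The manual check in the mail above (which signatures on an archive key verify, and which of the signers are known developer keys) can be scripted over gpg's machine-readable output. This is an added example, not code from the thread; it assumes the `--with-colons` record layout documented in GnuPG's DETAILS file, and the sample output and key IDs below are constructed.

```python
# Parse "gpg --with-colons --check-sigs <keyid>" output and report which
# signatures verified ("!"), which signers are in a trusted developer set, and
# which signer keys are still missing ("?", the "[User ID not found]" case).
# Field 1: record type; field 2: validity ("!" good, "-" bad, "?" no public
# key, "%" other error); field 5: long key ID; field 10: user ID; field 11:
# signature class (e.g. "13x" for a level-3 exportable certification).

# Constructed sample output: a self-signed archive key, one verified external
# signature and one signature whose signer key is not on the keyring.
SAMPLE_CHECK_SIGS = """\
pub:-:1024:17:00000000AAAAAAAA:2007-01-24:2008-02-01::-:::scESC:
uid:-::::2007-01-24::0000000000000000::Example Archive Automatic Signing Key (2007):
sig:!::17:00000000AAAAAAAA:2007-01-24::::Example Archive Automatic Signing Key (2007):13x:
sig:!::17:00000000BBBBBBBB:2007-01-24::::Example Developer <dev@example.org>:10x:
sig:?::17:00000000CCCCCCCC:2007-01-24::::[User ID not found]:10x:
"""


def parse_sigs(colon_output):
    """Return (validity, keyid, uid, sigclass) for every sig record."""
    sigs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        sigs.append((fields[1], fields[4], fields[9], fields[10]))
    return sigs


def external_verified_signers(colon_output, key_under_test):
    """Good ('!') signatures made by keys other than the key itself; a
    self-signature says nothing about who vouches for the key."""
    return sorted({keyid for validity, keyid, _uid, _cls in parse_sigs(colon_output)
                   if validity == "!" and keyid != key_under_test})


def developer_signers(colon_output, key_under_test, developer_keyids):
    """Verified external signers that are also in a trusted developer set
    (e.g. key IDs listed from /usr/share/keyrings/debian-keyring.gpg)."""
    return [k for k in external_verified_signers(colon_output, key_under_test)
            if k in developer_keyids]


def unverifiable_signers(colon_output):
    """Signer key IDs whose public key is missing; fetch these (as the mail
    does with --recv-keys) before deciding whether to trust the key."""
    return [keyid for validity, keyid, _uid, _cls in parse_sigs(colon_output)
            if validity == "?"]
```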