Package: apt Version: 3.0.3 Severity: serious When a repository is configured in /etc/apt/sources.list.d/repo.sources with "Signed-By:" listing multiple keyrings, apt 2.9.16 was comfortable with one of the keyrings not existing. In apt 3.0.3, the same configuration leads to a failure to update the Release/Packages/Sources for that repository.
Since this is a regression, I marked this as serious. But feel free to downgrade it, based on the documentation saying that the keyring files have to be accessible (which implies they must exist). Side note: It would be nice if the sources.list.5 manpage would include an example of Signed-By with a fingerprint specified. The syntax of doing so is currently unclear to me. Relevant file looks like this (URI and actual filenames stripped): Types: deb URIs: https://<internal_mirror> Suites: trixie Components: main Signed-by: /usr/share/keyrings/existing-keyring.gpg /usr/share/keyrings/missing-keyring.gpg As said above: That worked with apt 2.9.16, it fails in 3.0.3 (not sure about intermediate versions, but I assume this was introduced with 2.9.19 (switch to sequoia on supported platforms). Kind regards, Sven
