On Tue, Nov 23, 2021 at 04:24:21PM +0100, john doe wrote: > $gpg --keyserver keyring.debian.org --keyserve > r-options auto-key-retrieve --verify Release.gpg Release
The keyserver you're using holds developer's keys, not others like the role keys. From a Debian system and for the bullseye release file: $ gpg --no-default-keyring --no-auto-check-trustdb --keyring /usr/share/keyrings/debian-archive-bullseye-stable.gpg --verify Release.gpg Release [.. gpg noise ..] gpg: Signature made Sat 09 Oct 2021 10:49:02 BST gpg: using RSA key A4285295FC7B1A81600062A9605C66F00D6C9793 gpg: issuer "debian-release@lists.debian.org" gpg: Good signature from "Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793 Substitute other keyrings for different suites. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
