Hi, That is not correct. Missing key does not disable installation feature of package manager.
1. You can import key manually. Like this: sudo apt-key adv –keyserver subkeys.pgp.net –recv-keys XXXXXX 2. Even with non-imported key apt-get/aptitude will allow you to install software (including debian-keyring), though it will ask extra question if you trust this repository without key in your system like this: Requires installation of untrusted packages The action would require the installation of packages from unauthenticated sources. Or even you can avoid such mesage with --allow-unauthenticated option. -- wbr, rush. 17.10.2014, 20:30, "David Hubner" <david.hub...@smoothwall.net>: > Hi, > > I am just wondering about a hypothetical situation where the master GPG key > used for signing the debian archive was stolen. After creating a new master > key and getting a new public key into the debian-keyring package, how would > you get that to users? > > I mean if you resigned the release file after the attack happened with a new > master key that would mean nobody could apt-get the debian-keyring package > for the new public key. > > I am wondering if I am missing something. Is there a process for this > possibility? > > Thanks > -- > David Hubner > Software Engineer > > david.hub...@smoothwall.net > > Smoothwall Ltd > 1 John Charles Way, Leeds, LS12 6QA United Kingdom > Telephone: USA: 1 800 959 3760 Europe: +44 (0) 8701 999500 > www.smoothwall.net > > Smoothwall Limited is registered in England, Company Number: 4298247. This > email and any attachments transmitted with it are confidential to the > intended recipient(s) and may not be communicated to any other person or > published by any means without the permission of Smoothwall Limited. Any > opinions stated in this message are solely those of the author. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/929031413564...@web27h.yandex.ru
