On Dec 6, 2006, at 3:43 AM, Florian Kulzer wrote:
There seems to be some confusion between two different issues:

1) There is a new archive signing key for Etch. The Release files are
   currently signed with both the new and the old key. Apt is satisfied
   with the old signature, but it will alert you to the fact that there
   is an additional signature with a key that apt does not know. The
   error message is something like "unknown key" or "unknown signature"
   (I don't remember the exact wording right now). As others have
   already pointed out, installing the debian-archive-keyring will take
   care of this automatically, for now and for all new keys in the
   future.

2) The "invalid signature" error of gpg is something completely
   different. Apt knows the used keys but the Release files have
   incorrect signatures. In the worst-case scenario this means that
   someone has taken over the MIT site and tries to achieve world
   domination by putting doctored packages on people's computers. (The
   whole point of the archive signing is to protect you against this.
   If I manage to slip a manipulated package into your installation
   process then I can do more or less whatever I want on your machine
   since the installation scripts from this package will run with root
   privileges.)

   More likely, however, there is just a synchronization problem with
   the MIT mirror. You can get the "bad signature" error if you update
   while the mirror is in the middle of its synchronization procedure. If
   you get this message all the time then you should send an email to
   the maintainer of the MIT mirror to make him/her aware of the
   problem.

Thanks Florian! This helps.
Rick
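
The two cases described in the quoted mail can be told apart from gpg's machine-readable status lines (as written by --status-fd). This is an added example, not part of the original thread and not apt's own code; the key IDs and status lines are constructed samples, and the accept/reject policy is an assumption that follows the mail's description.

```python
# Added illustration: classify gpg status output for a signed Release file.
# Key IDs and status lines are constructed samples, not real archive keys.
from collections import defaultdict

PREFIX = "[GNUPG:] "

def parse_status(text):
    """Group key IDs by gpg status keyword (GOODSIG, BADSIG, NO_PUBKEY, ...)."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # ignore human-readable output mixed into the stream
        fields = line[len(PREFIX):].split()
        if len(fields) >= 2:
            seen[fields[0]].add(fields[1])
    return seen

def classify(text):
    """Map the status output for one Release file to the cases in the mail."""
    seen = parse_status(text)
    if seen["BADSIG"]:
        # Case 2: key is known but the signature does not match the file.
        # Tampering and a half-synced mirror look identical here.
        return "bad-signature"
    if seen["GOODSIG"] and seen["NO_PUBKEY"]:
        # Case 1: one trusted signature verified, another key is unknown.
        return "ok-unknown-key"
    if seen["GOODSIG"]:
        return "ok"
    return "unverified"  # no good signature at all: do not trust the file

# Constructed: Release signed by a known old key and an unknown new key.
DUAL_SIGNED = """\
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Old Archive Key (constructed)
[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 17 2 00 1165400000 9
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
"""
# Constructed: known key, but the signature does not match the Release file.
BAD_SIG = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Old Archive Key (constructed)\n"
# Constructed: only the unknown key signed, so nothing was verified.
ONLY_UNKNOWN = """\
[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 17 2 00 1165400000 9
[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB
"""

if __name__ == "__main__":
    for name, sample in [("dual-signed", DUAL_SIGNED), ("bad sig", BAD_SIG),
                         ("only unknown key", ONLY_UNKNOWN)]:
        print(name, "->", classify(sample))
```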