On Sat, Jun 23, 2007 at 17:28:19 +0100, Chris Lale wrote:
> Bob Proulx wrote:

[...]

> > In backports-users Alexander Wirt wrote:
> >> I have uploaded the bpo keyring to the archive which makes it
> >> possible to add the bpo archive signing key via apt-get install
> >> debian-backports-keyring to your apt keyring. I hope I haven't missed
> >> anything but please test it.
> >
> > apt-cache show debian-backports-keyring
> >
> > Description: GnuPG archive key of the backports.org repository
> > The backports repository digitally signs its Release files. This package
> > contains the repository key used for that.
> >
>
> Thanks Bob! You learn something new every day. :)
>
> I might add that this package comes from the debian-backports repository
> itself, so you need to add the repository to /etc/apt/sources.list,
> "aptitude update", ignore the GPG error and "aptitude install
> debian-backports-keyring" to avoid GPG errors in future.

After installing the debian-backports-keyring package I would at least
check the signatures of the new key, like this:

--------------------
$ cd /usr/share/keyrings/
$ gpg --no-default-keyring --keyring ./debian-backports-keyring.gpg --keyring ./debian-keyring.gpg --check-sig "Backports.org Archive Key"
pub 1024D/16BA136C 2005-08-21
uid Backports.org Archive Key
sig! 7E7B8AC9 2005-11-20 Joerg Jaspert
sig!3 16BA136C 2005-08-21 Backports.org Archive Key
sig!3 16BA136C 2005-08-21 Backports.org Archive Key
sub 2048g/5B82CECE 2005-08-21
sig! 16BA136C 2005-08-21 Backports.org Archive Key

1 signature not checked due to a missing key
--------------------

(I have removed all email addresses from the output of the gpg command.)

Then you know at least that the new key has been signed by Joerg Jaspert
and you checked his signature using his public key from the
debian-keyring package. (The second signature cannot be checked because
that key is not part of the Debian keyring.)

An even better approach would be to download the Backports.org Archive
Key manually and to check the signature before adding the new key to
apt's keyring. (Installing the debian-backports-keyring package directly
means that an unverified post-installation script has root on your
computer, therefore you cannot really trust anything after that,
including the keys on the Debian keyring.)

P.S. The same goes for the debian-multimedia-keyring package.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
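
As an added example (not part of the original message): a shell filter over the `--check-sig` listing quoted above that separates verified signatures made by other keys from the key's self-signatures, and reports signatures gpg could not check. The function names are made up for this example and the embedded listing is the one from the message; when scripting against a live gpg, its `--with-colons` output is the stable format to parse.

```shell
#!/bin/sh
# Added example: classify the signatures in a `gpg --check-sig` listing.
# Function names are hypothetical; the sample is the listing from the message.

sample_listing() {
cat <<'EOF'
pub 1024D/16BA136C 2005-08-21
uid Backports.org Archive Key
sig! 7E7B8AC9 2005-11-20 Joerg Jaspert
sig!3 16BA136C 2005-08-21 Backports.org Archive Key
sig!3 16BA136C 2005-08-21 Backports.org Archive Key
sub 2048g/5B82CECE 2005-08-21
sig! 16BA136C 2005-08-21 Backports.org Archive Key

1 signature not checked due to a missing key
EOF
}

# Print "KEYID NAME" for every verified signature ("sig!", optionally followed
# by a certification level digit) that was NOT made by the key itself.
# Self-signatures prove nothing about who controls the key, so they are skipped.
good_sigs_by_others() {
    awk '
        $1 == "pub" { split($2, a, "/"); primary = a[2] }
        $1 ~ /^sig![0-9]?$/ && $2 != primary && !seen[$2]++ {
            name = $4
            for (i = 5; i <= NF; i++) name = name " " $i
            print $2 " " name
        }'
}

# Count signatures gpg flagged as bad ("sig-") or uncheckable due to an error ("sig%").
failed_sigs() {
    awk '$1 ~ /^sig[-%]/ { n++ } END { print n + 0 }'
}

# Number of signatures gpg skipped because the signer key is in neither keyring.
unchecked_sigs() {
    awk '/signatures? not checked due to/ { n = $1 } END { print n + 0 }'
}

# Succeeds only if the listing has a verified signature from key ID $1, which
# must belong to a signer whose key you already trust (here: from debian-keyring).
# Short key IDs are used because that is what the listing prints.
vouched_by() {
    good_sigs_by_others | grep -q "^$1 "
}

sample_listing | good_sigs_by_others
```
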