Florian Kulzer wrote: [...] > > Here is a procedure for paranoid people, starting after your step 2; all > these commands should be run as an unprivileged user. (The key is > extracted manually and added to the unprivileged user's keyring; then it > can be checked without risk.) > > aptitude download debian-backports-keyring > mkdir tempdir > dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/ > mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg . > rm -rf tempdir/ > gpg --import debian-backports-keyring.gpg > gpg --list-sig 16BA136C > gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 16BA136C > > If the key has a valid signature of a Debian developer then you can > export it and add it to apt's key ring. (See my earlier mail.) After > that you can install the desired backports packages, including the > backports keyring package for convenience in case of future key updates. > > BTW, the debian-multimedia archive is a special case since Christian > Marillat does not use a dedicated archive key; he signs the release > files with his normal public key. This key is already included in the > debian-keyring package, so you can simply (and safely) export the key > from this keyring and feed it to apt: > > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg -a > --export 1F41B907 | sudo apt-key add - >
This works fine for backports.org and debian-multimedia.org. Unfortunately, the keyring from debian-unofficial.org is not signed in the same way: $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-unofficial-archive-keyring.gpg --list-sigs /usr/share/keyrings/debian-unofficial-archive-keyring.gpg --------------------------------------------------------- pub 1024D/24C52AC3 2007-01-24 [expires: 2008-02-01] uid Debian Unofficial Archive Automatic Signing Key (2007) <[EMAIL PROTECTED]> sig 3 24C52AC3 2007-01-24 Debian Unofficial Archive Automatic Signing Key (2007) <[EMAIL PROTECTED]> sig 4B2B2B9E 2007-01-24 [User ID not found] There is no such sig as 4B2B2B9E on the debian-keyring $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 4B2B2B9E gpg: error reading key: public key not found or on a public keyserver $ gpg --keyserver hkp://subkeys.pgp.net --list-key 4B2B2B9E gpg: error reading key: public key not found I think that the best one can do in this case is to take Daniel Baumann's name from the debian-unofficial website[1] and check that he has an entry in the Debian developer database[2]. [1] http://www.debian-unofficial.org/ [2] http://db.debian.org -- Chris. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
