Florian Kulzer wrote:
> [...]

Thanks Florian. Comprehensive, as usual!

I think you have now covered all possibilities:

1. Checking an unofficial repository's keyring against the official Debian keyring.
2. Checking an unofficial repository's keyring against the personal key of the repository's maintainer.
3. Checking an unofficial repository's keyring against the personal key of the repository's maintainer whose User ID is not found.

Thanks for the tip about using "--recv-key(s)" with key IDs. :)

>> There is no such sig as 4B2B2B9E on the debian-keyring
>> >
>> > $ gpg --no-default-keyring --keyring
>> > /usr/share/keyrings/debian-keyring.gpg --check-sig 4B2B2B9E
>> > gpg: error reading key: public key not found
>
> Yes, it is strange that his key is not on the Debian keyring.
>

It seems that this is an outstanding debian-keyring bug dating from 16 Feb 2005: #295527 "horribly outdated"[1]. A bug reply mentions a local updated, unofficial version by Roland Stigge: debian-keyring_2006.10.11_all.deb[2] dated 11-Oct-2006.

I downloaded and extracted it using your previous method:

$ mkdir tempdir
$ dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/
$ mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg .
$ rm -rf tempdir/

Then I checked for 4B2B2B9E and got a match!

$ gpg --no-default-keyring --keyring ~/downloads/debs/debian-keyring.gpg --check-sig 4B2B2B9E
gpg: checking the trustdb
gpg: public key 3C093EEF is 29789 seconds newer than the signature
gpg: public key 3C093EEF is 29789 seconds newer than the signature
gpg: public key 3C093EEF is 29789 seconds newer than the signature
gpg: public key of ultimately trusted key ECB41FF5 not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/4B2B2B9E 2004-06-20
uid Daniel Baumann <[EMAIL PROTECTED]>
[...]
sig!3 307D56ED 2004-09-18 Noèl Köthe <[EMAIL PROTECTED]>
sig!3 9B7C328D 2005-03-30 Luk Claes <[EMAIL PROTECTED]>
sig!3 4B2B2B9E 2004-06-20 Daniel Baumann <[EMAIL PROTECTED]>
sig!3 4B2B2B9E 2004-06-20 Daniel Baumann [...]

1 bad signature
535 signatures not checked due to missing keys

How well do you think I can trust this debian-keyring_2006.10.11_all.deb package?

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295527
[2] http://people.debian.org/~stigge/packages/

-- 
Chris.
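
A small parser for listings like the --check-sig output in the message above, as an added example that is not part of the original post: it separates the key's self-signature from verified signatures made by other keys and reports which of those signers are in a set of key IDs the reader has already verified by some other route. The function name, the `already_trusted` parameter and the sample listing are constructed for illustration; the line layout is assumed to be the `pub 1024D/KEYID` and `sig!3 KEYID date name` form shown in the message.

```python
import re

# "sig" is followed by a status flag: "!" verified, "-" bad, "%" error while checking.
# An optional certification level (0-3) and flag letters may follow before the key ID.
SIG_RE = re.compile(r"^sig([!%-])[0-3]?[ A-Z]*\s([0-9A-F]{8,40})\s+\d{4}-\d{2}-\d{2}")
PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8,40})\s")

def summarize_check_sigs(listing, already_trusted=frozenset()):
    """Return {key_id: summary} for every "pub" block in a --check-sig listing."""
    result, key_id = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        pub = PUB_RE.match(line)
        if pub:
            key_id = pub.group(1)
            result[key_id] = {"self_signed": False, "good_others": set(),
                              "bad": set(), "error": set()}
            continue
        sig = SIG_RE.match(line)
        if not sig or key_id is None:
            continue  # gpg: diagnostics, uid lines, elisions
        flag, signer = sig.groups()
        entry = result[key_id]
        if flag == "-":
            entry["bad"].add(signer)
        elif flag == "%":
            entry["error"].add(signer)
        elif signer == key_id:
            entry["self_signed"] = True   # says nothing about who owns the key
        else:
            entry["good_others"].add(signer)
    for entry in result.values():
        # Only signers verified through another channel count as evidence.
        entry["trusted_signers"] = entry["good_others"] & set(already_trusted)
    return result

# Constructed sample listing (key IDs, names and addresses are made up).
SAMPLE = """\
gpg: checking the trustdb
pub   1024D/AAAA1111 2004-06-20
uid                  Example Maintainer <maintainer@example.org>
sig!3        AAAA1111 2004-06-20  Example Maintainer <maintainer@example.org>
sig!3        BBBB2222 2004-09-18  Example Signer One <one@example.org>
sig!         CCCC3333 2005-03-30  Example Signer Two <two@example.org>
sig-3        DDDD4444 2005-04-01  Example Signer Three <three@example.org>
"""

if __name__ == "__main__":
    for kid, info in summarize_check_sigs(SAMPLE, {"CCCC3333"}).items():
        print(kid, info)
```

A "sig!" line only shows that the signature verifies against a public key in the keyring being read, so the result is as trustworthy as that keyring and the IDs passed in `already_trusted`.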