On Tue, Jul 03, 2007 at 09:55:20 +0100, Chris Lale wrote:

[...]

> It seems that this is an outstanding debian-keyring bug dating from 16 Feb
> 2005:
> #295527 "horribly outdated"[1].
>
> A bug reply mentions a local updated, unofficial version by Roland Stigge:
> debian-keyring_2006.10.11_all.deb[2] dated 11-Oct-2006. I downloaded and
> extracted it using your previous method:
>
> $ mkdir tempdir
> $ dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/
> $ mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg .
> $ rm -rf tempdir/
>
> Then I checked for 4B2B2B9E and got a match!
>
> $ gpg --no-default-keyring --keyring ~/downloads/debs/debian-keyring.gpg
> --check-sig 4B2B2B9E
> gpg: checking the trustdb
> gpg: public key 3C093EEF is 29789 seconds newer than the signature

I don't see this when I do the same. 8 hours difference; a timezone
configuration problem, maybe?

> gpg: public key of ultimately trusted key ECB41FF5 not found

The "ultimately trusted" key should be your own. Did you experiment with
gpg in the past and generate a key (pair) which you deleted again?

> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
> pub 1024D/4B2B2B9E 2004-06-20
> uid Daniel Baumann
> [...]
> sig!3 307D56ED 2004-09-18 Noèl Köthe
> sig!3 9B7C328D 2005-03-30 Luk Claes
> sig!3 4B2B2B9E 2004-06-20 Daniel Baumann
> sig!3 4B2B2B9E 2004-06-20 Daniel Baumann
> [...]
> 1 bad signature
> 535 signatures not checked due to missing keys
>
> How well do you think I can trust this debian-keyring_2006.10.11_all.deb
> package?

It certainly increases trust if a key(ring) checks out from many
different sources. However, I think that the most important thing is
being able to verify signatures with the keys from the debian-keyring
package.

> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295527
> [2] http://people.debian.org/~stigge/packages/

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |