FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 03-29-2012, 01:12 AM
Paul E Condon
 
Default repository signing keys update HOW?

I have forgotten how to install the latest official signing keys for
the package repositories, and I can't even remember search terms that
take me to the information. I am getting reports from aptitude that
signitures are unverified on release and index files. I think it should
happen automatically, but apparently it did not.

Please remind me where I can get this.

--
Paul E Condon
pecondon@mesanetworks.net


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120329011232.GA8146@big.lan.gnu">http://lists.debian.org/20120329011232.GA8146@big.lan.gnu
 
Old 03-29-2012, 01:37 AM
Scott Ferguson
 
Default repository signing keys update HOW?

On 29/03/12 12:12, Paul E Condon wrote:
> I have forgotten how to install the latest official signing keys for
> the package repositories, and I can't even remember search terms that
> take me to the information. I am getting reports from aptitude that
> signitures are unverified on release and index files. I think it should
> happen automatically, but apparently it did not.
>
> Please remind me where I can get this.
>
The clue is "keys" :-)


"apt-cache search keyring" and choose according to your needs
(debian-keyring at a minimum)


More specific information could be provided if you'd given *any*
information on what you have/want installed ;-p


Kind regards

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F73BCF3.9020709@gmail.com">http://lists.debian.org/4F73BCF3.9020709@gmail.com
 
Old 03-29-2012, 02:08 AM
Paul E Condon
 
Default repository signing keys update HOW?

On 20120329_123755, Scott Ferguson wrote:
> On 29/03/12 12:12, Paul E Condon wrote:
> > I have forgotten how to install the latest official signing keys for
> > the package repositories, and I can't even remember search terms that
> > take me to the information. I am getting reports from aptitude that
> > signitures are unverified on release and index files. I think it should
> > happen automatically, but apparently it did not.
> >
> > Please remind me where I can get this.
> >
> The clue is "keys" :-)
>
>
> "apt-cache search keyring" and choose according to your needs
> (debian-keyring at a minimum)

I am getting error messages when attempting to update release and
index files for the repository itself. These are provided, I think, in
the package debian-keyring (so keys search did not work and I had used
other means to find this ;-) But on the affected computer debian-keyring
is shown by aptitude to be not installed. So proper updating must have
stopped when the keys used in the initial install expired. Now I need
to used some direct means, such as wget, or something which I can't
remember, against a special keyring server, whose URL I also can't
remember. I need help remembering. Once I find the page I need, I'm
sure I will have no trouble understanding, and doing what needs to
be done.

And thanks for mentioning (debian-keyring at a minimum) The
descriptive phrase confirmed my guess that this was the one I needed
the contents of. I need an alternative method of getting the contents
since aptitude is in need of new keys to start working again.

Please keep up the good help!
--
Paul E Condon
pecondon@mesanetworks.net


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120329020842.GB8146@big.lan.gnu">http://lists.debian.org/20120329020842.GB8146@big.lan.gnu
 
Old 03-29-2012, 06:32 AM
Andrei POPESCU
 
Default repository signing keys update HOW?

On Jo, 29 mar 12, 12:37:55, Scott Ferguson wrote:
>
> "apt-cache search keyring" and choose according to your needs
> (debian-keyring at a minimum)

Did you mean debian-archive-keyring? debian-keyring contains the keys of
*all* Debian Developers and is usually not needed.

> More specific information could be provided if you'd given *any*
> information on what you have/want installed ;-p

Yes, please, and a copy-paste of the error messages.

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 03-29-2012, 07:04 AM
Scott Ferguson
 
Default repository signing keys update HOW?

On 29/03/12 13:08, Paul E Condon wrote:
> On 20120329_123755, Scott Ferguson wrote:
>> On 29/03/12 12:12, Paul E Condon wrote:
>>> I have forgotten how to install the latest official signing keys for
>>> the package repositories,


<snipped>
>
> I am getting error messages when attempting to update release and
> index files for the repository itself.

I've had various key-signing errors in the past.
Usually part of the error message has been the means of resolving the
error - I've used it to search for the up-to-date keys from various
key-servers

> These are provided, I think, in
> the package debian-keyring (so keys search did not work and I had used
> other means to find this ;-) But on the affected computer debian-keyring
> is shown by aptitude to be not installed.

I haven't used aptitude for over a decade, but I'd be surprised if it
didn't allow you to ignore authentication if you wish (as apt can).



> So proper updating must have
> stopped when the keys used in the initial install expired. Now I need
> to used some direct means, such as wget,

http://packages.debian.org/search?keywords=debian-keyring&searchon=names&suite=all&section=all

> or something which I can't
> remember, against a special keyring server, whose URL I also can't
> remember.

hkp://keys.gnupg.net
hkp://pgp.dtype.org
hkp://search.keyserver.net
hkp://subkeys.pgp.net
hkp://wwwkeys.pgp.net
hkp://wwwkeys.us.pgp.net


http://keyring.debian.org/

> I need help remembering. Once I find the page I need, I'm
> sure I will have no trouble understanding, and doing what needs to
> be done.
>
> And thanks for mentioning (debian-keyring at a minimum) The
> descriptive phrase confirmed my guess that this was the one I needed
> the contents of. I need an alternative method of getting the contents
> since aptitude is in need of new keys to start working again.

Not really - pretty sure it'll work without authorization - but the
links should help you.

<snipped>


Kind regards


--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F740965.5020605@gmail.com">http://lists.debian.org/4F740965.5020605@gmail.com
 
Old 03-29-2012, 07:08 AM
Scott Ferguson
 
Default repository signing keys update HOW?

On 29/03/12 17:32, Andrei POPESCU wrote:
> On Jo, 29 mar 12, 12:37:55, Scott Ferguson wrote:
>>
>> "apt-cache search keyring" and choose according to your needs
>> (debian-keyring at a minimum)
>
> Did you mean debian-archive-keyring?

Yes!
Thanks for the correction.

> debian-keyring contains the keys of
> *all* Debian Developers and is usually not needed.

<snipped>


Kind regards

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F740A6B.3090403@gmail.com">http://lists.debian.org/4F740A6B.3090403@gmail.com
 
Old 03-29-2012, 07:34 AM
Per Carlson
 
Default repository signing keys update HOW?

Hi Paul

> And thanks for mentioning (debian-keyring at a minimum) The
> descriptive phrase confirmed my guess that this was the one I needed
> the contents of. I need an alternative method of getting the contents
> since aptitude is in need of new keys to start working again.

The latest debian-archive-keyring can be found here:
http://ftp.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb

Pick it up with wget, check that the MD5/SHA1/SHA256 sum is
correct[0], and finally install it with dpkg --install. After that
aptitude should be happy again

[0]: From the stable Packages.gz file
(http://ftp.us.debian.org/debian/dists/stable/main/binary-amd64/Packages.gz):

Package: debian-archive-keyring
Priority: important
Section: misc
Installed-Size: 64
Maintainer: Debian Release Team <packages@release.debian.org>
Architecture: all
Version: 2010.08.28
Depends: gnupg
Filename: pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb
Size: 19880
MD5sum: 44009076e0e7ac560103000889b35bf5
SHA1: 8ee7d7a5f6ee6361d5f8dc2964659c83b785eb04
SHA256: ddb89cf73369b34183dd74677d2f0031e75a1f0c52a9f908b5 449685b7b98001
Description: GnuPG archive keys of the Debian archive
The Debian project digitally signs its Release files. This package
contains the archive keys used for that.
Tag: role::data, security::authentication, suite::debian

--
Pelle

"D’ä e å, vett ja”, skrek ja, för ja ble rasen,
”å i åa ä e ö, hörer han lite, d’ä e å, å i åa ä e ö"
- Gustav Fröding, 1895


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CAOURYnBvSAZDPmr0chyeBppxm1rgfRjCgfkk+56fjvqYUw4C5 w@mail.gmail.com">http://lists.debian.org/CAOURYnBvSAZDPmr0chyeBppxm1rgfRjCgfkk+56fjvqYUw4C5 w@mail.gmail.com
 
Old 03-29-2012, 12:00 PM
Martin Steigerwald
 
Default repository signing keys update HOW?

Am Donnerstag, 29. Mrz 2012 schrieb Paul E Condon:
> On 20120329_123755, Scott Ferguson wrote:
> > On 29/03/12 12:12, Paul E Condon wrote:
> > > I have forgotten how to install the latest official signing keys
> > > for the package repositories, and I can't even remember search
> > > terms that take me to the information. I am getting reports from
> > > aptitude that signitures are unverified on release and index
> > > files. I think it should happen automatically, but apparently it
> > > did not.
> > >
> > > Please remind me where I can get this.
> >
> > The clue is "keys" :-)
> >
> >
> > "apt-cache search keyring" and choose according to your needs
> > (debian-keyring at a minimum)
>
> I am getting error messages when attempting to update release and
> index files for the repository itself. These are provided, I think, in
> the package debian-keyring (so keys search did not work and I had used
> other means to find this ;-) But on the affected computer
> debian-keyring is shown by aptitude to be not installed. So proper
> updating must have stopped when the keys used in the initial install
> expired. Now I need to used some direct means, such as wget, or
> something which I can't remember, against a special keyring server,
> whose URL I also can't remember. I need help remembering. Once I find
> the page I need, I'm sure I will have no trouble understanding, and
> doing what needs to be done.

If you trust the server you should be able to install the keyring package
despite the warning. Apt should give you are way to install it
nonetheless.

Otherwise use gpg --recv-keys, gpg --export and apt-key add with the key
id that apt tells you missing.

I bet thats all easily findable on the web.

--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 201203291400.40517.Martin@lichtvoll.de">http://lists.debian.org/201203291400.40517.Martin@lichtvoll.de
 
Old 03-29-2012, 12:09 PM
Martin Steigerwald
 
Default repository signing keys update HOW?

Am Donnerstag, 29. März 2012 schrieb Per Carlson:
> Hi Paul
>
> > And thanks for mentioning (debian-keyring at a minimum) The
> > descriptive phrase confirmed my guess that this was the one I needed
> > the contents of. I need an alternative method of getting the contents
> > since aptitude is in need of new keys to start working again.
>
> The latest debian-archive-keyring can be found here:
> http://ftp.us.debian.org/debian/pool/main/d/debian-archive-keyring/debi
> an-archive-keyring_2010.08.28_all.deb
>
> Pick it up with wget, check that the MD5/SHA1/SHA256 sum is
> correct[0], and finally install it with dpkg --install. After that
> aptitude should be happy again
>
> [0]: From the stable Packages.gz file
> (http://ftp.us.debian.org/debian/dists/stable/main/binary-amd64/Package
> s.gz):

Hmmm, thats seems better to me than just trust the server, but otherwise,
if the server was compromised the Packages.gz file could have been replaced
as well.

One could download the package from two or three servers and then compare
them. But that could fail is the master replica was compromised.

But then also a key server used with gpg --recv-keys could have been
compromised.

Well one could also check fingerprints against:

http://ftp-master.debian.org/keys.html

While also checking the announcement mails linked from there.

I think it would be highly, highly unlikely if all that was compromised.

Well here is my variant which you could also compare too - although there
is no guarentee that my variant is the uncomprimised one, it would raise
confidence in authenticity if all those sources I mentioned match each
other .

merkaba:~> LANG=C apt-key finger
/etc/apt/trusted.gpg
--------------------
pub 1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
Key fingerprint = 7F5A 4445 4C72 4A65 CBCD 4FB1 4D27 0D06 F425 84E6
uid Lenny Stable Release Key <debian-
release@lists.debian.org>

pub 4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
Key fingerprint = 150C 8614 919D 8446 E01E 83AF 9AA3 8DCD 55BE 302B
uid Debian Archive Automatic Signing Key (5.0/lenny)
<ftpmaster@debian.org>

pub 2048R/6D849617 2009-01-24 [expires: 2013-01-23]
Key fingerprint = F6CF DE30 6133 3CE2 A43F DAF0 DFD9 9330 6D84 9617
uid Debian-Volatile Archive Automatic Signing Key
(5.0/lenny)

pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-
release@lists.debian.org>

pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze)
<ftpmaster@debian.org>

pub 4096R/E79C8BAB 2010-03-05
Key fingerprint = D260 1480 31EB 4FD5 643E B695 93DD 2AE2 E79C 8BAB
uid Debian pkg-kde repository signing key (http://pkg-
kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>

pub 1024D/1F41B907 1999-10-03
Key fingerprint = 1D7F C53F 80F8 52C1 88F4 ED0B 07DC 563D 1F41 B907
uid Christian Marillat <marillat@debian.org>
uid Christian Marillat <marillat@free.fr>
sub 1536g/C28DCC42 1999-10-03
sub 1024D/5D3877A7 2002-08-26
[…]

Ciao,
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 201203291409.42069.Martin@lichtvoll.de">http://lists.debian.org/201203291409.42069.Martin@lichtvoll.de
 

Thread Tools




All times are GMT. The time now is 03:22 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org