Re: gpg key change

Author: Frank Hartmann
Date:  
To: dmo-discussion
Subject: Re: gpg key change
Christian Marillat <marillat@???> writes:

> On 13 janv. 2015 22:14, Andrew Engelbrecht <sudoman@???> wrote:
>
>> did you change your gpg key for the deb-multimedia archive?
>
> Yes. Should not be a problem if the deb-multimedia-keyring package is
> installed.
>
> For now only testing and unstable are signed with the new 4096 key, so
> my site still talks about the old 1024 key.


Hi,

I hope this is not too much off-topic: Just out of interest, how is such
a GPG key change supposed to work?

And I am worried, because I did just now:

$ sudo apt-get update


And got the message: ... NO_PUBKEY 5C808C2B65558117

Then I reread this thread and did:

$ sudo apt-get install deb-multimedia-keyring

This succeeded. Then I started to wonder why this worked and downloaded:

$ wget http://www.deb-multimedia.org/dists/wheezy/Release
$ wget http://www.deb-multimedia.org/dists/wheezy/Release.gpg

$ gpg --keyid-format LONG -v  Release.gpg 
gpg: armor header: Version: GnuPG v1
Detached signature.
Please enter name of data file: Release
gpg: Signature made Di 27 Jan 2015 20:40:38 CET
gpg:                using RSA key 5C808C2B65558117
gpg: Can't check signature: public key not found


So why was apt installing the package which was signed by an unknown
key? I would have hoped that it would refuse to install after having
received a wrong-key-signed update.

And if the above interpretation is correct: What should I have done after:

$ sudo apt-get update

in order to get rid of the data which was improperly signed? It looks to
me that apt is currently just warning and continues happily after that.

kind regards
Frank
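The question above is really "how do I notice that a repository's signing key changed, rather than just that a key is missing?". apt checks Release.gpg by running gpgv and reading its machine-readable status stream (`[GNUPG:] TAG ...` records). The following is an added example, not apt's code and not from anyone in this thread: it classifies such a status stream against a pinned set of key IDs, so that a good signature from a key you have not pinned is flagged instead of accepted. The status lines and the placeholder pinned key are constructed; only the key ID 5C808C2B65558117 comes from the thread.

```python
"""Classify a gpgv --status-fd run that checks an apt Release signature.

Example code (not apt's own logic): turn gpgv status records into a
verdict against a pinned set of signing keys, so a silently changed
repository key is reported as a key change, not waved through.
"""
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: bool
    reason: str
    keys: list = field(default_factory=list)


def verify_status(status_lines, pinned_keys):
    """pinned_keys: long (16 hex) key IDs or full (40 hex) fingerprints."""
    pinned = {k.upper() for k in pinned_keys}
    good, missing, bad, unchecked = [], [], [], []
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue                          # not a status record with a key
        tag, key = parts[1], parts[2].upper()
        if tag in ("GOODSIG", "VALIDSIG"):    # long key ID resp. fingerprint
            good.append(key)
        elif tag == "NO_PUBKEY":
            missing.append(key)
        elif tag in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad.append(key)
        elif tag == "ERRSIG":                 # accompanies NO_PUBKEY or other errors
            unchecked.append(key)
    if bad:
        return Verdict(False, "bad, expired-key or revoked-key signature", bad)
    if good:
        # Accept only a pinned signer: match the key ID or the fingerprint suffix.
        if any(k in pinned or k[-16:] in pinned for k in good):
            return Verdict(True, "good signature from pinned key", good)
        return Verdict(False, "good signature but signer not pinned (key change?)", good)
    if missing:
        return Verdict(False, "signed by unknown key (NO_PUBKEY)", missing)
    if unchecked:
        return Verdict(False, "signature could not be checked", unchecked)
    return Verdict(False, "no signature found", [])


# Constructed sample runs (shape of `gpgv --status-fd 1` output).
UNKNOWN_KEY_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 5C808C2B65558117 1 8 00 1422387638 9",
    "[GNUPG:] NO_PUBKEY 5C808C2B65558117",
]
NEW_KEY_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 5C808C2B65558117 Example Archive Signing Key",
    "[GNUPG:] VALIDSIG " + "F" * 24 + "5C808C2B65558117 2015-01-27 1422387638 0 4 0 1 8 00",
]
OLD_KEY_PIN = {"0123456789ABCDEF"}   # placeholder for the previously pinned key
```

Run against `OLD_KEY_PIN`, the first sample reports an unknown key (what apt-get update warned about) and the second reports a good signature from an unpinned key, which is the key change itself.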