why do we need old keys in our debian-archive-keyring ?

Dear all,

Please CC me while answering as I'm not subscribed to the list, sorry.

I was looking at the output of $ apt-key list and saw the following -

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
      12D4 CD60 0C22 40A9 F4A8  2071 D7B0 B669 41D0 1538
uid           [ unknown] riot.im packages <packages@xxxxxxx>
sub   rsa3072 2019-04-15 [S] [expires: 2021-04-14]

pub   rsa4096 2019-04-15 [SC] [expires: 2024-04-13]
      AAF9 AE84 3A75 84B5 A3E4  CD2B CF45 A512 DE2D A058
uid           [ unknown] matrix.org packages <packages@xxxxxxxxxx>
sub   rsa3072 2019-04-15 [S] [expires: 2021-04-14]

pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key
(9/stretch) <ftpmaster@xxxxxxxxxx>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key
(8/jessie) <ftpmaster@xxxxxxxxxx>

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key
(10/buster) <ftpmaster@xxxxxxxxxx>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key
(10/buster) <ftpmaster@xxxxxxxxxx>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster)
<debian-release@xxxxxxxxxxxxxxxx>

It actually had slightly different values for the jessie and stretch
keys (dates), which I deleted, and then found I could not use apt update
as it gave errors such as -

The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY
04EE7237B7D453EC

The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY
AA8E81B4331F7F50

Then I searched and saw a forum post sharing that the
debian-archive-keyring is maybe not up-to-date.

I downloaded the latest from sid/unstable and using dpkg -i did the
installation, although the latest would have migrated to buster
tomorrow itself according to tracker.debian.org/debian-archive-keyring.

$ wget http://ftp.de.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2019.1_all.deb

$ sudo dpkg -i debian-archive-keyring<TAB> for auto-completion

So now it showed -

$ apt-cache policy debian-archive-keyring
debian-archive-keyring:
  Installed: 2019.1
  Candidate: 2019.1
  Version table:
 *** 2019.1 500
        500 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     2018.1 990
        990 http://cdn-fastly.deb.debian.org/debian buster/main amd64 Packages

I did that and tried again but still got the same errors as above.

Then I did -

root@debian:~# gpg --recv-keys 04EE7237B7D453EC
gpg: key E0B11894F66AEC98: 12 signatures not checked due to missing keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic
Signing Key (9/stretch) <ftpmaster@xxxxxxxxxx>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

root@debian:~# gpg --export 04EE7237B7D453EC | apt-key add -
OK

I still got errors, though fewer, hence did the same procedure as above -

$ su -
Password:
root@debian:~# gpg --recv-keys 9D6D8F6BC857C906
gpg: key 9D6D8F6BC857C906: 13 signatures not checked due to missing keys
gpg: key 9D6D8F6BC857C906: public key "Debian Security Archive
Automatic Signing Key (8/jessie) <ftpmaster@xxxxxxxxxx>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
root@debian:~# gpg --export 9D6D8F6BC857C906 | apt-key add -
OK

Now when I look at apt-key list I see these two -

pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key
(9/stretch) <ftpmaster@xxxxxxxxxx>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key
(8/jessie) <ftpmaster@xxxxxxxxxx>

I found it odd that the jessie and the stretch keys are and were being
used and couldn't understand why.

I also looked at the list of files in the package -

$ dpkg -L debian-archive-keyring
/.
/etc
/etc/apt
/etc/apt/trusted.gpg.d
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
/usr
/usr/share
/usr/share/doc
/usr/share/doc/debian-archive-keyring
/usr/share/doc/debian-archive-keyring/README
/usr/share/doc/debian-archive-keyring/changelog.gz
/usr/share/doc/debian-archive-keyring/copyright
/usr/share/keyrings
/usr/share/keyrings/debian-archive-buster-automatic.gpg
/usr/share/keyrings/debian-archive-buster-security-automatic.gpg
/usr/share/keyrings/debian-archive-buster-stable.gpg
/usr/share/keyrings/debian-archive-jessie-automatic.gpg
/usr/share/keyrings/debian-archive-jessie-security-automatic.gpg
/usr/share/keyrings/debian-archive-jessie-stable.gpg
/usr/share/keyrings/debian-archive-keyring.gpg
/usr/share/keyrings/debian-archive-removed-keys.gpg
/usr/share/keyrings/debian-archive-stretch-automatic.gpg
/usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
/usr/share/keyrings/debian-archive-stretch-stable.gpg

I find it strange that stretch and jessie keys are being used. Perhaps
for migration purposes from jessie or stretch to buster ?

I also saw the documentation

~$ cat /usr/share/doc/debian-archive-keyring/README

but it didn't tell me much that I didn't already know.

If I'm reading right, some 2.5 years from now jessie will be dropped
and only stretch will remain if I'm on buster; otherwise, if I'm on
bullseye, the new release then (i.e. bullseye) would have keys for
bullseye, buster and stretch.

Is that the way things work or am I missing, misunderstanding something ?

-- 
          Regards,
          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com

E493 D466 6D67 59F5 1FD0 930F 870E 9A5B 5869 609C
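An added example (not from the mail or from the debian-archive-keyring package) that does the bookkeeping the mail goes through by hand: it parses the apt-key list output quoted above, maps the NO_PUBKEY ids from the apt error to primary keys by the last 16 hex digits of the fingerprint, and flags keys that are expired or close to expiry. It assumes the listing format shown in the mail; the e-mail addresses in the sample are placeholders.

```python
"""Map apt NO_PUBKEY ids to primary keys from `apt-key list` and flag expiring keys.

Added example, not part of the original mail. The sample input below is
constructed from the listing and error text quoted in the mail; e-mail
addresses are placeholders.
"""
import re
from datetime import date, timedelta

APT_KEY_LIST = """\
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@example.invalid>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@example.invalid>
"""

APT_ERROR = ("The following signatures couldn't be verified because the public key "
             "is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 9D6D8F6BC857C906")

def parse_apt_key_list(text):
    """Return [(fingerprint, uid, expiry_date_or_None)] for each primary key."""
    keys, fpr, expires = [], None, None
    for line in text.splitlines():
        if line.startswith("pub "):
            m = re.search(r"expires: (\d{4}-\d{2}-\d{2})", line)
            expires = date.fromisoformat(m.group(1)) if m else None
        elif re.fullmatch(r"\s+([0-9A-F]{4}\s*){10}", line):   # 40-hex fingerprint line
            fpr = line.replace(" ", "")
        elif line.startswith("uid") and fpr:
            keys.append((fpr, line.split("]", 1)[1].strip(), expires))
            fpr = None
    return keys

def resolve_nopubkey(error_text, keys):
    """Map each NO_PUBKEY id to the uid of the primary key whose long key id
    (last 16 hex of the fingerprint) matches. Ids that match nothing are
    typically signing subkeys, whose ids `apt-key list` does not print."""
    by_id = {fpr[-16:]: uid for fpr, uid, _ in keys}
    return {kid: by_id.get(kid) for kid in re.findall(r"NO_PUBKEY ([0-9A-F]{16})", error_text)}

def expiring_keys(keys, today, within_days=180):
    """Return uids of keys expired or expiring within `within_days` of `today` (ISO string)."""
    limit = date.fromisoformat(today) + timedelta(days=within_days)
    return [uid for _, uid, exp in keys if exp is not None and exp <= limit]
```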