Re: "missing pubkey" for buster-security

Harald Dunkel writes:
> I am running a local mirror of the security.debian.org
> repository for in-house use. It seems to be available for
> Buster as well, except that there is an error message
> ERROR: Condition '7638D0442B90D010' not fulfilled for
> '/var/www/official/lists/buster-security_buster%2Fupdates_InRelease'.
> Signatures in '/var/www/official/lists/buster-security_buster%2Fupdates_InRelease':
> '9D6D8F6BC857C906' (signed 2019-05-03): missing pubkey
> 'AA8E81B4331F7F50' (signed 2019-05-03): missing pubkey
> Error: Not enough signatures found for remote repository
> buster-security (http://security.debian.org buster/updates)!
> There have been errors!

These keys are already in the debian-archive-keyring package (in

| $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --list-keys 7638D0442B90D010 9D6D8F6BC857C906 AA8E81B4331F7F50
| pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
|       126C0D24BD8A2942CC7DF8AC7638D0442B90D010
| uid           [  full  ] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@xxxxxxxxxx>
| pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
|       D21169141CECD440F2EB8DDA9D6D8F6BC857C906
| uid           [  full  ] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@xxxxxxxxxx>
| pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
|       6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9
| uid           [  full  ] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@xxxxxxxxxx>
| sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
|       379483D8B60160B155B372DDAA8E81B4331F7F50

Your condition requires the security archive to be signed with the
main archive key; that is wrong.

The 9/stretch keys are fairly new and were announced in [1].

  [1] https://lists.debian.org/debian-devel-announce/2019/04/msg00008.html

> These keys are unknown on keyserver as well:
> # apt-key adv --keyserver keyring.debian.org --recv-keys 9D6D8F6BC857C906

keyring.d.o only has developer keys, not any of the other keys Debian
might be using.  I recommend getting them either from the
debian-archive-keyring package or the locations referred to in the
announcement; they should also be available on other keyservers.

I would also recommend using the full fingerprint instead of shorter keyids.
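
Added example, not part of the original message: a Python sketch that takes the key IDs reported as "missing pubkey" in the quoted error and resolves each one to the full fingerprint of its owning primary key, which also shows that AA8E81B4331F7F50 is a signing subkey of the 9/stretch security key. The colon-format keyring listing is a constructed, abbreviated sample built from the fingerprints shown in the message, and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated `gpg --with-colons --list-keys` output for the keys in the message.
COLONS = """\
pub:-:4096:1:7638D0442B90D010:::::::
fpr:::::::::126C0D24BD8A2942CC7DF8AC7638D0442B90D010:
uid:-::::::::Debian Archive Automatic Signing Key (8/jessie):
pub:-:4096:1:9D6D8F6BC857C906:::::::
fpr:::::::::D21169141CECD440F2EB8DDA9D6D8F6BC857C906:
uid:-::::::::Debian Security Archive Automatic Signing Key (8/jessie):
pub:-:4096:1:EDA0D2388AE22BA9:::::::
fpr:::::::::6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9:
uid:-::::::::Debian Security Archive Automatic Signing Key (9/stretch):
sub:-:4096:1:AA8E81B4331F7F50:::::::
fpr:::::::::379483D8B60160B155B372DDAA8E81B4331F7F50:
"""

# Signature lines from the error output quoted in the message.
LOG = """\
'9D6D8F6BC857C906' (signed 2019-05-03): missing pubkey
'AA8E81B4331F7F50' (signed 2019-05-03): missing pubkey
"""

def index_keyring(colons):
    """Map every long key ID (primary or subkey) to its owning primary key."""
    index, primary, kind = {}, None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            kind, primary = "pub", {"fingerprint": None, "uid": None}
        elif f[0] == "sub":
            kind = "sub"
        elif f[0] == "fpr" and primary is not None:
            if kind == "pub":
                primary["fingerprint"] = f[9]
            # For v4 keys the long key ID is the last 16 hex digits of the fingerprint.
            index[f[9][-16:]] = {"primary": primary, "subkey": kind == "sub"}
        elif f[0] == "uid" and primary is not None and primary["uid"] is None:
            primary["uid"] = f[9]
    return index

def resolve_missing(log, colons):
    """Return {key ID: (primary fingerprint, uid, is_subkey) or None} for 'missing pubkey' lines."""
    index = index_keyring(colons)
    found = {}
    for keyid in re.findall(r"'([0-9A-F]{16})' \(signed [^)]*\): missing pubkey", log):
        hit = index.get(keyid)
        found[keyid] = (hit["primary"]["fingerprint"], hit["primary"]["uid"], hit["subkey"]) if hit else None
    return found
```

A key ID that resolves to `None` is not in the keyring at all; one flagged as a subkey has to be trusted through its primary key's full fingerprint.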