The missing key creates problems for example with simple-cdd: https://bugs.debian.org/992966
Okay, I'll be happy to do the update. Though I wonder if it'd rather
be helpful in just doing a rebuild of buster to stretch instead of backporting the changes each time?
On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
The missing key creates problems for example with simple-cdd: https://bugs.debian.org/992966
Okay, I'll be happy to do the update. Though I wonder if it'd rather
be helpful in just doing a rebuild of buster to stretch instead of backporting the changes each time?
Slight ping on this. I'm inclined towards rebuilding the same package
for stretch. Does anybody have an opinion or opposition on this? :)
I intend to do this in the next couple of days, so let me know what
you think.
it would be nice if we could get an update of debian-archive-keyring
in stretch to add the bullseye key just like it has been done in buster a while ago:
With these 3 commits, I tried to build the package and it failed
with the following error:
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
    --keyring keyrings/team-members.gpg \
    --verify active-keys/index.gpg active-keys/index
gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
gpg: using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
gpg: ./trustdb.gpg: trustdb created
gpg: BAD signature from "Jonathan Wiltshire <jmw@debian.org>" [expired]
Makefile:9: recipe for target 'verify-indices' failed
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
that is, updating your key. But it still failed with the same
error. I am not sure what's up? Do you have an idea what's
happening? TIA!
Hi Jonathan,
On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog <hertzog@debian.org> wrote:
it would be nice if we could get an update of debian-archive-keyring
in stretch to add the bullseye key just like it has been done in buster a while ago:
https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/
Whilst prepping an update for stretch, I cherry-picked the following
commits from the salsa repository w cross-checking the update
as proposed via #985371:
464dc87f2dc7d5ef84150a1fe5b326ba9bb5174e -> Add automatic signing keys for bullseye.
379aebbdf44d2fa9bde4eb5904c9e860cd13eb28 -> Add Debian Stable Release Key (11/bullseye).
74d1b0366c01b1b4653b5eba24f751655c25bb96 -> Refresh signatures over keyrings/debian-archive-keyring.gpg (and not keyrings/debian-archive-removed-keys.gpg since I'm not removing any keys in this update).
With these 3 commits, I tried to build the package and it failed
with the following error:
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
    --keyring keyrings/team-members.gpg \
    --verify active-keys/index.gpg active-keys/index
gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
gpg: using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
gpg: ./trustdb.gpg: trustdb created
gpg: BAD signature from "Jonathan Wiltshire <jmw@debian.org>" [expired]
Makefile:9: recipe for target 'verify-indices' failed
8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
that is, updating your key. But it still failed with the same
error. I am not sure what's up? Do you have an idea what's
happening? TIA!
You will need (but may not want) the commit removing jessie's keys as well.
Basically all intermediate commits which touch keyrings - a removal is
really a move from the main keyring to the archive keyring, so it will
change the makeup of the keyring and fail the validation.
If you actually need the jessie keys kept, as I suspect you do, I can
prepare a stretch branch with new signatures on it in a few days.
I intend to simplify the whole thing significantly in bookworm; this whole jetring and gpg validation thing makes for a lot of maintenance pain.
Hi Jonathan,
On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire <jmw@debian.org> wrote:
You will need (but may not want) the commit removing jessie's keys as well.
Basically all intermediate commits which touch keyrings - a removal is really a move from the main keyring to the archive keyring, so it will change the makeup of the keyring and fail the validation.
If you actually need the jessie keys kept, as I suspect you do, I can prepare a stretch branch with new signatures on it in a few days.
That'd be really helpful, yes. Though I am still unsure what am I missing. When you prep a branch for stretch, please let me know and as I said, that'd be really helpful. Thank you so much!
Friendly ping on this. Any status update on this, please? :)
Do you think you can take a look at this sooner? Let me/us know.
I intend to simplify the whole thing significantly in bookworm; this whole
jetring and gpg validation thing makes for a lot of maintenance pain.
Perfect, that'll indeed help a lot. :)
- u
On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire <jmw@debian.org> wrote:
You will need (but may not want) the commit removing jessie's keys as well. Basically all intermediate commits which touch keyrings - a removal is really a move from the main keyring to the archive keyring, so it will change the makeup of the keyring and fail the validation.
If you actually need the jessie keys kept, as I suspect you do, I can prepare a stretch branch with new signatures on it in a few days.
That'd be really helpful, yes. Though I am still unsure what am I missing. When you prep a branch for stretch, please let me know and as I said,
that'd be really helpful. Thank you so much!
I intend to simplify the whole thing significantly in bookworm; this whole jetring and gpg validation thing makes for a lot of maintenance pain.
Perfect, that'll indeed help a lot. :)