• Impossible to verify GPG signature on Debian Release file

    From john doe@21:1/5 to All on Tue Nov 23 16:50:02 2021
    Hi,

    I'm trying to verify Debian's Release file but to no avail:

    $ gpg --keyserver keyring.debian.org --keyserver-options auto-key-retrieve --verify Release.gpg Release
    gpg: Signature made 10/9/2021 11:35:49 AM Romance Daylight Time
    gpg: using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
    gpg: requesting key 0x648ACFD622F3D138 from hkp://keyring.debian.org
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0
    gpg: Can't check signature: No public key
    gpg: Signature made 10/9/2021 11:35:49 AM Romance Daylight Time
    gpg: using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
    gpg: requesting key 0x0E98404D386FA1D9 from hkp://keyring.debian.org
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0
    gpg: Can't check signature: No public key
    gpg: Signature made 10/9/2021 11:49:02 AM Romance Daylight Time
    gpg: using RSA key A4285295FC7B1A81600062A9605C66F00D6C9793
    gpg: issuer "debian-release@lists.debian.org"
    gpg: requesting key 0x605C66F00D6C9793 from hkp://keyring.debian.org
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0
    gpg: Can't check signature: No public key
    $ gpg --locate-keys debian-release@lists.debian.org
    gpg: error retrieving 'debian-release@lists.debian.org' via WKD: Certificate expired
    gpg: error reading key: Certificate expired


    The Release file and signature file are downloaded from (1) and (2).

    It looks like some keys are missing from the Debian keyring.


    1) http://ftp.debian.org/debian/dists/stable/Release
    2) http://ftp.debian.org/debian/dists/stable/Release.gpg

    --
    John Doe

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonathan Wiltshire@21:1/5 to john doe on Wed Nov 24 19:10:01 2021
    On Tue, Nov 23, 2021 at 04:24:21PM +0100, john doe wrote:
    $ gpg --keyserver keyring.debian.org --keyserver-options auto-key-retrieve --verify Release.gpg Release

    The keyserver you're using holds developers' keys, not others like the role keys. From a Debian system and for the bullseye release file:

    $ gpg --no-default-keyring --no-auto-check-trustdb --keyring /usr/share/keyrings/debian-archive-bullseye-stable.gpg --verify Release.gpg Release
    [.. gpg noise ..]
    gpg: Signature made Sat 09 Oct 2021 10:49:02 BST
    gpg: using RSA key A4285295FC7B1A81600062A9605C66F00D6C9793
    gpg: issuer "debian-release@lists.debian.org"
    gpg: Good signature from "Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793

    Substitute other keyrings for different suites.

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
    ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

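
Added example, not part of either post and not Debian's own tooling: Release.gpg carries several signatures, so a single-suite keyring yields "No public key" for the co-signers, and a script should decide on gpg's machine-readable status lines and a pinned fingerprint rather than on the human-readable text. The function names are hypothetical, and the sample status lines are constructed from the key IDs quoted in the thread (timestamps and algorithm fields are made up).

```shell
#!/bin/sh
# Fingerprint and keyring path as they appear in the thread.
PINNED_FPR=A4285295FC7B1A81600062A9605C66F00D6C9793
KEYRING=/usr/share/keyrings/debian-archive-bullseye-stable.gpg

# Read gpg --status-fd lines on stdin. Succeed only if a VALIDSIG line names
# the pinned fingerprint, as signing key (field 3) or primary key (last field).
# Strict policy chosen for this example: any BADSIG, EXPKEYSIG or REVKEYSIG
# line fails the check. NO_PUBKEY lines are reported but are not fatal.
check_status() {
    awk -v want="$1" '
        function same(a, b) { return (a "") == (b "") }  # force string compare
        $1 != "[GNUPG:]"                                { next }
        $2 == "VALIDSIG" && (same($3, want) || same($NF, want)) { ok = 1 }
        $2 == "NO_PUBKEY"                               { print "no key for co-signer " $3 }
        $2 ~ /^(BADSIG|EXPKEYSIG|REVKEYSIG)$/           { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# The thread's gpg command plus --status-fd 1. The pipeline's result is that
# of check_status; gpg's own exit code is not consulted.
verify_release() {
    gpg --no-default-keyring --no-auto-check-trustdb --keyring "$KEYRING" \
        --status-fd 1 --verify Release.gpg Release 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output for the three signatures seen in the thread when
# only the bullseye stable release key is in the keyring.
sample_status() {
    cat <<'EOF'
[GNUPG:] ERRSIG 648ACFD622F3D138 1 10 00 1633772149 9 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
[GNUPG:] NO_PUBKEY 648ACFD622F3D138
[GNUPG:] ERRSIG 0E98404D386FA1D9 1 10 00 1633772149 9 A7236886F3CCCAAD148A27F80E98404D386FA1D9
[GNUPG:] NO_PUBKEY 0E98404D386FA1D9
[GNUPG:] GOODSIG 605C66F00D6C9793 Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
[GNUPG:] VALIDSIG A4285295FC7B1A81600062A9605C66F00D6C9793 2021-10-09 1633776542 0 4 0 1 10 00 A4285295FC7B1A81600062A9605C66F00D6C9793
EOF
}

sample_status | check_status "$PINNED_FPR" && echo "pinned key signed Release"
```

On a Debian system, `verify_release` runs the same check against the real files in the current directory.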