How to get new Debian gpg keys?

Edward C. Jones

Jan 3, 2006, 11:20:09 PM
I am getting the following message from synaptic:

W: GPG error: http://ftp.us.debian.org unstable Release: The following
signatures couldn't be verified because the public key is not available:
NO_PUBKEY 010908312D230C5F

From what I have read, this is going to happen every January. What do I
do? Where in the Debian documentation is the procedure I need to use
documented?



Chinook

Jan 3, 2006, 11:40:14 PM
Edward C. Jones wrote:
> I am getting the following message from synaptic:
>
> W: GPG error: http://ftp.us.debian.org unstable Release: The following
> signatures couldn't be verified because the public key is not available:
> NO_PUBKEY 010908312D230C5F
>
> From what I have read, this is going to happen every January. What do I
> do? Where in the Debian documentation is the procedure I need to use
> documented?
>
>

First, I can't help, but I can add to the scope.

I'm running Etch and all of a sudden while trying to solve a sound
issue, I get the same message. I also get the message, here and
elsewhere, to run gst-register. Well, doing so was not very
straightforward (seems to be /usr/bin/gst-register-0.8), but I did
manage to and it "apparently" installed a bunch of plug-ins to various
(mainly) gnome packages. Unfortunately, what it did not do was clear up
the "Not Authenticated" issue.

You helped me though, in indicating this was a recurring problem (hadn't
found that yet).

As confused as ever. This Linux is making my Mac look overly easy (I
know - not an appropriate comparison), but it's still a far better
solution for the PC on my LAN than Windoze was :-) To be honest, I was
probably just as lost when I first got under the hood of my Mac.

Lee C

Joey Hess

Jan 4, 2006, 12:30:12 AM
Edward C. Jones wrote:
> I am getting the following message from synaptic:
>
> W: GPG error: http://ftp.us.debian.org unstable Release: The following
> signatures couldn't be verified because the public key is not available:
> NO_PUBKEY 010908312D230C5F
>
> From what I have read, this is going to happen every January. What do I
> do? Where in the Debian documentation is the procedure I need to use
> documented?

wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | sudo apt-key add -

Secure apt is too young for us to have a well-defined procedure for
dealing with this. Apparently they tried to do a two-step transition
that would have allowed apt to download a new version of itself that
knew about the new key before the old key expires, but the way it's been
done so far has not worked due to a bug in apt.

--
see shy jo

Tom

Jan 4, 2006, 4:00:20 AM
Joey Hess:

> > From what I have read, this is going to happen every January. What do
> > I do? Where in the Debian documentation is the procedure I need to use
> > documented?
>
> wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | sudo apt-key add -

That works fine here, and the new key is listed in apt-key list output,
but still, I get the GPG error when updating.

I use ftp.de.debian.org as a mirror. I'd expect one key "to rule them
all", but I could be very wrong, as usual. Is one key supposed to be
valid for all archive mirrors? If so, is the cause of the error not with
me, but with the mirror?

Just for clarity, here's what I get:

GPG error: http://ftp.de.debian.org unstable Release: The following
signatures couldn't be verified because the public key is not available:
NO_PUBKEY F1D53D8C4F368D5D

Cheers,
Tom

--
"The man stoops to look through the gate into the interior."
--- (Franz Kafka, Vor dem Gesetz)
np: Venetian Snares - Szamár Madár

Joey Hess

Jan 4, 2006, 1:50:14 PM
Tom wrote:
> That works fine here, and the new key is listed in apt-key list output,
> but still, I get the GPG error when updating.
>
> I use ftp.de.debian.org as a mirror. I'd expect one key "to rule them
> all", but I could be very wrong, as usual. Is one key supposed to be
> valid for all archive mirrors? If so, is the cause of the error not with
> me, but with the mirror?

The Debian archive is signed once. Mirrors all mirror the same bits.

> Just for clarity, here's what I get:
>
> GPG error: http://ftp.de.debian.org unstable Release: The following
> signatures couldn't be verified because the public key is not available:
> NO_PUBKEY F1D53D8C4F368D5D

Key 4F368D5D is:

pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
uid Debian Archive Automatic Signing Key (2005) <ftpm...@debian.org>

Apt's bug means that you currently must have both the 2005 and the 2006
key in your apt keyring for it to function.

I can't say why you don't have it in your apt keyring. It's shipped in
apt or at http://ftp-master.debian.org/ziyi_key_2005.asc

--
see shy jo

Tom

Jan 4, 2006, 3:00:23 PM
[04/01/2006 -- 19:43u] Joey Hess:

> > That works fine here, and the new key is listed in apt-key list output,
> > but still, I get the GPG error when updating.

<...>

> > NO_PUBKEY F1D53D8C4F368D5D
>
> Key 4F368D5D is:
>
> pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
> uid Debian Archive Automatic Signing Key (2005) <ftpm...@debian.org>
>
> Apt's bug means that you currently must have both the 2005 and the 2006
> key in your apt keyring for it to function.
>
> I can't say why you don't have it in your apt keyring. It's shipped in
> apt or at http://ftp-master.debian.org/ziyi_key_2005.asc

Well, it must be because I was too quick to remove it. *blush* Thanks
for two very helpful tips in one day.

Cheers,
Tom

--
"The man stoops to look through the gate into the interior."
--- (Franz Kafka, Vor dem Gesetz)

np: Coil - Amber Rain

Edward C. Jones

Jan 4, 2006, 4:00:21 PM
I was getting the following message:

W: GPG error: http://ftp.us.debian.org unstable Release: The following
signatures couldn't be verified because the public key is not available:
NO_PUBKEY 010908312D230C5F

Here is what worked for me:

1. Use "su" to become root.

2. Run "apt-key list".

3. If key 4F368D5D is not present, run (as a single line) "wget
http://ftp-master.debian.org/ziyi_key_2005.asc -O - | sudo apt-key add -"

4. Run (as a single line) "wget

5. Check by running "apt-key list" again.

6. Should I run "apt-key del 4F368D5D"?

If any of this is wrong, please correct it. Also add any search keywords
(such as "gnupg") that might be useful.

Thanks you-all,
Ed Jones
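
Added example, not part of any post in this thread: a shell sketch of the check in steps 2 and 3 above and of Joey Hess's mapping from the long ID in NO_PUBKEY to the short ID in "apt-key list". The function names and both sample texts are constructed for illustration; the key IDs and the "pub" line are the ones quoted in the thread.

```shell
#!/bin/sh
# Which NO_PUBKEY IDs reported by apt have no matching short ID in the keyring listing?

# Print each distinct 16-hex-digit key ID that apt reported as NO_PUBKEY.
no_pubkey_ids() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{print toupper($2)}' | sort -u
}

# Print the short IDs (8 hex digits) from "pub 1024D/XXXXXXXX ..." lines.
keyring_short_ids() {
    sed -nE 's#^pub +[0-9]+[A-Za-z]/([0-9A-Fa-f]{8}) .*#\1#p' | tr 'a-f' 'A-F'
}

# missing_keys APT_TEXT KEYRING_TEXT
# Print the long IDs from APT_TEXT whose last 8 hex digits are not listed.
missing_keys() {
    have=$(printf '%s\n' "$2" | keyring_short_ids)
    printf '%s\n' "$1" | no_pubkey_ids | while read -r long; do
        short=${long#????????}    # short ID = last 8 of the 16 hex digits
        printf '%s\n' "$have" | grep -qx "$short" || echo "$long"
    done
}

# Constructed apt warning naming both key IDs that appear in the thread.
sample_apt_output() {
cat <<'EOF'
W: GPG error: http://ftp.us.debian.org unstable Release: The following
signatures couldn't be verified because the public key is not available:
NO_PUBKEY 010908312D230C5F NO_PUBKEY F1D53D8C4F368D5D
EOF
}

# Constructed "apt-key list" output: a keyring holding only the 2005 key.
sample_keyring() {
cat <<'EOF'
pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
uid Debian Archive Automatic Signing Key (2005)
EOF
}

# Prints 010908312D230C5F: the one key this keyring still lacks.
missing_keys "$(sample_apt_output)" "$(sample_keyring)"
```

A short-ID match only shows that a candidate key is present; short IDs are not unique, so compare the full fingerprint against one obtained independently before relying on the key.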

Tom

Jan 4, 2006, 4:40:12 PM
[04/01/2006 -- 21:34u] Edward C. Jones:

> 6. Should I run "apt-key del 4F368D5D"?

I'd say no. That was what caused the problem to not go away. :)

Cheers,
Tom

--
"The man stoops to look through the gate into the interior."
--- (Franz Kafka, Vor dem Gesetz)

np: Subliminal - Gracebudd

Nate Bargmann

Jan 4, 2006, 5:50:13 PM
* Joey Hess <jo...@debian.org> [2006 Jan 03 23:29 -0600]:

> Edward C. Jones wrote:
> > I am getting the following message from synaptic:
> >
> > W: GPG error: http://ftp.us.debian.org unstable Release: The following
> > signatures couldn't be verified because the public key is not available:
> > NO_PUBKEY 010908312D230C5F
> >
> > From what I have read, this is going to happen every January. What do I
> > do? Where in the Debian documentation is the procedure I need to use
> > documented?
>
> wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | sudo apt-key add -

Okay, I ran that and here is my output:

# wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
--16:34:23-- http://ftp-master.debian.org/ziyi_key_2006.asc
=> `-'
Resolving ftp-master.debian.org... 140.211.166.43
Connecting to ftp-master.debian.org|140.211.166.43|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,017 (2.0K) [text/plain]

100%[==================================================================>] 2,017 --.--K/s

16:34:24 (66.33 MB/s) - `-' saved [2017/2017]

gpg: no ultimately trusted keys found
OK


Aptitude doesn't complain any more so I guess the last line output by
gpg can safely be ignored. Shrug.

- Nate >>

--
Wireless | Amateur Radio Station N0NB | Successfully Microsoft
Amateur radio exams; ham radio; Linux info @ | free since January 1998.
http://www.qsl.net/n0nb/ | "Debian, the choice of
My Kawasaki KZ-650 SR @ | a GNU generation!"
http://www.networksplus.net/n0nb/ | http://www.debian.org

Björn Lindström

Jan 4, 2006, 6:00:20 PM
"Edward C. Jones" <edcj...@comcast.net> writes:

> 1. Use "su" to become root.
>
> 2. Run "apt-key list".

If you can use sudo later on, why not for this step too?

> 3. If key 4F368D5D is not present, run (as a single line) "wget
> http://ftp-master.debian.org/ziyi_key_2005.asc -O - | sudo apt-key add -"

Karsten M. Self

Jan 4, 2006, 10:30:14 PM
on Wed, Jan 04, 2006 at 12:25:15AM -0500, Joey Hess (jo...@debian.org) wrote:
> Edward C. Jones wrote:
> > I am getting the following message from synaptic:
> >
> > W: GPG error: http://ftp.us.debian.org unstable Release: The following
> > signatures couldn't be verified because the public key is not available:
> > NO_PUBKEY 010908312D230C5F
> >
> > From what I have read, this is going to happen every January. What do I
> > do? Where in the Debian documentation is the procedure I need to use
> > documented?
>
> wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | sudo apt-key add -

In my case the following (pasting together a couple of shell
histories...) seemed to do the trick:

apt-get install debian-keyring
gpg --import /usr/share/keyrings/debian-keyring.gpg
gpg --armor --export 010908312D230C5F 07DC563D1F41B907 07DC563D1F41B907 |
apt-key add -

... modulo values of keys (those were the ones aptitude was bitching
about).

Any harm in exporting root's GPG keys into apt-key? I currently only
have four (Debian's autosign keys + a third-party archive) present.



> Secure apt is too young for us to have a well-defined procedure for
> dealing with this. Apparently they tried to do a two-step transition
> that would have allowed apt to download a new version of itself that
> knew about the new key before the old key expires, but the way it's been
> done so far has not worked due to a bug in apt.

Glad to see it's finally happening, nonetheless, and appreciate your
hints as always.


Peace.

--
Karsten M. Self <kms...@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
America Trans Air (ATA) customer service sucks:
http://kmself.home.netcom.com/Rants/ata-sucks.html

Iñaki Silanes

Jan 5, 2006, 9:40:13 AM
Nate Bargmann wrote:

I had the same happen. I copied the command line literally, sudo and all,
but I was root. I repeated the command w/o "sudo" and it all went fine.
Now, I don't know if removing the "sudo" fixed it, or repeating the command
did. Seeing that you haven't used sudo, it's probably a matter of the key
not being trusted in the first download. If you execute the command again,
since the key is already tagged "trusted", it downloads and "adds" it w/o
warning.

Iñaki

--
I h8 foreignas cuz they're grammer sux.

Iñaki Silanes
Chemistry Faculty UPV-EHU Donostia
http://www.sc.ehu.es/powgep99/dcytp/teoricos/staff/inaki/inaki.htm

On Intelligent Design: http://www.venganza.org/
About MS Windows: http://www.vanwensveen.nl/rants/microsoft/IhateMS.html
Europe against DMCA-like laws: http://makeashorterlink.com/?Y28633E4C
