GnuPG and the debian-archive-keyring

stebe at mailbox.org stebe at mailbox.org
Sun Jan 31 16:07:56 CET 2016


Hi,

recently, I refreshed some keys of my GnuPG public keyring, did a check
and learned that 

1) the RSA key 46925553 Debian Archive Automatic Signing Key (7.0/wheezy)
<ftpmaster at debian.org> has been revoked [output translated into English in
square brackets]. 

gpg2 --edit-key 0x46925553

pub  4096R/46925553  erzeugt[created]: 2012-04-27  verfällt[expires]:
2020-04-25  Aufruf[call/invocation]: SC  
                     Vertrauen[trust]: unbekannt[unknown]
    Gültigkeit[validity]:unbekannt[unknown]
Der folgende Schlüssel wurde am 2014-03-17 von RSA Schlüssel 46925553
Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>
widerrufen [The following key has been revoked by RSA key 46925553 Debian
Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org> on
2014-03-17]
sub  4096R/ADD6B7E2  erzeugt: 2012-04-27  widerrufen: 2014-03-17  Aufruf:
E   
[  unbek.] (1). Debian Archive Automatic Signing Key (7.0/wheezy)
<ftpmaster at debian.org>

gpg> fpr
pub   4096R/46925553 2012-04-27 Debian Archive Automatic Signing Key
(7.0/wheezy) <ftpmaster at debian.org>
 Haupt-Fingerabdruck [Key Fingerprint] = A1BD 8E9D 78F7 FE5C 3E65  D8AF
8B48 AD62 4692 5553

2) Moreover, I learned that the RSA key 2B90D010 Debian Archive Automatic
Signing Key (8/jessie) <ftpmaster at debian.org> may (may?) have been revoked
by, well, I am not sure by which key, as gpg's output is as follows:

gpg2 --edit-key 0x2B90D010

Dieser Schlüssel könnte durch RSA mit Schlüssel CA1CF964 [?]  widerrufen
worden sein
[This key may have been revoked by RSA key CA1CF964 [?]]
Dieser Schlüssel könnte durch RSA mit Schlüssel B12525C4 [?]  widerrufen
worden sein
Dieser Schlüssel könnte durch RSA mit Schlüssel 15B0FD82 [?]  widerrufen
worden sein
pub  4096R/2B90D010  erzeugt: 2014-11-21  verfällt: 2022-11-19  Aufruf: SC
 
                     Vertrauen: unbekannt     Gültigkeit: unbekannt
[  unbek.] (1). Debian Archive Automatic Signing Key (8/jessie)
<ftpmaster at debian.org>

gpg> fpr
pub   4096R/2B90D010 2014-11-21 Debian Archive Automatic Signing Key
(8/jessie) <ftpmaster at debian.org>
 Haupt-Fingerabdruck [Key Fingerprint] = 126C 0D24 BD8A 2942 CC7D  F8AC
7638 D044 2B90 D010

As to 1) the expiration date seems to be quite a while ago, but what
struck me is the fact that there seems to be no way of getting the new
key. I guess, there has to be a new one, as wheezy still is among the
living. 

3) So I checked apt-key (list) and the keyrings listed in there, namely
/usr/share/keyrings/debian-archive-removed-keys.gpg Nothing. Hmm, I
thought it was supposed to be listed there automatically as a consequence
of some archive keyring update performed in the past.

4) I read the apt-key manpage. Unfortunately, the "net-update" option that
might have resolved the issue is not available in Debian but only in
Ubuntu. I did an "update" but none of the keys has changed.
gpg: Schlüssel 46925553: "Debian Archive Automatic Signing Key
(7.0/wheezy) <ftpmaster at debian.org>" nicht geändert [unchanged]
gpg: Schlüssel 2B90D010: "Debian Archive Automatic Signing Key (8/jessie)
<ftpmaster at debian.org>" nicht geändert
...some more keys...

5) I checked if apt indicated the availbility of a new
debian-archive-keyring version, but no, 2014.3~deb7u1 not marked as
updatable.
I have to remove the revoked key from apt-key, fine, but what else can I
do for getting the new one? And will the removal affect my oldstable
system in terms of security/secure updates? Have I disregarded something
important?

As to 2)

What kind of ambiguous output is "may" and "?" I hold gpg to be a program
that would not be vague, and maybe it isn't, and it's just me who does not
understand. But what on earth might be the reason for giving an output
like that? What does it mean? How can I check further if it actually has
been revoked?


Thanks in advance for any helpful input. And forgive me if I can't see the
wood for the trees!

Stebe



More information about the Gnupg-users mailing list