[lug] apt-get: There is no public key available for the following key IDs

Jed S. Baer blug at jbaer.cotse.net
Wed Nov 16 19:26:26 MST 2016


On Wed, 16 Nov 2016 19:09:17 -0700
Tyler Cipriani wrote:

> >So, he self-signed his new key, and also signed it with his old key.
> >The old key has 2 signatures besides his self-sign, not himself. I
> >don't know how much this helps me, as I could go on for a long time
> >looking up keys and sigs. :)
> 
> Hrm. My assumption (may be a bad one) is that you would have the old key
> in your apt keychain -- installed via apt-add key at some point. And
> since you've installed software with the old key (and thereby trust it)
> you could verify the new key with the old key out of the apt keychain.

And yes, and that's what I did, but ...

Technically, I think I shouldn't "trust" a revoked key.

Hmmm, how, if at all, does key revocation work in the world of Debian
package management? It appears that apt doesn't check for revocation.

When it comes to trust and public keys, it seems as if it's turtles all
the way down. :) (Meaning, I have not personally verified any of the
public keys on any keyring on my system.)
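
Added example, not part of the original message: one way to see whether a keyring that apt trusts holds keys gpg marks as revoked or expired, by reading the validity field of `gpg --with-colons` output. The sample listing, key IDs and names are constructed; gpg reports `r` only when the revocation certificate is present in that keyring file.

```shell
#!/bin/sh
# Colon-listing fields used: 1 = record type, 2 = validity
# (r = revoked, e = expired), 5 = key ID, 10 = user ID.

flag_bad_keys() {
    # Reads a colon listing on stdin; prints "<status> <keyid> <uid>"
    # for every revoked or expired primary key.
    awk -F: '
        function emit() { if (s != "") print s, id, uid; s = "" }
        $1 == "pub" {
            emit()
            s = ($2 == "r") ? "revoked" : (($2 == "e") ? "expired" : "")
            id = $5; uid = $10          # gpg 1.x puts the user ID on the pub line
        }
        $1 == "uid" && uid == "" { uid = $10 }   # gpg 2.x: first uid record
        END { emit() }
    '
}

audit_keyring() {
    # $1: keyring file, e.g. /etc/apt/trusted.gpg or a file
    # under /etc/apt/trusted.gpg.d/
    gpg --no-default-keyring --keyring "$1" --list-keys --with-colons \
        2>/dev/null | flag_bad_keys
}

# Constructed sample listing (not taken from any real keyring):
# one revoked key, one good key, one expired key in gpg 1.x layout.
sample_listing() {
    cat <<'EOF'
pub:r:4096:1:AAAAAAAAAAAAAAAA:1300000000:::-:::sc::::::23::0:
uid:r::::1300000000::0000000000000000000000000000000000000000::Old Archive Key (constructed)::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1470000000:::-:::scSC::::::23::0:
uid:-::::1470000000::1111111111111111111111111111111111111111::New Archive Key (constructed)::::::::::0:
pub:e:2048:1:CCCCCCCCCCCCCCCC:2008-01-10:2012-10-24::-:Expired Key (constructed)::sc:
EOF
}

# Demo on the constructed listing; on a real system call
# audit_keyring with the path of a keyring file instead.
sample_listing | flag_bad_keys
```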

