I have a mirror where Debian and Ubuntu packages are hosted, so people in the internal network can upgrade their software using this mirror. But the other day I realized it couldn’t sync against the Debian mirror, as described in the article How to build Debian and Ubuntu mirrors using debmirror. When I tried to run the sync script I got an error and it exited with errors.
When running the debmirror script, it fails with an error similar to this one:
    gpgv: Signature made Wed 17 Jul 2013 04:40:31 PM CST using RSA key ID 473041FA
    [GNUPG:] ERRSIG AED4B06F473041FA 1 2 00 1374050431 9
    [GNUPG:] NO_PUBKEY AED4B06F473041FA
    gpgv: Can't check signature: public key not found
    gpgv: Signature made Wed 17 Jul 2013 04:40:31 PM CST using RSA key ID 46925553
    [GNUPG:] ERRSIG 8B48AD6246925553 1 2 00 1374050431 9
    [GNUPG:] NO_PUBKEY 8B48AD6246925553
    gpgv: Can't check signature: public key not found
    Release signature does not verify
Packages are validated using a key, so we can trust what we are downloading from the source repo and what will be installed on our computers. Some repositories have a keyring with known keys, and it’s likely that a new signing key was added to the Debian/Ubuntu keyring. This can occur when a new distro version is released and new keys are added, making our keyring out of date (the new keys are missing).
To fix this issue, follow these steps depending on the distro you are mirroring:
For Debian, update the repository and import the new keys:
    aptitude update
    aptitude safe-upgrade
    gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /var/data/keyrings/debian/trustedkeys.gpg --import
Side note: If no keys were added, download the latest debian-archive-keyring package from the repositories, extract it and use those keyrings. Example:
    wget http://ftp.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2012.4_all.deb
    dpkg -x debian-archive-keyring_2012.4_all.deb ~
    gpg --keyring ~/usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /var/data/keyrings/debian/trustedkeys.gpg --import
For Ubuntu, download the latest ubuntu-archive-keyring package, extract it, and then use those keyrings. Example:
    wget http://mirror.pnl.gov/ubuntu//pool/main/u/ubuntu-keyring/ubuntu-keyring_2012.05.19_all.deb
    dpkg -x ubuntu-keyring_2012.05.19_all.deb ~
    gpg --keyring ~/usr/share/keyrings/ubuntu-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /var/data/keyrings/ubuntu/trustedkeys.gpg --import
After this procedure, the sync script will run without problems and it will download the latest updates.
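To confirm the import actually covered the keys gpgv complained about, the following added example (not part of the original article) compares the NO_PUBKEY IDs from the failed run against a colon-format listing of the trusted keyring. The function names and the sample listing are constructed for illustration; the status lines are the ones from the error shown earlier.

```shell
#!/bin/sh
# Print the long key IDs that gpgv reported as missing (status lines on stdin).
missing_key_ids() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3 }' | sort -u
}

# Print the long key IDs of primary keys and subkeys from a colon-format
# listing on stdin (field 5 of "pub" and "sub" records).
keyring_key_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $5 }' | sort -u
}

# still_missing STATUS_TEXT LISTING_TEXT
# Print every key ID from the gpgv output that is absent from the keyring.
still_missing() {
    printf '%s\n' "$1" | missing_key_ids | while read -r id; do
        printf '%s\n' "$2" | keyring_key_ids | grep -qxF "$id" || printf '%s\n' "$id"
    done
}

# gpgv status lines from the failed debmirror run shown above.
SAMPLE_STATUS='[GNUPG:] ERRSIG AED4B06F473041FA 1 2 00 1374050431 9
[GNUPG:] NO_PUBKEY AED4B06F473041FA
[GNUPG:] ERRSIG 8B48AD6246925553 1 2 00 1374050431 9
[GNUPG:] NO_PUBKEY 8B48AD6246925553'

# Constructed listing: a keyring in which only the first key has been imported.
SAMPLE_LISTING='pub:-:4096:1:AED4B06F473041FA:1282940623:::-:::scSC:
uid:-::::1282940623::::Constructed sample key:'

# On a real mirror, produce the listing with (keyring path from the article):
#   gpg --no-default-keyring --keyring /var/data/keyrings/debian/trustedkeys.gpg \
#       --with-colons --list-keys
still_missing "$SAMPLE_STATUS" "$SAMPLE_LISTING"
```

An empty result means every key named in the error is now in the keyring; any ID still printed points to a keyring package that does not yet contain that key.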