debmirror fails to properly check Release(.gpg)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
debmirror (Ubuntu) | Fix Released | Undecided | Kees Cook |
Bug Description
Binary package hint: debmirror
debmirror seems to not properly verify Release and Release.gpg as below:
bluefox@
Mirroring to /media/
Arches: i386
Dists: edgy,edgy-
Sections: main,restricted
Passive mode on.
Will clean up AFTER mirroring.
Pdiff mode: use.
Attempting to get lock, this might take 2 minutes before it fails.
Get Release files.
[0%] Keeping: dists/edgy/Release
[0%] Keeping: dists/edgy/
gpg: Signature made Wed 25 Oct 2006 01:13:17 PM EDT using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-
[0%] Keeping: dists/edgy-
gpg: Signature made Wed 07 Mar 2007 09:40:12 PM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-
[0%] Keeping: dists/edgy-
gpg: Signature made Tue 06 Mar 2007 04:30:39 AM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-
[0%] Keeping: dists/edgy-
gpg: Signature made Wed 07 Mar 2007 09:40:12 PM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
[0%] Keeping: dists/edgy-
[0%] Keeping: dists/edgy-
gpg: Signature made Wed 07 Mar 2007 02:31:39 PM EST using DSA key ID 437D05B5
gpg: Can't check signature: public key not found
Release signature does not verify.
Errors:
Release signature does not verify.
Release signature does not verify.
Release signature does not verify.
Release signature does not verify.
Release signature does not verify.
Failed to download some Release or Release.gpg files!
WARNING: releasing 1 pending lock...
It seems to download them to .temp/ instead of ./ and then verify ./.
As a work-around, skip those:
bluefox@
I'm told this is a failing on my part to get the proper gpg keys. Perhaps debmirror should ask something like:
!!! Warning: You don't have the gpg public key for this. Download key ID 437D05B5 [y/N]?
And then I hit Y and it downloads it (and tells me it can't find it, yay) and life goes on.
In short, move this to wishlist or something.
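
The log above shows a missing public key being reported as "Release signature does not verify". As an added example (not debmirror's code and not part of the original report), this Python code separates that case from a genuinely bad signature by reading gpgv's machine-readable status lines. The function names, the sample status lines and the key ID `0123456789ABCDEF` are constructed for illustration.

```python
import subprocess

# Constructed gpgv --status-fd samples; the key ID is a made-up placeholder.
SAMPLE_MISSING = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1161796397 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)
SAMPLE_GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Key <key@example.invalid>\n"
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Constructed Key <key@example.invalid>\n"


def classify_status(status_text):
    """Reduce gpg/gpgv status lines to (verdict, key_id)."""
    seen = {}
    for line in status_text.splitlines():
        fields = line.split()
        # Status lines look like: [GNUPG:] KEYWORD arg1 arg2 ...
        if len(fields) >= 3 and fields[0] == "[GNUPG:]":
            seen.setdefault(fields[1], fields[2])
    if "BADSIG" in seen:          # data does not match the signature
        return ("bad-signature", seen["BADSIG"])
    if "GOODSIG" in seen:         # valid signature from a key in the keyring
        return ("verified", seen["GOODSIG"])
    if "NO_PUBKEY" in seen:       # signature could not be checked at all
        return ("missing-key", seen["NO_PUBKEY"])
    return ("unverified", None)   # expired/revoked key, no signature, etc.


def verify_release(release, signature, keyring):
    """Check a detached Release.gpg against Release using only `keyring`."""
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring, "--status-fd", "1", signature, release],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
    )
    return classify_status(proc.stdout)


def explain(verdict, key_id):
    """Operator-facing message that names the real cause."""
    if verdict == "missing-key":
        return f"Cannot check Release: public key {key_id} is not in the keyring."
    if verdict == "bad-signature":
        return f"Release does NOT match its signature from key {key_id}."
    if verdict == "verified":
        return f"Release verified with key {key_id}."
    return "Release has no acceptable signature."
```

`verify_release` needs `gpgv` installed and a keyring file obtained from a trusted source, such as the distribution's archive keyring package.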