I have a catch 22 trying to:
# apt-get update
[... good lines omitted]
W: GPG error: http://backports.debian.org lenny-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
W: GPG error: http://http.us.debian.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
At http://wiki.debian.org/SecureApt#Other_problems it notes the NO_PUBKEY issue "means the archive has begun to be signed by a new key, which your system does not know about ... and once the system is fed the new key (by upgrading the debian-archive-keyring package), the warning will go away"
OK, but perversely:
apt-get install debian-archive-keyring
gives me:
WARNING: The following packages cannot be authenticated!
debian-archive-keyring
and the solution for that is to do an apt-get update
Can anyone break the cycle for me?
--
Note: my /etc/apt/sources.list is:
deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://http.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org lenny/updates main contrib non-free
deb http://backports.debian.org/debian-backports lenny-backports main contrib non-free
You are basically just experiencing the standard bootstrapping problem for public key cryptography.
There are many places you can download the public keys for the various archives, but frequently they are not provided over HTTPS, and any checksum files are delivered from the same location.
That wiki link you provided links off to https://ftp-master.debian.org/keys.html which provides a copy of the keys you can download over SSL. The problem of course is that the cert for ftp-master.debian.org is signed by ca.debian.org, which is not distributed with the most common web browsers.
You basically just have to find a way to get a copy of debian-archive-keyring, or the current key, from a system that you trust, and then install it onto your system. If you are really paranoid, you might have to grab a copy of the archive, and have someone else grab a copy from another mirror on a different computer over a different network. Then compare the checksums.
If you are not extremely paranoid, or in a high security environment, then just let
apt-get install debian-archive-keyring
install, and ignore the warning. It would take a lot of effort for someone to set up a MITM between you and some random http.us.debian.org mirror. Once they did that, they would have to build their own custom debian-archive-keyring package including their evil key in addition to the standard keys. Then they would have to rebuild some packages to force you to install something evil onto your system. The effort involved would not be trivial.
Debian generally does a pretty good job adding keys that will be used to sign the packages in the future to the debian-archive-keyring package. That is one package that you really want to keep up-to-date. That way, you will have the keys installed before they are used for signing things, and you won't have this problem in the future.
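The "compare the checksums" step from the answer above, as an added shell example that is not part of the original answer. It uses constructed stand-in files in place of two real downloads of the debian-archive-keyring package; sha256sum as the hash tool and the file names are my assumptions, and the same functions work unchanged on real .deb files pulled from two different mirrors.

```shell
#!/bin/sh
# Added example (not from the original answer). Two independently obtained
# copies of a keyring package should hash identically; a copy altered in
# transit (e.g. by a MITM on one mirror) will not. Stand-in files are
# constructed here instead of downloading anything.

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if two copies hash identically, 1 otherwise.
copies_match() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Return 0 if a file matches a digest obtained out of band
# (read from a trusted machine, over the phone, ...), 1 otherwise.
matches_expected() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Constructed fixtures: "mirror A" and "mirror B" agree; a third copy was tampered with.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'pretend this is debian-archive-keyring.deb\n' > "$demo_dir/copy_from_mirror_a.deb"
cp "$demo_dir/copy_from_mirror_a.deb" "$demo_dir/copy_from_mirror_b.deb"
printf 'pretend this is debian-archive-keyring.deb plus an extra key\n' > "$demo_dir/tampered.deb"

# Named wrappers so the two outcomes can be checked by name.
demo_matching() { copies_match "$demo_dir/copy_from_mirror_a.deb" "$demo_dir/copy_from_mirror_b.deb"; }
demo_tampered() { copies_match "$demo_dir/copy_from_mirror_a.deb" "$demo_dir/tampered.deb"; }

if demo_matching; then echo "mirror A and mirror B agree"; fi
if ! demo_tampered; then echo "tampered copy detected; do not install it"; fi
```

Only when the copies agree (or the digest matches one obtained through a channel you trust) does it make sense to run dpkg -i on the downloaded keyring package.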
Your problem is that you didn't install debian-keyring as well. Simply run the following:
That's it.
Debian - Apt-get : NO_PUBKEY / GPG error
In computers based on a Debian operating system that uses the Linux kernel, error messages may come up like 'NO_PUBKEY'. This happens while using the Apt-Get command line tool and this error is associated with the tool's update feature. The new feature in the Apt-Get package management tool guarantees the authenticity of the server before updating the Debian OS. That's why the error 'NO_PUBKEY' pops up. This problem can be solved by keying in the appropriate commands.
Simply type the following commands, taking care to replace the number below with that of the key that was displayed in the error message:
Two things:
Your sources.list file may be incorrect; are you sure those are the right lines for those repos?
You'll have to manually locate the Release.gpg files on those repos and update the keyring:
wget -q http://backports.debian.org/debian-backports/dists/squeeze-backports/Release.gpg -O -|apt-key add -
You might be playing with fire by mixing lenny with the stable repo
The right thing to do is to not worry about getting the key to your machine securely, but being able to accurately check your trust path to the key once you have it on your machine. This means that you want to find a chain of signatures where your gpg key was used to sign someone's key that was used to sign someone's key... so that you eventually find someone that signed the archive key.
This would obviously be tedious if you were to try to do this by hand if you are more than a couple of steps away from the key. wotsap is a package which will help you discover paths from your key to the keys of the people that have directly signed the archive key.
This all is predicated on you having a gpg key and participating in gpg keysigning, which is absolutely essential if you want to really do this correctly.