Home / server / Questions / 984604
In Process
ThorSummoner
Asked: 2019-09-18 12:38:01 +0800 CST

debootstrap "Release signed by unknown key"

  • 772
# debootstrap  buster /srv/buster
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id DCC9EFBF77E11517)

Where do I get this release key, and How do I add this release key to the debootstrap trust?

debian

1 Answers

    • Where to get the release key? The debian archive keyring server:

      https://ftp-master.debian.org/keys.html

    • How to make debootstrap trust this release key:

      Make a new keyring, and inform deboostrap to use it:

      wget https://ftp-master.debian.org/keys/release-10.asc -qO- | gpg --import --no-default-keyring --keyring ./debian-release-10.gpg
debootstrap --keyring=./debian-release-10.gpg buster /srv/buster

      Compatibility Note:

      I found that using a gpg2 keyring would not work due to debootstrap using gpgv under the hood, which uses a gpg1 database version. I recreated by gpg database like so from the , note that gpg is gpg 1.x.x not gpg 2.x.x or newer at time of writing:

    If deboostrap were updated to use gpg --verify instead of gpgv, I would imagine gpg2 could be used as a drop-in replacement - But I cannot be certain.

    • 7