How can I avoid GPG errors with apt 0.6 and above?

Since version 0.6, apt checks package signatures. If the key behind a signature is not known to apt, errors like the following are produced.

W: GPG error: http://debian.hinterhof.net unstable/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0E41455F530F04D
W: GPG error: http://kempele.fi ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76755C2ABD7736A8
W: GPG error: http://www.tux.org sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB5E459A529B8BDA
W: GPG error: ftp://ftp.nerim.net sarge Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://ftp.nerim.net etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://ftp.nerim.net sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907

The signatures are included in the Release files, as the error message suggests. So if the public key is not known to GPG, the above error messages are produced.

Getting everything right with signatures and apt still seems to be confusing to a lot of people, including me. This article and the comments to it at Debian Administration give an overview but also prove that there is still need for more detail. Especially the connection between the package debian-keyring and apt, and how the keys should enter /etc/apt/trusted.gpg, are still quite unclear to me. Furthermore, at the time of writing this, apt-key still seems to have some consistency bugs as described here. I believe there is still some development going on.

However, here’s how I got GPG quiet again. It’s basically finding the keys on a keyserver or in a file provided by the keyholder, importing them into GPG and then exporting and piping them into apt-key. It should work with the keys after the NO_PUBKEY warning.

A good example is the repository at http://debian.hinterhof.net. Max Vozeler, the repository maintainer, says:

I sign both repositories using key 1024D/F530F04D Automatic Signing Key (debian.hinterhof.net) (asc) which is signed with my Debian key 1024D/B7CDA2DC Max Vozeler (asc).

You can get the key by either asking a keyserver

#gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys F530F04D

or getting the file containing the key

#wget http://hinterhof.net/debian/archive-2005.asc
#gpg --import archive-2005.asc

Now you need to get the key into /etc/apt/trusted.gpg by using

#gpg --armor --export F530F04D | apt-key add -

Now GPG should not be complaining about this repository again.

The steps for the other repositories are the same. Christian Marillat has some comments about his keys here. Some more comments on package signing are in the Securing Debian Manual.
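
As an added example (not from the original post): apt reports 16-digit key IDs, while the commands above import by the 8-digit short ID, and short IDs are not unique. The shell functions below list the missing keys per repository from apt's warnings and check that an imported key's fingerprint ends in the ID apt asked for. The function names and the zero-padded fingerprint are constructed for illustration, and v4 OpenPGP keys are assumed.

```shell
# Added example, not from the original post. POSIX sh + awk.

# Three of the warnings shown in the post.
SAMPLE_APT_OUTPUT="W: GPG error: http://debian.hinterhof.net unstable/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0E41455F530F04D
W: GPG error: ftp://ftp.nerim.net sarge Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://ftp.nerim.net etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907"

# Constructed sample of `gpg --with-colons --fingerprint` output: the
# fingerprint is zero-padded and is NOT the real fingerprint of any key.
SAMPLE_COLONS='fpr:::::::::000000000000000000000000A0E41455F530F04D:'

# missing_keys: read `apt-get update` output on stdin and print one line per
# missing key ID, followed by every repository that needs it.
missing_keys() {
    awk '/^W: GPG error: / {
            repo = $0
            sub(/^W: GPG error: /, "", repo)
            sub(/ Release: .*/, "", repo)
            # One warning can name several keys, so scan every field.
            for (i = 1; i < NF; i++)
                if ($i == "NO_PUBKEY" && !seen[$(i+1), repo]++)
                    repos[$(i+1)] = repos[$(i+1)] " [" repo "]"
         }
         END { for (id in repos) print id repos[id] }' | sort
}

# key_matches ID: read `gpg --with-colons --fingerprint` output on stdin and
# succeed only if some fingerprint (field 10 of an "fpr" record) ends in ID.
# Assumes v4 keys, whose key ID is the tail of the fingerprint.
key_matches() {
    awk -F: -v id="$1" '
        BEGIN { id = toupper(id); n = length(id) }
        $1 == "fpr" {
            f = toupper($10)
            if (n > 0 && length(f) >= n && substr(f, length(f) - n + 1) == id)
                ok = 1
        }
        END { exit !ok }'
}

# Usage on a real system (root prompt, as in the post):
#   apt-get update 2>&1 | missing_keys
#   gpg --with-colons --fingerprint F530F04D | key_matches A0E41455F530F04D \
#       && gpg --armor --export F530F04D | apt-key add -
```

The fingerprint that `gpg --fingerprint` prints should also be compared with the one the repository maintainer publishes, since a matching key ID only shows that the imported key is the one apt named.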

Open the door and let your head smoke

The Advent calendar for those who have already had enough of cookies, Stollen and Dominosteine can be found here. Instead of unwrapping tinfoil, there you get to scribble all over graph paper, because behind every door hides a mathematics problem at the level of grades 10 to 13. You can also win something if you hand in your solutions regularly. As I write this, I am despairing over the second door. The first problem was still fairly easy; it was about automata that influence one another. Today, however, there is a geometry problem from discrete differential geometry, specifically a circle packing problem. To be honest, I never came across that at school, nor at university. Maybe I should just google it …