Debian – Securely Getting debian-archive-keyring for apt-get Update


I have a catch 22 trying to:

   # apt-get update
   [... good lines omitted]
   W: GPG error: http://backports.debian.org lenny-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
   W: GPG error: http://http.us.debian.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
   W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA

At http://wiki.debian.org/SecureApt#Other_problems it notes the NO_PUBKEY issue "means the archive has begun to be signed by a new key, which your system does not know about … and once the system is fed the new key (by upgrading the debian-archive-keyring package), the warning will go away".

OK, but perversely:

   apt-get install debian-archive-keyring 

gives me:

   WARNING: The following packages cannot be authenticated!
       debian-archive-keyring

and the solution for that is to do an apt-get update.

Can anyone break the cycle for me?

Note: my /etc/apt/sources.list is:

    deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
    deb http://http.us.debian.org/debian stable main contrib non-free
    deb http://security.debian.org lenny/updates main contrib non-free
    deb http://backports.debian.org/debian-backports lenny-backports main contrib non-free

Best Answer

Can anyone break the cycle for me?

You are basically just experiencing the standard bootstrapping problem for public key cryptography.

There are many places you can download the public keys for the various archives, but frequently they are not provided over HTTPS, and any checksum files are delivered from the same location.

That wiki link you provided links off to https://ftp-master.debian.org/keys.html which provides a copy of the keys you can download over SSL. The problem of course is that the cert for ftp-master.debian.org is signed by ca.debian.org, which is not distributed with the most common web browsers.

You basically just have to find a way to get a copy of debian-archive-keyring, or the current key, from a system that you trust, and then install it onto your system. If you are really paranoid, you might have to grab a copy of the archive, and have someone else grab a copy from another mirror on a different computer over a different network. Then compare the checksums.

If you are not extremely paranoid, or in a high security environment, then just let apt-get install debian-archive-keyring install, and ignore the warning.

It would take a lot of effort for someone to set up a MITM between you and some random http.us.debian.org mirror. Once they did that, they would have to build their own custom debian-archive-keyring package including their evil key in addition to the standard keys. Then they would have to rebuild some packages to force you to install something evil onto your system. The effort involved would not be trivial.

Debian generally does a pretty good job adding keys that will be used to sign the packages in the future to the debian-archive-keyring package. That is one package that you really want to keep up-to-date. That way, you will have the keys installed before they are used for signing things, and you won't have this problem in the future.
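As an added example (not code from the question or the answer above), a small POSIX shell sketch of the "get the keyring from a system you trust and compare the checksums" approach: it pulls the missing key ids out of the apt-get update warnings, and refuses to dpkg -i a downloaded debian-archive-keyring .deb unless its SHA-256 matches a value read from a machine you already trust. KEYRING_DEB and TRUSTED_SHA256 are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original question or answer: break the
# apt/keyring bootstrap cycle by checking an out-of-band copy of
# debian-archive-keyring before installing it.
# Assumed placeholders: KEYRING_DEB is a locally downloaded
# debian-archive-keyring .deb; TRUSTED_SHA256 is the SHA-256 of that
# same file, obtained from a trusted system or a second download over
# a different network (never from the same mirror).

# missing_key_ids: print the unique key ids named in NO_PUBKEY warnings
# from "apt-get update" output fed on stdin.
missing_key_ids() {
    sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]\{8,16\}\).*/\1/p' | sort -u
}

# sha256_matches FILE EXPECTED_HEX: succeed only when FILE hashes to EXPECTED_HEX.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_keyring_if_trusted DEB EXPECTED_HEX: install the keyring package
# only when its hash matches the out-of-band value, then refresh apt so
# the Release files can be verified with the new key.
install_keyring_if_trusted() {
    if ! sha256_matches "$1" "$2"; then
        echo "refusing to install $1: SHA-256 does not match trusted copy" >&2
        return 1
    fi
    dpkg -i "$1" && apt-get update
}

# Usage (placeholder values, nothing here is a real hash):
#   apt-get update 2>&1 | missing_key_ids
#   install_keyring_if_trusted "$KEYRING_DEB" "$TRUSTED_SHA256"
```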