debootstrap "Release signed by unknown key"

Question

# debootstrap  buster /srv/buster
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id DCC9EFBF77E11517)

Where do I get this release key, and How do I add this release key to the debootstrap trust?

score 7 · Answer 1 · answered Sep 17 '19 at 20:38

Where to get the release key? The debian archive keyring server:

https://ftp-master.debian.org/keys.html
How to make debootstrap trust this release key:

Make a new keyring, and inform deboostrap to use it:
```
wget https://ftp-master.debian.org/keys/release-10.asc -qO- | gpg --import --no-default-keyring --keyring ./debian-release-10.gpg
debootstrap --keyring=./debian-release-10.gpg buster /srv/buster
```
Compatibility Note:

I found that using a gpg2 keyring would not work due to debootstrap using gpgv under the hood, which uses a gpg1 database version. I recreated by gpg database like so from the , note that gpg is gpg 1.x.x not gpg 2.x.x or newer at time of writing:

If deboostrap were updated to use gpg --verify instead of gpgv, I would imagine gpg2 could be used as a drop-in replacement - But I cannot be certain.

debootstrap "Release signed by unknown key"

1 Answers1

Compatibility Note: