Can't use Debian archive repositories, despite having installed debian-archive-keyring and debian-keyring

0

I'm trying to use some Debian Archive repositories in my sources.list, for testing purposes. I want to be able to search packages from Debian Sarge.

My sources.list looks like that:

# Stretch (Debian 9)

deb http://ftp.fr.debian.org/debian/ stretch main
deb-src http://ftp.fr.debian.org/debian/ stretch main
deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main
# stretch-updates, previously known as 'volatile'
deb http://ftp.fr.debian.org/debian/ stretch-updates main
deb-src http://ftp.fr.debian.org/debian/ stretch-updates main

# Jessie (Debian 8)

deb http://ftp.fr.debian.org/debian/ jessie main
deb-src http://ftp.fr.debian.org/debian/ jessie main
deb http://security.debian.org/debian-security jessie/updates main
deb-src http://security.debian.org/debian-security jessie/updates main

# Wheezy (Debian 7)

deb http://ftp.fr.debian.org/debian/ wheezy main
deb-src http://ftp.fr.debian.org/debian/ wheezy main
deb http://security.debian.org/debian-security wheezy/updates main
deb-src http://security.debian.org/debian-security wheezy/updates main

# Squeeze (Debian 6)
deb http://archive.debian.org/debian/ squeeze main non-free contrib
deb-src http://archive.debian.org/debian/ squeeze main non-free contrib
deb http://archive.debian.org/debian-security/ squeeze/updates main non-free contrib
deb-src http://archive.debian.org/debian-security/ squeeze/updates main non-free contrib

# Lenny (Debian 5)
deb http://archive.debian.org/debian/ lenny main non-free contrib
deb-src http://archive.debian.org/debian/ lenny main non-free contrib
deb http://archive.debian.org/debian-security/ lenny/updates main non-free contrib
deb-src http://archive.debian.org/debian-security/ lenny/updates main non-free contrib

# Etch (Debian 4)
deb http://archive.debian.org/debian/ etch main non-free contrib
deb-src http://archive.debian.org/debian/ etch main non-free contrib
deb http://archive.debian.org/debian-security/ etch/updates main non-free contrib
deb-src http://archive.debian.org/debian-security/ etch/updates main non-free contrib

# Sarge (Debian 3.1)
deb http://archive.debian.org/debian/ sarge main non-free contrib
deb-src http://archive.debian.org/debian/ sarge main non-free contrib
deb http://archive.debian.org/debian-security/ sarge/updates main non-free contrib
deb-src http://archive.debian.org/debian-security/ sarge/updates main non-free contrib

However, when I run apt update, I can't retrieve the packages from the Archive repositories (the stable/oldstable/oldoldstable repositories work fine, though), because of public key problems:

root@sandbox:~# apt update
Ign:1 http://ftp.fr.debian.org/debian stretch InRelease
Hit:2 http://ftp.fr.debian.org/debian stretch-updates InRelease
Ign:3 http://archive.debian.org/debian squeeze InRelease
Ign:4 http://ftp.fr.debian.org/debian jessie InRelease
Get:5 http://security.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Ign:6 http://ftp.fr.debian.org/debian wheezy InRelease
Ign:7 http://archive.debian.org/debian-security squeeze/updates InRelease
Hit:8 http://ftp.fr.debian.org/debian stretch Release
Hit:9 http://ftp.fr.debian.org/debian jessie Release
Hit:10 http://ftp.fr.debian.org/debian wheezy Release
Ign:11 http://archive.debian.org/debian lenny InRelease
Ign:12 http://archive.debian.org/debian-security lenny/updates InRelease
Ign:13 http://archive.debian.org/debian etch InRelease
Ign:14 http://archive.debian.org/debian-security etch/updates InRelease
Ign:15 http://archive.debian.org/debian sarge InRelease
Ign:17 http://archive.debian.org/debian-security sarge/updates InRelease
Hit:18 http://security.debian.org/debian-security jessie/updates InRelease
Get:19 http://archive.debian.org/debian squeeze Release [96.0 kB]
Hit:20 http://security.debian.org/debian-security wheezy/updates InRelease
Get:22 http://archive.debian.org/debian-security squeeze/updates Release [86.9 kB]
Get:23 http://archive.debian.org/debian lenny Release [99.6 kB]
Get:25 http://archive.debian.org/debian-security lenny/updates Release [92.4 kB]
Get:26 http://archive.debian.org/debian etch Release [67.8 kB]
Get:27 http://archive.debian.org/debian-security etch/updates Release [37.6 kB]
Get:28 http://archive.debian.org/debian sarge Release [34.6 kB]
Get:29 http://archive.debian.org/debian-security sarge/updates Release [40.7 kB]
Get:30 http://archive.debian.org/debian squeeze Release.gpg [1,655 B]
Get:31 http://archive.debian.org/debian-security squeeze/updates Release.gpg [836 B]
Get:32 http://archive.debian.org/debian lenny Release.gpg [1,034 B]
Get:33 http://archive.debian.org/debian-security lenny/updates Release.gpg [836 B]
Get:34 http://archive.debian.org/debian etch Release.gpg [1,033 B]
Get:35 http://archive.debian.org/debian-security etch/updates Release.gpg [835 B]
Get:36 http://archive.debian.org/debian sarge Release.gpg [378 B]
Get:37 http://archive.debian.org/debian-security sarge/updates Release.gpg [189 B]
Ign:30 http://archive.debian.org/debian squeeze Release.gpg
Ign:31 http://archive.debian.org/debian-security squeeze/updates Release.gpg
Ign:32 http://archive.debian.org/debian lenny Release.gpg
Ign:33 http://archive.debian.org/debian-security lenny/updates Release.gpg
Ign:34 http://archive.debian.org/debian etch Release.gpg
Ign:35 http://archive.debian.org/debian-security etch/updates Release.gpg
Ign:36 http://archive.debian.org/debian sarge Release.gpg
Ign:37 http://archive.debian.org/debian-security sarge/updates Release.gpg
Reading package lists... Done
W: GPG error: http://archive.debian.org/debian squeeze Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA NO_PUBKEY 64481591B98321F9
E: The repository 'http://archive.debian.org/debian squeeze Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security squeeze/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
E: The repository 'http://archive.debian.org/debian-security squeeze/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA NO_PUBKEY 4D270D06F42584E6
E: The repository 'http://archive.debian.org/debian lenny Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security lenny/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
E: The repository 'http://archive.debian.org/debian-security lenny/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B NO_PUBKEY B5D0C804ADB11277
E: The repository 'http://archive.debian.org/debian etch Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security etch/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
E: The repository 'http://archive.debian.org/debian-security etch/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian sarge Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A70DAF536070D3A1 NO_PUBKEY B5D0C804ADB11277
E: The repository 'http://archive.debian.org/debian sarge Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security sarge/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A70DAF536070D3A1
E: The repository 'http://archive.debian.org/debian-security sarge/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

All the resources talking about this suggest installing the debian-keyring and debian-archive-keyring packages, but I already have them and this does not seem to be doing anything.

Does anyone have a solution for that?

Ailothaen

Posted 2019-03-11T11:13:27.513

Reputation: 1

When you get that many versions apart, there's a good chance stuff won't work even if you load it. Also, there is very little maintenance in the old-stable repository, and virtually none in repositories older than that. So you risk loading stuff that has not been patched for security issues. – fixer1234 – 2019-03-11T14:59:38.157

That's actually the point of this: I want to install old packages to study the vulnerabilities in them. This is for a school project. – Ailothaen – 2019-03-12T07:52:48.423

Answers

1

From the article Fix Apt-get : NO_PUBKEY / GPG Error in Debian:

In computers based on a Debian operating system that uses Linux kernel, error messages similar to NO_PUBKEY may appear.This happens while using the Apt-Get command line tool, and this error is associated with the tool's update feature.

This problem can be solved by simply keying in the appropriate commands.

The suggested commands for this fix are (for key server pgpkeys.mit.edu):

gpg --keyserver pgpkeys.mit.edu --recv-key [key-name]
gpg -a --export [key-name] | sudo apt-key add -

The keys mentioned in your error messages are: AED4B06F473041FA, 64481591B98321F9, 4D270D06F42584E6, and others (seems like a lot).

Try this advice for one key and check if at least that one error message has now been resolved. If so, repeat for the other keys.

harrymc

Posted 2019-03-11T11:13:27.513

Reputation: 306 093

Just did that one, but replacing the server with pool.sks-keyservers.net, as the MIT one seems to be down. Ran the commands with all the keys without problems, and instead of the "key not found" error, I'm getting that one: W: GPG error: http://archive.debian.org/debian squeeze Release: The following signatures were invalid: EXPKEYSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org> EXPKEYSIG 64481591B98321F9 Squeeze Stable Release Key <debian-release@lists.debian.org> – Ailothaen – 2019-03-11T13:31:21.913

The key AED4B06F473041FA seems to be missing. – harrymc – 2019-03-11T13:36:05.710

No, actually the key AED4B06F473041FA is not missing. The message I pasted is only for the first repository, here is the full message: https://pastebin.com/gKhdduYT

– Ailothaen – 2019-03-11T13:59:06.767

Try apt-get with --allow-unauthenticated. See link.

– harrymc – 2019-03-11T14:34:37.397

--allow-unauthenticated did not do anything special. However, I tried adding [trusted=yes] after the deb and deb-src on each line, and despite the gpg errors remain, the packages are obtained. But I'd still want to find the cause of this, as putting [trusted=yes] everywhere does not sound a healthy option. – Ailothaen – 2019-03-11T15:04:39.783

Asked: 2019-03-11T11:13:27.513

Viewed: 1 057 times

Active: 2019-03-11T13:36:27.477