mkdebmirror problem

Dominik Kasprzyk dk at
Mon Jul 4 17:31:57 CEST 2005

You can fix this by importing the correct gpg keys for the Debian archive (if that is what you're using) with the following command:

gpg --recv-keys 38C6029A 4F368D5D

This grabs the Debian main and non-us keys and enables the gpg problem to be avoided.  You might also need the debian-keyring package for the command to work if gpg doesn't automatically grab them off the net.

If you run this command from a script on a newly installed system, be warned, the first run of gpg sets up its user files and does nothing.

Admittedly, the error should be bypassed by adding --ignore-relase-gpg as that's how I've got around it in the past so if you have it in there I'm a little confused as to why it's not working.  I do remember getting this error when getting the source I was copying from wrong (i.e. the relase files weren't where it thought they were so of course they didn't verify!) and in which case --ignore-missing-release should get you past that error onto others that might be more helpful, although I think it should complain about a missing packages file then aswell. 

Here's a link to a working version of a file we use to sync off a local department mirror (which syncs off which was based off the 2.7 mkdebmirror script just in case that helps you:

Sorry I can't be more helpful,


> Hi all,
> I've been working on this most of today, trying different mirroring 
> programs and not having much luck, so I thought i'd go back to 
> mkdebmirror and try and get some help. Hopefully it's user error and 
> easily fixed ;-)
> I've installed debmirror via apt, version "20050207", and i've modified 
> mkdebmirror to this:
> debug="$@"
> arch=i386
> dist=sarge,sarge-proposed-updates
> destdir=/mirror
> update_from
> update_from
> I've also added a '-v' in allopt=" because I was getting an error, namely:
> <snip>
> [0%] Getting: dists/sarge/Release
> [0%] Getting: dists/sarge/Release.gpg
> gpg: Signature made Mon Jun  6 12:22:54 2005 EST using DSA key ID 4F368D5D
> gpg: Can't check signature: public key not found
> Release signature does not verify.
> </snip>
> ..and then it jumps to the next update site and gives the same error 
> without downloading anything.
> I've put up the full error msg (to save your mailbox from excessive 
> spam) at
> mkdebmirror is straight from 
>, so the 
> allopt= line does contain --ignore-release-gpg so I can't see why this 
> is occuring.

More information about the linux-fai mailing list