Impossible d'utiliser les dépôts Debian Archive

Tags: #<Tag:0x00007f58cf39c590>

Bonjour,

Je cherche à utiliser les dépôts Debian Archive dans mon fichier sources.list, car j’ai besoin d’utiliser des anciennes versions de certains paquets (à des fins de tests pour un lab sécurité et vulnérabilités)
Par Debian Archive, j’entends les dépôts de Squeeze (actuellement) et de tout ce qu’il y a dessous, comme décrit sur cette page : https://www.debian.org/distrib/archive.fr.html

Voulant “ratisser large”, j’ai un fichier sources.list qui ressemble à cela : https://pastebin.com/eM95JT8w
J’ai également installé les paquets debian-keyring et debian-archive-keyring.

Cependant, en essayant un apt update, il m’est impossible de récupérer les paquets :

root@sandbox:~# apt update
Ign:1 http://ftp.fr.debian.org/debian stretch InRelease
Hit:2 http://ftp.fr.debian.org/debian stretch-updates InRelease
Ign:3 http://archive.debian.org/debian squeeze InRelease
Ign:4 http://ftp.fr.debian.org/debian jessie InRelease
Get:5 http://security.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Ign:6 http://ftp.fr.debian.org/debian wheezy InRelease
Ign:7 http://archive.debian.org/debian-security squeeze/updates InRelease
Hit:8 http://ftp.fr.debian.org/debian stretch Release
Hit:9 http://ftp.fr.debian.org/debian jessie Release
Hit:10 http://ftp.fr.debian.org/debian wheezy Release
Ign:11 http://archive.debian.org/debian lenny InRelease
Ign:12 http://archive.debian.org/debian-security lenny/updates InRelease
Ign:13 http://archive.debian.org/debian etch InRelease
Ign:14 http://archive.debian.org/debian-security etch/updates InRelease
Ign:15 http://archive.debian.org/debian sarge InRelease
Ign:17 http://archive.debian.org/debian-security sarge/updates InRelease
Hit:18 http://security.debian.org/debian-security jessie/updates InRelease
Get:19 http://archive.debian.org/debian squeeze Release [96.0 kB]
Hit:20 http://security.debian.org/debian-security wheezy/updates InRelease
Get:22 http://archive.debian.org/debian-security squeeze/updates Release [86.9 kB]
Get:23 http://archive.debian.org/debian lenny Release [99.6 kB]
Get:25 http://archive.debian.org/debian-security lenny/updates Release [92.4 kB]
Get:26 http://archive.debian.org/debian etch Release [67.8 kB]
Get:27 http://archive.debian.org/debian-security etch/updates Release [37.6 kB]
Get:28 http://archive.debian.org/debian sarge Release [34.6 kB]
Get:29 http://archive.debian.org/debian-security sarge/updates Release [40.7 kB]
Get:30 http://archive.debian.org/debian squeeze Release.gpg [1,655 B]
Get:31 http://archive.debian.org/debian-security squeeze/updates Release.gpg [836 B]
Get:32 http://archive.debian.org/debian lenny Release.gpg [1,034 B]
Get:33 http://archive.debian.org/debian-security lenny/updates Release.gpg [836 B]
Get:34 http://archive.debian.org/debian etch Release.gpg [1,033 B]
Get:35 http://archive.debian.org/debian-security etch/updates Release.gpg [835 B]
Get:36 http://archive.debian.org/debian sarge Release.gpg [378 B]
Get:37 http://archive.debian.org/debian-security sarge/updates Release.gpg [189 B]
Ign:30 http://archive.debian.org/debian squeeze Release.gpg
Ign:31 http://archive.debian.org/debian-security squeeze/updates Release.gpg
Ign:32 http://archive.debian.org/debian lenny Release.gpg
Ign:33 http://archive.debian.org/debian-security lenny/updates Release.gpg
Ign:34 http://archive.debian.org/debian etch Release.gpg
Ign:35 http://archive.debian.org/debian-security etch/updates Release.gpg
Ign:36 http://archive.debian.org/debian sarge Release.gpg
Ign:37 http://archive.debian.org/debian-security sarge/updates Release.gpg
Reading package lists... Done
W: GPG error: http://archive.debian.org/debian squeeze Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA NO_PUBKEY 64481591B98321F9
E: The repository 'http://archive.debian.org/debian squeeze Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security squeeze/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
E: The repository 'http://archive.debian.org/debian-security squeeze/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA NO_PUBKEY 4D270D06F42584E6
E: The repository 'http://archive.debian.org/debian lenny Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security lenny/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
E: The repository 'http://archive.debian.org/debian-security lenny/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B NO_PUBKEY B5D0C804ADB11277
E: The repository 'http://archive.debian.org/debian etch Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security etch/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
E: The repository 'http://archive.debian.org/debian-security etch/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian sarge Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A70DAF536070D3A1 NO_PUBKEY B5D0C804ADB11277
E: The repository 'http://archive.debian.org/debian sarge Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security sarge/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A70DAF536070D3A1
E: The repository 'http://archive.debian.org/debian-security sarge/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

J’ai essayé d’importer toutes les clés publiques listées dans le message avec ce type de commande :

gpg --keyserver sks-keyservers.net --recv-key 64481591B98321F9
gpg -a --export 64481591B98321F9 | apt-key add -

Mais dans ce cas, une autre erreur apparaît :

[...]
Ign:34 http://archive.debian.org/debian etch Release.gpg
Ign:35 http://archive.debian.org/debian-security etch/updates Release.gpg
Ign:36 http://archive.debian.org/debian sarge Release.gpg
Ign:37 http://archive.debian.org/debian-security sarge/updates Release.gpg
Reading package lists... Done
W: GPG error: http://archive.debian.org/debian squeeze Release: The following signatures were invalid: EXPKEYSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org> EXPKEYSIG 64481591B98321F9 Squeeze Stable Release Key <debian-release@lists.debian.org>
E: The repository 'http://archive.debian.org/debian squeeze Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security squeeze/updates Release: The following signatures were invalid: EXPKEYSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
E: The repository 'http://archive.debian.org/debian-security squeeze/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian lenny Release: The following signatures were invalid: EXPKEYSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org> 9FED2BCBDCD29CDF762678CBAED4B06F473041FA EXPKEYSIG 4D270D06F42584E6 Lenny Stable Release Key <debian-release@lists.debian.org> 7F5A44454C724A65CBCD4FB14D270D06F42584E6
E: The repository 'http://archive.debian.org/debian lenny Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security lenny/updates Release: The following signatures were invalid: EXPKEYSIG 9AA38DCD55BE302B Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org> 150C8614919D8446E01E83AF9AA38DCD55BE302B
E: The repository 'http://archive.debian.org/debian-security lenny/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian etch Release: The following signatures were invalid: EXPKEYSIG 9AA38DCD55BE302B Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org> 150C8614919D8446E01E83AF9AA38DCD55BE302B 7EA391D72477203B58C04FBCB5D0C804ADB11277
E: The repository 'http://archive.debian.org/debian etch Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security etch/updates Release: The following signatures were invalid: EXPKEYSIG 9AA38DCD55BE302B Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org> 150C8614919D8446E01E83AF9AA38DCD55BE302B
E: The repository 'http://archive.debian.org/debian-security etch/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian sarge Release: The following signatures were invalid: EXPKEYSIG A70DAF536070D3A1 Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org> A99951DAF9BB569BDB50AD90A70DAF536070D3A1 7EA391D72477203B58C04FBCB5D0C804ADB11277
E: The repository 'http://archive.debian.org/debian sarge Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.debian.org/debian-security sarge/updates Release: The following signatures were invalid: EXPKEYSIG A70DAF536070D3A1 Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org> A99951DAF9BB569BDB50AD90A70DAF536070D3A1
E: The repository 'http://archive.debian.org/debian-security sarge/updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

À ce point-là, je ne comprends donc pas trop ce que je peux faire. On dirait que personne d’autre n’a le même problème que moi, et la documentation de Debian dont j’ai mis le lien ci-dessus ne mentionne rien de particulier, et ne parle même pas de debian-archive-keyring (supposé être installé pour que les anciens dépôts marchent).
À noter que si j’écris [trusted=yes] après deb et deb-src, des messages d’avertissement apparaissent mais j’ai accès à la liste des paquets. Mais j’aimerais tout de même pouvoir obtenir les paquets “normalement”.

Merci d’avance :owl:

Déjà, ton debian-archive-keyring a peut être aussi ses versions, et suivant les archives, ça peut être des vieilles clés différentes qui sont utilisées sur des vielles archives non ajustées avec les nouvelles clés, et qui ne sont plus dans le paquet: d’ou le premier problème avec des clés non reconnues (qui n’existent plus dans les keyrings que tu as).
Certaines des clés que tu tentes d’importer peuvent aussi avoir été révoquées en route, ce qui doit expliquer ta deuxième série de problèmes avec des clés “invalid”.
Pour le fait que personne ne dise rien, c’est peut être que vous êtes trop rares à exploiter à fond les plus vieilles archives, donc personne n’a rien remarqué ?

AMA, tu vas devoir te passer de la sécurité sur les dépôts avec ton [trusted=yes], ou valider que c’est bien une erreur avec debian-archive, et leur faire installer de nouvelles clés sur les plus vieux dépôts.

Tu peux vérifier si des clés sont expirées

apt-key list

Ceci dit dans des dépots archivés, par définition il n’y a pas de mise à jour, ça sert surtout à aller pêcher des vieux logiciels inexistant dans les nouvelles versions
Donc pour une utilisation manuelle et au coup par coup de apt

salut
à ta place je ferais plusieurs systèmes ( virtualisation :docker, virtualbox ou une clé usb bootable persistente … )

1 J'aime