The ebuild app-crypt/gentoo-keys has the keys 0xBB572E0E2D182910 and 0xDB6B8C1F96D8BF6D expired: gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --with-fingerprint --list-keys gpg: WARNING: unsafe permissions on homedir `/var/lib/gentoo/gkeys/keyrings/gentoo/release' /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg --------------------------------------------------------- pub 4096R/F6CD6C97 2014-10-03 [expires: 2017-09-17] Key fingerprint = D2DE 1DBB A0F4 3EBA 341B 97D8 8255 33CB F6CD 6C97 uid [ unknown] Gentoo-keys Team <gkeys@gentoo.org> sub 4096R/151C3FC7 2014-10-03 [expires: 2017-09-17] pub 1024D/17072058 2004-07-20 [expires: 2016-08-13] Key fingerprint = D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058 uid [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org> sub 2048g/1415B4ED 2004-07-20 [expires: 2016-08-13] pub 4096R/96D8BF6D 2011-11-25 [expired: 2015-11-24] Key fingerprint = DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D uid [ expired] Gentoo Portage Snapshot Signing Key (Automated Signing Key) pub 4096R/2D182910 2009-08-25 [expired: 2015-08-24] Key fingerprint = 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910 uid [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
You need to use a newer mirror, as the keys have been updated already by infra, and uploaded to public keyservers. $ gpg --list-keys 0xBB572E0E2D182910 0xDB6B8C1F96D8BF6D pub rsa4096/0xBB572E0E2D182910 2009-08-25 [expires: 2017-08-25] uid [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org> pub rsa4096/0xDB6B8C1F96D8BF6D 2011-11-25 [expires: 2016-07-01] uid [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key) sub rsa4096/0xEC590EEAC9189250 2011-11-25 [expires: 2016-07-01]
Sorry, but we have not automated the refreshing of the keyring yet. Plus it never occurred to me that the binary keyring needed updating after the resetting of some of those keys. if you have gkeys installed, (you might need gkeys-9999): gkeys refresh-key -C gentoo That will update all the keys in that category of keyrings. There is no need to re-install the gentoo-keys keyring. I'll refresh the binary keyring that is installed. I'll hopefully have the next version of gkeys out this weekend too. I just have a little more testing to do, plus make the cron jobs to install that will re-fresh the keyrings automatically.
OK, app-crypy/gentoo-keys-201511260245 is in the tree, replacing the old version. It will be available on the mirrors in the next few hours. You can update it with the ebuild or the method I described in the previous post.