I've discovered that if the package comes from the repo, signed with an unknown key, YUM tries to re-obtain the key using the link provided. If the new key could be downloaded with the old link, it will be added to rpmdb.
The recipient can decrypt the message even without having the sender's public key; that key is needed only to reply or to check the signature of the message.
I think downloading the keys one by one is usually the correct way, because most people operate with public keyservers and, of course, they just want the keys of people they know.
GPG error: In Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E
W: Failed to fetch ... /In Release
W: Some index files failed to download.
E: Unable to synchronize mmap - msync (5: Input/output error)
E: Failed to truncate file - ftruncate (30: Read-only file system)
E: Problem renaming the file /var/cache/apt/
BU01D3 to /var/cache/apt/- rename (30: Read-only file system)
E: The package lists or status file could not be parsed or opened.
This is commonly called "secure apt" (or "apt-secure") and was implemented in Apt version 0.6 in 2003, which Debian migrated to in 2005.
Since the documentation (here and here) is fairly slim on how this all works from an administrator's point of view, this document will try to explain in detail how secure apt works and how to use it.
Get:1 In Release [7,737 B]
Get:2 In Release [12.5 k B]
Err In Release
Err In Release
Fetched 20.2 k B in 0s (75.4 k B/s)
Reading package lists...
W: A error occurred during the signature [email protected], looks like that's not the only event.
This article discusses things at a relatively high level. For details on the format of the files in Debian repositories, please refer to the Debian Repository/Format page.
However, the old key still remains in the database and could verify the packages.