www1:~# aptitude update
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
Building tag database... Done
Get:1 http://ftp2.jp.debian.org sid Release.gpg [189B]
Hit http://ftp2.jp.debian.org sid Release
Err http://ftp2.jp.debian.org sid Release
Get:2 http://ftp2.jp.debian.org sid Release [38.3kB]
Get:3 http://ftp.debian-unofficial.org sid Release.gpg [191B]
Ign http://exodus.xmms.se stable Release.gpg
Ign http://ftp2.jp.debian.org sid Release
Ign http://debian.okey.net ./ Release.gpg
Hit http://ftp2.jp.debian.org sid/main Packages
Hit http://ftp.debian-unofficial.org sid Release
Ign http://exodus.xmms.se stable Release
Hit http://ftp2.jp.debian.org sid/non-free Packages
Hit http://ftp2.jp.debian.org sid/contrib Packages
Ign http://debian.okey.net ./ Release
Hit http://ftp.debian-unofficial.org sid/main Packages
Get:4 http://exodus.xmms.se stable/main Packages [2713B]
Hit http://ftp.debian-unofficial.org sid/contrib Packages
Hit http://ftp.debian-unofficial.org sid/non-free Packages
Hit http://debian.okey.net ./ Packages
Hit http://ftp.debian-unofficial.org sid/restricted Packages
Ign http://debian.ustc.edu.cn sid Release.gpg
Hit http://debian.ustc.edu.cn sid Release
Hit http://debian.ustc.edu.cn sid/marillat Packages
Hit http://debian.ustc.edu.cn sid/misc Packages
Hit http://debian.ustc.edu.cn sid/rareware Packages
Hit http://debian.ustc.edu.cn sid/ustc Packages
Fetched 41.2kB in 37s (1092B/s)
Reading package lists... Done
W: GPG error: http://ftp2.jp.debian.org sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: You may want to run apt-get update to correct these problems
There is not yet a standard location where you can find the key for a given apt repository. There's a rough standard of putting the key up on the web page for the repository or as a file in the repository itself, but no real standard, so you might have to hunt for it.
The Debian archive signing key is available at http://ftp-master.debian.org/ziyi_key_2006.asc (replace 2006 with current year). ("ziyi" is apparently a name of a Chinese actress.)
gpg itself has a standard way to distribute keys, using a keyserver that gpg can download a key from and add it to its keyring. For example:
$ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F
gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu
gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpm [email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
You can then export that key from your own keyring and feed it to apt-key:
$ gpg -a --export 2D230C5F | sudo apt-key add -
gpg: no ultimately trusted keys found
OK
The "gpg: no ultimately trusted keys found" warning means that gpg was not configured to ultimately trust a specific key. Trust settings are part of OpenPGPs Web-of-Trust which does not apply here. So there is no problem with this warning. In usual setups the users own key is ultimately trusted.)