Update server time before updating package list on init
= updating package list
  - [donkey.unstable.bitmask.net] Get:1 http://ftp.us.debian.org wheezy Release.gpg [2,390 B]
  - [donkey.unstable.bitmask.net] Get:2 http://ftp.us.debian.org wheezy Release [168 kB]
  - [donkey.unstable.bitmask.net] Get:3 http://security.debian.org wheezy/updates Release.gpg [1,554 B]
  - [donkey.unstable.bitmask.net] Get:4 http://security.debian.org wheezy/updates Release [102 kB]
  - [donkey.unstable.bitmask.net] Get:5 http://ftp.us.debian.org wheezy/main amd64 Packages [5,841 kB]
  - [donkey.unstable.bitmask.net] Get:6 http://security.debian.org wheezy/updates/main amd64 Packages [311 kB]
  - [donkey.unstable.bitmask.net] Fetched 6,426 kB in 2s (2,324 kB/s)
  - [donkey.unstable.bitmask.net] Reading package lists...
  - [donkey.unstable.bitmask.net] W: There is no public key available for the following key IDs:
  - [donkey.unstable.bitmask.net] 7638D0442B90D010
  - [donkey.unstable.bitmask.net] W: There is no public key available for the following key IDs:
  - [donkey.unstable.bitmask.net] 9D6D8F6BC857C906
= updating server time
Theoretically it's possible that an expired key isn't seen as such when first starting from an old(er) machine (image). (You could argue that a bug could have been fixed in a more up-to-date ntp-client.)
(from redmine: created on 2015-06-25)
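
One way to detect the stale-clock case described above before relying on apt's expiry checks is to compare the system clock with the `Date` and `Valid-Until` fields of a fetched Release file. This is an added example, not part of the original issue or of the project's code; the function names, the tolerance value and the sample Release header are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header (not taken from the log above).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: oldstable
Codename: wheezy
Date: Sat, 06 Jun 2015 10:04:42 UTC
Valid-Until: Sat, 13 Jun 2015 10:04:42 UTC
"""


def _parse_time(value):
    """Parse an RFC 2822 style timestamp; treat a missing zone as UTC."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def release_times(text):
    """Return (date, valid_until) from a Release file; valid_until may be None."""
    fields = {}
    for line in text.splitlines():
        # Skip continuation lines (the indented checksum lists) and blanks.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    if not fields.get("date"):
        raise ValueError("Release file has no Date field")
    until = fields.get("valid-until")
    return _parse_time(fields["date"]), _parse_time(until) if until else None


def clock_verdict(text, now, tolerance=timedelta(minutes=5)):
    """Classify the local clock (timezone-aware `now`) against a Release file."""
    date, valid_until = release_times(text)
    if now + tolerance < date:
        # The clock predates the archive's own timestamp, so any expiry
        # check made on this host would pass when it should not.
        return "clock-behind"
    if valid_until is not None and now > valid_until:
        return "release-expired"
    return "ok"


if __name__ == "__main__":
    print(clock_verdict(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

A `clock-behind` result on a freshly booted image means the time should be synchronised before the package list is trusted.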