http://security.debian.org lenny/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
as it turns out this is because GPG key expired
This key rollover is a normal maintenance task and was started in August 2010. For security reasons Debian’s archive signing keys regularly expire after three years.
update the keys by
sudo aptitude install debian-archive-keyring