GNU/Linux Desktop Survival Guide
by Graham Williams

Package Archive Signatures


Version 0.6 of the apt tools introduced support for signing the Release file to ensure the integrity of an archive. The signature is stored in Release.gpg. The Release file is signed with a private key, and the corresponding public key is then used to verify that the signature is correct.

You might get the following from an apt-get command:

  W: GPG error: ftp://ftp.nerim.net unstable Release: The following 
  signatures couldn't be verified because the public key is not 
  available: NO_PUBKEY 07DC563D1F41B907

You can go ahead and install packages but you will get messages like:

  WARNING: The following packages cannot be authenticated!
    most
  Install these packages without verification [y/N]?

You can still install, if you wish!

Interacting with the apt-key system is simple, with just four commands: list, add, del and update. The list command lists the public keys that are currently accepted, and the add command adds a public key. The add command is the one we need first.

To obtain and install the key (the key ID may be the last 8 characters of the ID that apt-get reports it cannot verify):

  $ gpg --keyserver keyring.debian.org --recv-key 1F41B907
  $ gpg --armor --export 1F41B907 | sudo apt-key add -

apt-get should now no longer report any authentication warnings (at least for this key).
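As an added example (not part of the original guide), the following Python parser reads the two apt-get messages quoted above, re-joins a message that has been wrapped across lines, extracts the 16-digit key ID behind each NO_PUBKEY and the 8-character short form the text refers to, and lists the packages apt could not authenticate. The sample output is constructed to mirror the messages above; it is not a real capture.

```python
import re

# Constructed sample mirroring the two apt-get messages quoted above (not a real
# capture); the first message is wrapped across lines the way the text shows it.
SAMPLE_OUTPUT = """\
W: GPG error: ftp://ftp.nerim.net unstable Release: The following
signatures couldn't be verified because the public key is not
available: NO_PUBKEY 07DC563D1F41B907
WARNING: The following packages cannot be authenticated!
  most
Install these packages without verification [y/N]?
"""

GPG_ERROR_RE = re.compile(r"^W: GPG error: (?P<uri>\S+) (?P<dist>\S+) Release: (?P<rest>.*)$")
NO_PUBKEY_RE = re.compile(r"NO_PUBKEY ([0-9A-Fa-f]{16})")
# Prefixes apt-get starts a message with; any other line is a wrapped continuation.
LINE_START_RE = re.compile(r"^(W:|E:|N:|WARNING:|Install |  \S)")


def _logical_lines(text):
    """Re-join messages that were wrapped across several physical lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if LINE_START_RE.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] += " " + line.strip()
    return out


def parse_apt_output(text):
    """Return the keys apt could not find and the packages it could not authenticate."""
    missing, unauth, in_warning = [], [], False
    for line in _logical_lines(text):
        m = GPG_ERROR_RE.match(line)
        if m:
            for keyid in NO_PUBKEY_RE.findall(m.group("rest")):
                missing.append({"source": f"{m.group('uri')} {m.group('dist')}",
                                "long_id": keyid.upper(),         # 16 hex digits, as apt prints it
                                "short_id": keyid[-8:].upper()})  # last 8 characters, as in the text
        # Package names follow the WARNING line, indented; the next unindented line ends the list.
        in_warning = line.startswith("WARNING: The following packages cannot be authenticated") or (
            in_warning and line.startswith("  "))
        if in_warning and line.startswith("  "):
            unauth.extend(line.split())
    return {"missing_keys": missing, "unauthenticated": unauth}
```

Prefer the full 16-digit ID over the 8-character form when fetching from a keyserver, since short IDs are easy to collide; after the fetch, compare the key's fingerprint against the one the archive publishes before passing it to apt-key.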

You may have an issue with a locally managed archive that is not signed. Even though the AVAIL command will show that the local archive has preference when a package is available from multiple archives, an authenticated archive will always be used in preference. Two solutions are possible. One is to tell wajig not to prefer authenticated archives by using the --noauth option:

  $ wajig --noauth distupgrade

The other option is to sign your Release files. Using wajig's MOVE command requires some setting up before the Release.gpg file is created. First, tell apt-move to create the file (and also to maintain both compressed and uncompressed Packages files, a requirement of the current apt version) in the configuration file /etc/apt-move.conf:

  PKGCOMP='none gzip'
  SIGNINGKEY=Kayon.Toga@togaware.com

Then ensure that Kayon Toga's secret key is available to the root user who runs the apt-move command. You can export the secret key (do this carefully, as the exported file contains the private key) with:

  $ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp

Then add this to root's keys:

  # gpg --import ktskexp

Now remove any passphrase so that the file can be signed in batch mode (required when running apt-move):

  # gpg --edit-key Kayon.Toga@togaware.com
  Command> passwd

So now apt-move can sign the Release file unattended.

Further explanation is available from http://wiki.debian.org/SecureApt.

Copyright © 1995-2014 Togaware Pty Ltd