6.42 Archive Signatures and Keys
20191217
The apt tool supports signing of a
repository’s Release
file to ensure the integrity of a
Debian/Ubuntu archive. The signature is contained in
Release.gpg
. The Release file is signed using a private key,
and a public key is then used to ensure the signature is correct.
The following from an apt-get command is often the first sign of a missing key:
W: GPG error: ftp://ftp.nerim.net unstable Release: The following
signatures couldn't be verified because the public key is not
available: NO_PUBKEY 07DC563D1F41B907
Packages can still be installed but messages like the following will be displayed:
WARNING: The following packages cannot be authenticated!
most
Install these packages without verification [y/N]?
Interacting with the -, apt, key command is simple, with just
a few sub-commands: list
, add
, del
,
update
. The list
command will list the public keys
that are currently accepted and the add
command allows a
public key to be added. The key itself needs to be downloaded from a
key server using gpg.
To download a key and install it locally the single adv
command can be utilised (the key can be identified using the last 8
characters of the id that apt-get reports that it can not verify):
A more explicit specification of the keyserver may sometimes be required, often due to firewall restrictions:
Underneath the following three steps are undertaken:
$ gpg --keyserver keyring.debian.org --recv-key 1F41B907
$ gpg --armor --export 1F41B907 | sudo apt-key add -
The warning report should now disappear (at least for this key/repository).
To list the keys and to delete keys if desired:
Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0