GNU/Linux Desktop Survival Guide by Graham Williams
Package Archive Signatures
Version 0.6 of the apt tools began supporting signatures on the Release file to ensure the integrity of the archive. The signature is contained in Release.gpg. The Release file is signed using a private key, and the corresponding public key is then used to check that the signature is correct.
You might get the following from an apt-get command:
W: GPG error: ftp://ftp.nerim.net unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
You can go ahead and install packages but you will get messages like:
WARNING: The following packages cannot be authenticated!
  most
Install these packages without verification [y/N]?
Interacting with the apt-key system is simple, with just four commands: list, add, del, update. The list command will list the public keys that are currently accepted. The add command allows you to add a public key. This is the one we need first.
To obtain and install the key:
$ gpg --keyserver keyring.debian.org --recv-key 1F41B907
$ gpg --armor --export 1F41B907 | sudo apt-key add -
apt-get should now no longer report an authentication warning (at least for this key).
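The two mechanical steps behind the warnings above, as an added example (not code from the Survival Guide): extracting the key ids that apt reports as NO_PUBKEY, and checking index files against the digests a signed Release file records. Release.gpg signs Release, and Release lists a digest and size for every index file (Packages, Sources, and so on), which is how one signature covers the whole archive. The Packages index and Release file below are constructed samples built by the script itself; the helper names are my own.

```python
"""Extract NO_PUBKEY key ids from apt output and verify index files against
the digests recorded in a Release file.  Added example, not code from the
Survival Guide; the archive contents are constructed samples."""
import hashlib
import re

# Release digest sections and the hashlib algorithm each one uses.
ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# apt prints the 16-hex-digit long key id; the recv-key step on the page
# uses the 8-digit short id, which is simply the last 32 bits of it.
NO_PUBKEY_RE = re.compile(r"NO_PUBKEY ([0-9A-Fa-f]{16})")

# Constructed Packages index for a one-package local archive (the package
# name is the one from the "cannot be authenticated" warning above).
PACKAGES = b"""Package: most
Version: 4.10.2-1
Architecture: i386
Filename: pool/main/m/most/most_4.10.2-1_i386.deb
Size: 12345
MD5sum: 00000000000000000000000000000000
Description: Pager program similar to more and less

"""


def missing_key_ids(apt_output):
    """Return [(long_id, short_id)] for every NO_PUBKEY in apt's output.
    Short ids are only 32 bits and can collide, so compare the full
    fingerprint of a fetched key before handing it to apt-key add."""
    return [(k.upper(), k.upper()[-8:]) for k in NO_PUBKEY_RE.findall(apt_output)]


def make_release(indexes):
    """Build a minimal Release file for {relative_path: bytes}: header
    fields, then one digest section per algorithm with lines of the form
    ' <hexdigest> <size> <path>'.  This is what an archive tool generates
    before the file is signed into Release.gpg."""
    lines = ["Origin: local", "Label: local", "Suite: unstable",
             "Architectures: i386", "Components: main"]
    for field, algo in ALGOS.items():
        lines.append(f"{field}:")
        for path, data in sorted(indexes.items()):
            digest = hashlib.new(algo, data).hexdigest()
            lines.append(f" {digest} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Parse the digest sections of a Release file into
    {field: {path: (hexdigest, size)}}; other header fields are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            field = line.partition(":")[0].strip()
            current = field if field in ALGOS else None
            if current:
                sections[current] = {}
        elif current:
            digest, size, path = line.split()
            sections[current][path] = (digest.lower(), int(size))
    return sections


def verify_index(release_text, path, data, field="SHA256"):
    """True if `data` matches the digest and size recorded for `path` in the
    given section, False on a mismatch.  A path the Release file does not
    list raises KeyError: an unlisted index is outside the signature's
    coverage and must not be trusted merely because it is present."""
    digest, size = parse_release(release_text)[field][path]
    actual = hashlib.new(ALGOS[field], data).hexdigest()
    return len(data) == size and actual == digest


if __name__ == "__main__":
    warning = ("W: GPG error: ftp://ftp.nerim.net unstable Release: The following "
               "signatures couldn't be verified because the public key is not "
               "available: NO_PUBKEY 07DC563D1F41B907")
    print(missing_key_ids(warning))                  # [('07DC563D1F41B907', '1F41B907')]
    release = make_release({"main/binary-i386/Packages": PACKAGES})
    ok = verify_index(release, "main/binary-i386/Packages", PACKAGES)
    # Same length, one byte changed: the size matches but the digest does not.
    tampered = PACKAGES.replace(b"Size: 12345", b"Size: 12346")
    bad = verify_index(release, "main/binary-i386/Packages", tampered)
    print(ok, bad)                                   # True False
```

The signature check on Release itself is left to gpg (or gpgv, which apt uses); what this script shows is the link that follows it, and why a tampered or unlisted index is rejected even when the Release signature is good.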
You may have an issue with a locally managed archive that is not signed. Even though the AVAIL command will show that the local archive takes preference when a package is available from multiple archives, an authenticated (signed) archive will always be used in preference to an unsigned one. Two solutions are possible. One is to tell wajig not to prefer authenticated archives by using the --noauth option.
$ wajig --noauth distupgrade

PKGCOMP='none gzip'
SIGNINGKEY=Kayon.Toga@togaware.com

$ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp

# gpg --import ktskexp

# gpg --edit Kayon.Toga@togaware.com
Command> passwd
Further explanation is available from http://wiki.debian.org/SecureApt.
Copyright © 1995-2006 Graham.Williams@togaware.com