GNU/Linux Desktop Survival Guide
by Graham Williams
Archive Signatures and Keys
20191217 The apt tool supports signing of a repository's Release file to ensure the integrity of a Debian/Ubuntu archive. The signature is contained in Release.gpg. The Release file is signed using a private key, and the corresponding public key is then used to verify that the signature is correct.
The following from an apt-get command is often the first sign of a missing key:
W: GPG error: ftp://ftp.nerim.net unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
Packages can still be installed but messages like the following will be displayed:
WARNING: The following packages cannot be authenticated!
  most
Install these packages without verification [y/N]?
Interacting with the apt-key command is simple, with just a few sub-commands: list, add, del, update. The list command will list the public keys that are currently accepted and the add command allows a public key to be added. The key itself needs to be downloaded from a key server using gpg.
To download a key and install it locally, the single adv command can be utilised (the key can be identified using the last 8 characters of the id that apt-get reports that it cannot verify):
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 1F41B907
A more explicit specification of the keyserver may sometimes be required, often due to firewall restrictions:
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 1F41B907
Underneath, the following three steps are undertaken:
$ gpg --keyserver keyring.debian.org --recv-key 1F41B907
$ gpg --armor --export 1F41B907 | sudo apt-key add -
The warning report should now disappear (at least for this key/repository).
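An 8-character ID is only the tail of a key's fingerprint, so a downloaded key can be checked against the full 16-character ID from the apt warning before it is added. The following is an added example, not part of the original guide: the function names and both key listings are constructed for illustration, and the listing format assumed is the one printed by gpg --show-keys --with-colons FILE.

```shell
#!/bin/sh
# Added example (not from the original guide). All sample data is constructed.

# Extract each full 16-character key ID that apt reports after NO_PUBKEY.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{ print $2 }' | sort -u
}

# Read a `gpg --with-colons` key listing on stdin; succeed only if an "fpr"
# record (fingerprint in field 10) ends with the full 16-character ID in $1.
fingerprint_matches() {
    awk -F: -v want="$1" '
        $1 == "fpr" && length($10) >= 16 &&
        toupper(substr($10, length($10) - 15)) == toupper(want) { found = 1 }
        END { exit !found }'
}

# The warning line shown earlier on this page.
APT_WARNING="W: GPG error: ftp://ftp.nerim.net unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907"

# Constructed listing whose fingerprint ends with the full ID apt asked for.
GOOD_KEY='pub:-:4096:1:07DC563D1F41B907:1262304000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456707DC563D1F41B907:'
# Constructed listing that shares only the last 8 characters (1F41B907).
LOOKALIKE_KEY='pub:-:4096:1:AAAAAAAA1F41B907:1262304000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA98AAAAAAAA1F41B907:'

# Report whether a listing ($2) carries the key apt asked for ($1).
check_key() {
    if printf '%s\n' "$2" | fingerprint_matches "$1"; then
        echo "match"
    else
        echo "mismatch"
    fi
}

WANTED=$(printf '%s\n' "$APT_WARNING" | missing_key_ids)
echo "apt wants:     $WANTED"
echo "good key:      $(check_key "$WANTED" "$GOOD_KEY")"
echo "lookalike key: $(check_key "$WANTED" "$LOOKALIKE_KEY")"
```

On a real system the listing would come from the exported key file rather than from the constructed strings, and the key would be passed to apt-key add only after the check reports a match.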
To list the keys and to delete keys if desired:
$ apt-key list
$ sudo apt-key del 1F41B907