GNU/Linux Desktop Survival Guide
by Graham Williams

Archive Signatures and Keys

20191217 The apt tool supports signing of a repository's Release file to ensure the integrity of a Debian/Ubuntu archive. The signature is contained in Release.gpg. The Release file is signed using a private key, and the corresponding public key is then used to verify the signature.

The following from an apt-get command is often the first sign of a missing key:

  W: GPG error: ftp://ftp.nerim.net unstable Release: The following 
  signatures couldn't be verified because the public key is not 
  available: NO_PUBKEY 07DC563D1F41B907

Packages can still be installed but messages like the following will be displayed:

  WARNING: The following packages cannot be authenticated!
    most
  Install these packages without verification [y/N]?

Interacting with the apt-key command is simple, with just a few sub-commands: list, add, del, update. The list command will list the public keys that are currently accepted and the add command allows a public key to be added. The key itself needs to be downloaded from a key server using gpg.

To download a key and install it locally, the single adv command can be utilised (the key can be identified using the last 8 characters of the ID that apt-get reports it cannot verify):

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 1F41B907

A more explicit specification of the keyserver may sometimes be required, often due to firewall restrictions:

  $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 1F41B907

Underneath, the following three steps are undertaken:

  $ gpg --keyserver keyring.debian.org --recv-key 1F41B907
  $ gpg --armor --export 1F41B907 | sudo apt-key add -

The warning report should now disappear (at least for this key/repository).

To list the keys and to delete keys if desired:

  $ apt-key list
  $ sudo apt-key del 1F41B907
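
The key IDs for the commands above can be pulled straight from apt's warnings. The following script is an added example, not part of the original guide: it extracts every NO_PUBKEY ID from apt-get update output and prints the matching apt-key adv command, passing the full 16-character ID rather than the last 8 because short IDs can collide between unrelated keys. The sample output is constructed, and the repository repo.example.invalid and key 0123456789ABCDEF in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): list the keys apt reports as missing.

# Constructed sample of `apt-get update` output. The first warning is the one
# quoted on this page; the second (hypothetical repository and key ID) splits
# NO_PUBKEY from its ID across a line break and repeats the first key.
sample_output() {
cat <<'EOF'
W: GPG error: ftp://ftp.nerim.net unstable Release: The following
signatures couldn't be verified because the public key is not
available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: http://repo.example.invalid stable Release: The following
signatures couldn't be verified because the public key is not available: NO_PUBKEY
0123456789ABCDEF NO_PUBKEY 07dc563d1f41b907
EOF
}

# Read apt output on stdin; print each distinct 16-hex-digit ID that follows a
# NO_PUBKEY token, upper-cased, in order of first appearance.
missing_keys() {
    tr -s '[:space:]' '\n' | awk '
        prev == "NO_PUBKEY" && length($0) == 16 && $0 !~ /[^0-9A-Fa-f]/ {
            id = toupper($0)
            if (!seen[id]++) print id
        }
        { prev = $0 }'
}

# Last 8 characters of a key ID: the short form used in the commands above.
short_id() {
    printf '%s\n' "$1" | sed 's/.*\(.\{8\}\)$/\1/'
}

# Print (do not run) one import command per missing key, using the full ID.
recv_commands() {
    missing_keys | while read -r id; do
        printf '# short ID: %s\n' "$(short_id "$id")"
        printf 'sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key %s\n' "$id"
    done
}

sample_output | recv_commands
```

After importing a key, apt-key finger lists the full fingerprint of each trusted key, which can be compared with the one the repository publishes. Newer apt releases mark apt-key as deprecated, so expect a deprecation warning there.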

Copyright © 1995-2020 Togaware Pty Ltd