GNU/Linux Desktop Survival Guide
by Graham Williams

Package Archive Signatures

The apt tool supports signing of the Release file to ensure the integrity of the archive. The signature is a detached one, held in Release.gpg (newer archives also ship an InRelease file, which carries the same data with the signature inline). The Release file is signed with the archive maintainer's private key, and clients use the matching public key to verify that signature. Because Release records the hash and size of every Packages index, and each Packages entry records the hash and size of its .deb, one valid signature on Release vouches for every file in the archive: apt verifies Release.gpg first, then checks each index and each package against the hashes recorded one level above it.
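As an added example (not code from the Survival Guide or from apt itself), the following script builds a constructed two-package archive, records hashes the way Release and Packages do, and walks the chain from Release down to the .deb files; it then alters one package and shows the walk failing. Verification of Release.gpg itself is left to gpg, as apt does; the archive layout, package names and file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Survival Guide: a minimal check of the hash chain
# that a signed Release file anchors. Release lists the SHA256 and size of each
# Packages index; each Packages stanza lists the SHA256 and size of a .deb.
# Signature checking of Release.gpg is left to gpg, as apt does; this script
# only walks the chain below it. Every file here is constructed for the demo.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# Build a tiny archive under $1 with two fake packages and consistent hashes.
make_archive() {
    dir=$1
    mkdir -p "$dir/pool" "$dir/dists/stable/main/binary-amd64"
    printf 'fake contents of hello\n' > "$dir/pool/hello_1.0_amd64.deb"
    printf 'fake contents of world\n' > "$dir/pool/world_2.0_amd64.deb"
    pk="$dir/dists/stable/main/binary-amd64/Packages"
    : > "$pk"
    for deb in hello_1.0_amd64.deb world_2.0_amd64.deb; do
        f="$dir/pool/$deb"
        {
            echo "Package: ${deb%%_*}"
            echo "Filename: pool/$deb"
            echo "Size: $(size_of "$f")"
            echo "SHA256: $(sha256_of "$f")"
            echo
        } >> "$pk"
    done
    # The SHA256: block of Release: one " <hash> <size> <path>" line per index.
    {
        echo "Suite: stable"
        echo "SHA256:"
        echo " $(sha256_of "$pk") $(size_of "$pk") main/binary-amd64/Packages"
    } > "$dir/dists/stable/Release"
}

# Compare a file with the hash ($2) and size ($3) recorded one level up the chain.
check_file() {
    [ -f "$1" ] || { echo "MISSING  $1"; return 1; }
    if [ "$(size_of "$1")" = "$3" ] && [ "$(sha256_of "$1")" = "$2" ]; then
        echo "OK       $1"
    else
        echo "MISMATCH $1"; return 1
    fi
}

# Walk Release -> Packages -> .deb. Returns 1 as soon as any link is broken,
# which is the point at which apt would refuse to use the archive.
verify_archive() {
    dir=$1
    awk '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0} s {print $1, $2, $3}' \
        "$dir/dists/stable/Release" |
    while read -r hash size path; do
        idx="$dir/dists/stable/$path"
        check_file "$idx" "$hash" "$size" || exit 1
        # RS= puts awk in paragraph mode: one record per stanza, fields split
        # on any whitespace, so a "Field:" token is followed by its value.
        awk -v RS= '{ fn=sz=sh="";
            for (i=1; i<=NF; i++) {
                if ($i=="Filename:") fn=$(i+1);
                if ($i=="Size:")     sz=$(i+1);
                if ($i=="SHA256:")   sh=$(i+1) }
            print fn, sz, sh }' "$idx" |
        while read -r fn sz sh; do
            check_file "$dir/$fn" "$sh" "$sz" || exit 1
        done || exit 1
    done
}

# Demo: verify the constructed archive, then alter one .deb and verify again.
demo() {
    work=$(mktemp -d)
    make_archive "$work"
    verify_archive "$work" || { rm -rf "$work"; return 1; }
    echo 'backdoor' >> "$work/pool/hello_1.0_amd64.deb"
    if verify_archive "$work"; then
        echo "BUG: tampering not detected"; rm -rf "$work"; return 1
    fi
    echo "tampered package rejected, as intended"
    rm -rf "$work"
}
demo
```

This walk is what apt performs after it has verified Release.gpg, which is why a single signature on Release is enough, and why someone who can alter files on a mirror but cannot sign Release gains nothing from it.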

You might get the following from an apt-get command:

  W: GPG error: ftp://ftp.nerim.net unstable Release: The following 
  signatures couldn't be verified because the public key is not 
  available: NO_PUBKEY 07DC563D1F41B907

You can go ahead and install packages but you will get messages like:

  WARNING: The following packages cannot be authenticated!
  Install these packages without verification [y/N]?

Interacting with the apt-key system is simple, with just four commands: list, add, del, update (plus adv, which passes its arguments straight to gpg). The list command lists the public keys that are currently accepted. The add command adds a public key, and that is the one we need first. Note that apt-key is deprecated in current Debian and Ubuntu releases: keys are now placed as files in /etc/apt/trusted.gpg.d/, or, better, in a keyring named by the Signed-By option of the individual sources entry, so that a key vouches only for the archive it belongs to rather than for every configured archive.

To obtain and install the key, identify it by the 16-character key ID that apt-get reported (07DC563D1F41B907 above). The last 8 characters form the short ID that older instructions use, but short IDs are easy to collide (a key with any chosen 8-character ID can be generated in seconds), so prefer the long ID or, better still, the full fingerprint, and confirm that fingerprint against something you trust (the archive's web page or a signed announcement) before adding the key: a keyserver only stores keys, it does not vouch for who owns them.

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 07DC563D1F41B907

Equivalently, the same can be done in two explicit steps: fetch the key into a gpg keyring, then export it and hand it to apt-key:

  $ gpg --keyserver keyserver.ubuntu.com --recv-keys 07DC563D1F41B907
  $ gpg --armor --export 07DC563D1F41B907 | sudo apt-key add -

The warning should no longer appear (at least for this key and repository).

We can list the keys and delete keys as desired:

  $ apt-key list
  $ sudo apt-key del 1F41B907

You may have an issue with a locally managed archive that is not signed. Even though the AVAIL command will show that the local archive has preference when a package is available from several archives, an authenticated archive will always be used in preference to an unauthenticated one. Two solutions are possible. One is to tell wajig not to prefer authenticated archives by using the --noauth option (this allows packages from unauthenticated archives to be installed without the prompt above, so use it only when you trust every configured source):

  $ wajig --noauth distupgrade

The other option is to sign your Release files. Using wajig's MOVE command (which runs apt-move) requires some setting up to have the Release.gpg file created. First, tell apt-move in its configuration file /etc/apt-move.conf to maintain both uncompressed and gzip-compressed Packages files, a requirement of the current apt version (the key apt-move should sign with is named in the same file; see the apt-move man page):

  PKGCOMP='none gzip'

Then ensure the secret key (here Kayon Toga's) is available to the root user that runs the apt-move command. Be clear about what this sets up: the steps below leave an unprotected copy of the key in root's keyring, so a dedicated archive-signing key, or a separate signing subkey, is preferable to reusing a personal key. You can export the secret key (do this carefully, and delete the export file once it has been imported) with:

  $ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp

Then add this to root's keyring (and afterwards remove ktskexp, for example with shred -u):

  # gpg --import ktskexp

Now remove the passphrase so that the file can be signed in batch mode (required when apt-move runs unattended). At the prompt enter an empty passphrase, confirm it, and then save the change:

  # gpg --edit-key Kayon.Toga@togaware.com
  Command> passwd
  Command> save

So now apt-move can sign the Release file unattended. The cost is that the key is now protected only by the file permissions on root's keyring: anyone who gains root on that host can sign Release files that every client of your archive will trust, so guard that host as carefully as the archive itself.
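As an added example (not code from the Survival Guide or from apt-move), the script below produces the same artefact apt-move does, a detached ASCII-armoured Release.gpg signed in batch mode, but with a dedicated archive-signing key generated without a passphrase in its own GNUPGHOME, rather than a personal key with its passphrase stripped. It then verifies the signature from a separate keyring holding only the exported public key, as a client would, and shows a tampered Release being rejected. The user ID, directory names and Release contents are made up.

```shell
#!/bin/sh
# Added example, not from the Survival Guide or apt-move: unattended detached
# signing of a Release file with a dedicated, passphrase-less archive-signing
# key kept in its own GNUPGHOME, verified from a client keyring that holds only
# the exported public key. User ID, paths and file contents are made up.
set -eu

# Generate the signing key non-interactively. %no-protection creates it without
# a passphrase, which is what lets gpg --batch sign with nobody at the keyboard.
make_signing_key() {
    home=$1 email=$2
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Example Archive Signing Key
Name-Email: $email
Expire-Date: 2y
%commit
EOF
    # Publish only the public half: this is what clients add with apt-key or
    # drop into /etc/apt/trusted.gpg.d/.
    gpg --homedir "$home" --batch --quiet --armor --export "$email" \
        > "$home/archive-key.asc"
}

# Sign Release -> Release.gpg in batch mode; --yes overwrites an old signature.
sign_release() {
    home=$1 email=$2 release=$3
    gpg --homedir "$home" --batch --yes --quiet -u "$email" \
        --armor --detach-sign --output "$release.gpg" "$release"
}

# Client-side keyring containing nothing but the archive's public key.
make_client_keyring() {
    home=$1 keyfile=$2
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keyfile"
}

# Exit status 0 only if Release.gpg is a good signature over Release made by a
# key in the client keyring. --trust-model always silences the "not certified"
# warning for an uncertified key; it does not weaken the signature check.
verify_release() {
    home=$1 release=$2
    gpg --homedir "$home" --batch --quiet --trust-model always \
        --verify "$release.gpg" "$release"
}

# Demo: sign a constructed Release, verify it, tamper with it, verify again.
demo() {
    work=$(mktemp -d)
    email="archive-signing@example.invalid"   # made-up user ID
    printf 'Suite: stable\nSHA256:\n 0000 0 main/binary-amd64/Packages\n' \
        > "$work/Release"
    make_signing_key "$work/signer" "$email"
    sign_release "$work/signer" "$email" "$work/Release"
    make_client_keyring "$work/client" "$work/signer/archive-key.asc"
    verify_release "$work/client" "$work/Release" ||
        { echo "signature check failed"; rm -rf "$work"; return 1; }
    echo "Release.gpg verifies against the published key"
    echo "Suite: tampered" >> "$work/Release"
    if verify_release "$work/client" "$work/Release"; then
        echo "BUG: tampered Release accepted"; rm -rf "$work"; return 1
    fi
    echo "tampered Release rejected, as intended"
    rm -rf "$work"
}
demo
```

Keeping the signing key in its own GNUPGHOME, readable only by the account that runs apt-move, limits what an unprotected key exposes: it can sign Release files and nothing else, and it can be revoked and replaced without touching anyone's personal key. Rotating it is then a matter of generating a new key, publishing archive-key.asc, and re-signing.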

Further explanation is available from http://wiki.debian.org/SecureApt.

Copyright © 1995-2019 Togaware Pty Ltd