Debian secure APT
Posted by isilanes on April 13, 2006
The APT package management tool has a GPG signature checking system I keep forgeting how to configure in new Debian installs. This post is simply a reminder.
First step, get signature of official Debian repositories:
# wget -http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
# aptitude update
Then, if we have other (non-official) repositories, the “aptitude update” above will give us errors like:
W: GPG error: http:whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY W: You may want to run apt-get update to correct these problems
It means that repository “http://whatever” has a signature that is not in the list of your trusted signatures. From the “XXXXXXXXYYYYYYYY” number, take the last 8 digits (the Ys), and do the following:
gpg --keyserver pgpkeys.mit.edu --recv-key YYYYYYYY
This downloads the PGP key of that repository (from a trusted site, like mit.edu). Then you have to add it to your list of trusted keys:
gpg -a --export YYYYYYYY | apt-key add -
This last bit will output “gpg: no ultimately trusted keys found”, followed by an “OK”. You can safely ignore the warning. The procedure worked.
The info has been taken from the Debian Wiki.
This entry was posted on April 13, 2006 at 5:09 pm and is filed under Free software and related beasts. Tagged: debian, en, floss/linux, security, Software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.