Debian secure APT
April 13th 2006
The APT package management tool has a GPG signature checking system I keep forgetting how to configure in new Debian installs. This post is simply a reminder.
First step, get the signing key of the official Debian repositories:
# wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
# aptitude update
Then, if we have other (non-official) repositories, the “aptitude update” above will give us errors like:
W: GPG error: http://whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY
W: You may want to run apt-get update to correct these problems
It means that repository “http://whatever” is signed with a key that is not in your list of trusted keys. From the “XXXXXXXXYYYYYYYY” number, take the last 8 digits (the Ys), and do the following:
gpg --keyserver pgpkeys.mit.edu --recv-key YYYYYYYY
This downloads the PGP key of that repository (from a trusted site, like mit.edu). Then you have to add it to your list of trusted keys:
gpg -a --export YYYYYYYY | apt-key add -
This last bit will output “gpg: no ultimately trusted keys found”, followed by an “OK”. You can safely ignore the warning. The procedure worked.
The info has been taken from the Debian Wiki.
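The procedure above as a script, with one extra check before the key is trusted (an added example, not code from the original post or from Debian). It pulls the key IDs out of the NO_PUBKEY warnings and runs apt-key add only if the fetched key's full fingerprint equals one you obtained from the repository owner, since an 8-digit ID identifies a key only weakly. The function names, sample warnings and key IDs are constructed, and it assumes the ID apt reports is the primary key's ID.

```sh
#!/bin/sh
# Added example, not from the original post. All key IDs are constructed.

# Constructed "aptitude update" warnings (one repository listed twice).
SAMPLE_APT_OUTPUT="W: GPG error: http://whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: http://other Release: The following ... NO_PUBKEY a1b2c3d4e5f60718
W: GPG error: http://whatever Release: The following ... NO_PUBKEY 0123456789ABCDEF"

# Print each distinct 16-digit key ID that apt reported as missing.
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]\{16\}' | awk '{ print toupper($2) }' | sort -u
}

# The "last 8 digits" the post tells you to take.
short_id() {
    printf '%s\n' "$1" | sed 's/^.*\(.\{8\}\)$/\1/'
}

# Normalise a fingerprint or key ID: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Succeed only if $1 is a 40-hex-digit fingerprint that ends in key ID $2.
fingerprint_matches() {
    fpr=$(norm_fpr "$1"); id=$(norm_fpr "$2")
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    case "$fpr" in *"$id") return 0 ;; *) return 1 ;; esac
}

# $1 = long ID from the NO_PUBKEY warning,
# $2 = fingerprint obtained out of band from the repository owner.
import_if_verified() {
    fingerprint_matches "$2" "$1" ||
        { echo "expected fingerprint does not end in $1" >&2; return 1; }
    gpg --keyserver pgpkeys.mit.edu --recv-key "$1" || return 1
    # In --with-colons output the fingerprint is field 10 of the "fpr" record.
    got=$(gpg --with-colons --fingerprint "$1" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$got" = "$(norm_fpr "$2")" ] ||
        { echo "fetched key has fingerprint $got, not trusting it" >&2; return 1; }
    # apt-key is the tool the post uses; current Debian releases deprecate it.
    gpg -a --export "$got" | apt-key add -
}
```

Source the file, then run `aptitude update 2>&1 | missing_key_ids` to list the IDs and call `import_if_verified` once per ID with the fingerprint you were given.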
Tags: Debian, en, FLOSS, security, software
1 Comment »

Compiz Fusion under Debian Lenny on my laptop « handyfloss on 26 Nov 2007 at 13:58 pm #
[...] and I (of course) got an error telling me that some signatures couldn’t be verified (read my own article about secure APT and/or the wonderful Debian wiki to know more). I think the key is 11F6E468, and it corresponds to [...]