Debian secure APT

The APT package management tool has a GPG signature checking system I keep forgeting how to configure in new Debian installs. This post is simply a reminder.

First step, get signature of official Debian repositories:

# wget -http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
# aptitude update

Then, if we have other (non-official) repositories, the "aptitude update" above will give us errors like:

W: GPG error: http:whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY W: You may want to run apt-get update to correct these problems

It means that repository "http://whatever" has a signature that is not in the list of your trusted signatures. From the "XXXXXXXXYYYYYYYY" number, take the last 8 digits (the Ys), and do the following:

gpg --keyserver pgpkeys.mit.edu --recv-key YYYYYYYY

This downloads the PGP key of that repository (from a trusted site, like mit.edu). Then you have to add it to your list of trusted keys:

gpg -a --export YYYYYYYY | apt-key add -

This last bit will output "gpg: no ultimately trusted keys found", followed by an "OK". You can safely ignore the warning. The procedure worked.

The info has been taken from the Debian Wiki.

One thought on “Debian secure APT

  1. Pingback: Compiz Fusion under Debian Lenny on my laptop « handyfloss

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe without commenting