Debian secure APT
The APT package management tool has a GPG signature checking system I keep forgetting how to configure in new Debian installs. This post is simply a reminder.
First step, get the signing key of the official Debian repositories:
# wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
# aptitude update
Then, if we have other (non-official) repositories, the “aptitude update” above will give us errors like:
W: GPG error: http:whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY
W: You may want to run apt-get update to correct these problems
It means that repository “http://whatever” is signed with a key that is not in your list of trusted keys. From the “XXXXXXXXYYYYYYYY” number, take the last 8 digits (the Ys), and do the following:
gpg --keyserver pgpkeys.mit.edu --recv-key YYYYYYYY
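This downloads the PGP key of that repository (from a trusted site, like mit.edu). The keyserver only stores keys that people upload and does not verify who owns them, and an 8-digit ID is not unique, so compare the downloaded key's full fingerprint with the one published by the repository's maintainers before going on. Then you have to add it to your list of trusted keys: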
gpg -a --export YYYYYYYY | apt-key add -
This last bit will output “gpg: no ultimately trusted keys found”, followed by an “OK”. You can safely ignore the warning. The procedure worked.
The info has been taken from the Debian Wiki.
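An added example (not from the original post or the Debian Wiki): a shell helper that pulls the NO_PUBKEY IDs out of the update output and checks that a key's full fingerprint ends in the 16-digit ID APT reported, instead of relying on the 8-digit short ID alone. The function names and the sample output are constructed, and the fingerprint check assumes a version 4 OpenPGP key.

```shell
#!/bin/sh
# Added example; all names and sample values below are constructed.

# Read apt/aptitude update output on stdin and print each distinct
# 16-hex-digit key ID that follows NO_PUBKEY, upper-cased, one per line.
missing_keys() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{ print toupper($2) }' | sort -u
}

# Short ID as used in the post: the last 8 hex digits of the long ID.
short_id() {
    printf '%s\n' "$1" | sed 's/^.*\(........\)$/\1/'
}

# Succeed only if $1 is a 40-hex-digit fingerprint (spaces or colons
# allowed) whose last 16 digits equal the long key ID in $2.
# Assumption: version 4 OpenPGP key, where the key ID is the tail of
# the fingerprint.
fingerprint_matches() {
    fpr=$(printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF')
    id=$(printf '%s' "$2" | tr 'abcdef' 'ABCDEF')
    printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$' || return 1
    printf '%s' "$id" | grep -Eq '^[0-9A-F]{16}$' || return 1
    case "$fpr" in
        *"$id") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: two repositories, one key reported twice.
SAMPLE_OUTPUT='W: GPG error: http://repo-a.example Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY 0123456789abcdef
W: GPG error: http://repo-b.example Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF NO_PUBKEY FEDCBA9876543210'

# Constructed fingerprint, in the spaced form that gpg --fingerprint prints.
SAMPLE_FPR='AAAA BBBB CCCC DDDD EEEE  FFFF 0123 4567 89AB CDEF'

printf '%s\n' "$SAMPLE_OUTPUT" | missing_keys | while read -r id; do
    if fingerprint_matches "$SAMPLE_FPR" "$id"; then
        echo "$id (short $(short_id "$id")): fingerprint tail matches"
    else
        echo "$id (short $(short_id "$id")): no match, do not add this key"
    fi
done
```

A matching tail only shows that the fetched key is the one APT asked for; whether that key really belongs to the repository still has to be checked against a fingerprint the maintainers publish.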
Compiz Fusion under Debian Lenny on my laptop « handyfloss said,
November 26, 2007 @ 13:58 pm
[…] and I (of course) got an error telling me that some signatures couldn’t be verified (read my own article about secure APT and/or the wonderful Debian wiki to know more). I think the key is 11F6E468, and it corresponds to […]