Debian secure APT

The APT package management tool has a GPG signature checking system I keep forgeting how to configure in new Debian installs. This post is simply a reminder.

First step, get signature of official Debian repositories:

# wget - -O - | apt-key add -
# aptitude update

Then, if we have other (non-official) repositories, the “aptitude update” above will give us errors like:

W: GPG error: http:whatever Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXYYYYYYYY W: You may want to run apt-get update to correct these problems

It means that repository “http://whatever” has a signature that is not in the list of your trusted signatures. From the “XXXXXXXXYYYYYYYY” number, take the last 8 digits (the Ys), and do the following:

gpg --keyserver --recv-key YYYYYYYY

This downloads the PGP key of that repository (from a trusted site, like Then you have to add it to your list of trusted keys:

gpg -a --export YYYYYYYY | apt-key add -

This last bit will output “gpg: no ultimately trusted keys found”, followed by an “OK”. You can safely ignore the warning. The procedure worked.

The info has been taken from the Debian Wiki.

1 Comment »

  1. Compiz Fusion under Debian Lenny on my laptop « handyfloss said,

    November 26, 2007 @ 13:58 pm

    […] and I (of course) got an error telling me that some signatures couldn’t be verified (read my own article about secure APT and/or the wonderful Debian wiki to know more). I think the key is 11F6E468, and it corresponds to […]

RSS feed for comments on this post · TrackBack URI

Leave a Comment