Package Archive Signatures
Version 0.6 of the apt tools began supporting signing of the
Release file to ensure the integrity of the archive. The
signature is contained in Release.gpg. The Release file is
signed using a private key, and the matching public key is then used
to verify that the signature is correct.
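The signature only covers the Release file itself; what makes that enough to protect the archive is that Release lists the digests of every index file (Packages, Packages.gz and so on), so once `gpg --verify Release.gpg Release` succeeds, apt can check each index against that trusted list. The following script is an added example (not code from the wajig manual or from apt) that reproduces this second step with coreutils only, on a small archive constructed inline; the `make_release` and `release_hash_ok` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wajig manual: once apt has verified the
# Release.gpg signature over Release, it trusts the digest list inside
# Release and checks every index file (Packages, Packages.gz, ...) against
# it. This script reproduces that second step with coreutils only.
# The archive contents below are constructed for the demonstration.

set -u

# make_release DIR: write DIR/Release with a SHA256 section covering the
# Packages and Packages.gz indexes in DIR (layout mirrors a real Release,
# minus the fields this check does not use).
make_release() {
    dir=$1
    {
        printf 'Origin: Togaware\nSuite: unstable\nArchitectures: i386\n'
        printf 'SHA256:\n'
        for f in Packages Packages.gz; do
            sum=$(sha256sum "$dir/$f" | cut -d' ' -f1)
            size=$(wc -c < "$dir/$f" | tr -d ' ')
            printf ' %s %s %s\n' "$sum" "$size" "$f"
        done
    } > "$dir/Release"
}

# release_hash_ok RELEASE DIR FILE: find FILE in RELEASE's SHA256 section and
# compare the listed digest with the digest of DIR/FILE.
# Returns 0 on match, 1 on mismatch, 2 if RELEASE does not list FILE
# (an unlisted index must be treated as unverified, never as clean).
release_hash_ok() {
    release=$1 dir=$2 file=$3
    expected=$(awk -v f="$file" '
        /^[A-Za-z0-9]+:/ { insec = ($1 == "SHA256:"); next }
        insec && $3 == f { print $1 }' "$release")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$dir/$file" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Demonstration: build a tiny archive, confirm the index matches Release,
# then tamper with Packages and watch the check reject it.
DEMO=$(mktemp -d)
printf 'Package: most\nVersion: 5.0.0a-1\nArchitecture: i386\n' > "$DEMO/Packages"
gzip -c "$DEMO/Packages" > "$DEMO/Packages.gz"
make_release "$DEMO"
release_hash_ok "$DEMO/Release" "$DEMO" Packages && echo "Packages: digest matches Release"
printf 'Package: injected\n' >> "$DEMO/Packages"
release_hash_ok "$DEMO/Release" "$DEMO" Packages || echo "Packages: digest mismatch, index rejected"
```

The distinct return code for an unlisted file matters: a mirror that serves an index Release never mentions has not been covered by the signature at all, and apt treats such files as unauthenticated rather than silently accepting them.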
You might get the following from an apt-get command:
W: GPG error: ftp://ftp.nerim.net unstable Release: The following
signatures couldn't be verified because the public key is not
available: NO_PUBKEY 07DC563D1F41B907
You can go ahead and install packages but you will get messages like:
WARNING: The following packages cannot be authenticated!
most
Install these packages without verification [y/N]?
You can still install, if you wish!
Interacting with the apt-key system is simple, with just four
commands: list, add, del, update. The list command will list the
public keys that are currently accepted. The add command allows you to
add a public key. This is the one we need first.
To obtain and install the key:
$ gpg --keyserver keyring.debian.org --recv-key 1F41B907
$ gpg --armor --export 1F41B907 | sudo apt-key add -
This should now not report any authority warnings (for at least this
key).
You may have an issue with a locally managed archive that is not
signed. Even though the AVAIL command will show that the local
archive has preference when it comes to obtaining a package that is
available from multiple archives, an authenticated archive will always be
used in preference. Two solutions are possible. One is to tell
wajig not to prefer authenticated archives by using
the --noauth option.
$ wajig --noauth distupgrade
The other option is to sign your Release files. Using
wajig's MOVE command requires some setting up to have the
Release.gpg file created. First, tell
apt-move to create the file (and also to maintain both
compressed and uncompressed Packages files, a requirement of the
current apt version) in the configuration file
/etc/apt-move.conf:
Then ensure Kayon Toga's secret key is available to the
root user that runs the apt-move
command. You can export the secret key (but do this carefully) with:
Then add this to root's keys:
Now remove any passphrase so that the file can be signed in batch mode
(required when running apt-move):
So now apt-move can sign the Release file unattended.
Further explanation is available from
https://wiki.debian.org/SecureApt.
Copyright © 1995-2006 [email protected]