Using the GPG signature checking with apt 0.6
Posted by Steve on Fri 1 Jul 2005 at 02:00
If you're running a Debian Unstable installation you'll likely have noticed that new package installations, and upgrades, are now prompting for confirmation - warning about package checking. This is because the most recent version of APT supports checking package signatures with GPG.
GNU Privacy Guard is a popular public-key encryption package, which amongst other things allows signatures to be made of files. These signatures allows people to detect tampering, due to either malicious actions or network errors, in much the same way as hashes such as MD5 and SHA-1 do.
This change has been a long time coming, since the original announcement in 2004.
The most recent versions of the apt package support testing all downloaded packages to make sure their signatures are valid.
This is a useful thing, as it provides reasonable certainty that the packages you're downloading are the packages you were intended to get.
If you're in this situation you'll see a prompt such as this one when installing packages, or performing upgrades:
skx@mystery:~$ sudo apt-get install pyzor Reading package lists... Done Building dependency tree... Done The following extra packages will be installed: python-gdbm python2.3-gdbm The following NEW packages will be installed: python-gdbm python2.3-gdbm pyzor 0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded. Need to get 69.1kB of archives. After unpacking 229kB of additional disk space will be used. Do you want to continue [Y/n]? y WARNING: The following packages cannot be authenticated! python2.3-gdbm python-gdbm pyzor Install these packages without verification [y/N]? y
You have a couple of choices when you see this notice:
- Accept the prompt as a distraction or annoyance and proceed to install them without checking.
- Install the appropriate key to make sure the packages you've downloaded are as intended.
If you decide that you don't care to validate your packages you've can either answer "y" to ignore the warning, or use one of the new options:
apt-get --allow-unauthenticated install packagename
If you don't wish to add this flag each time you can store the following text inside /etc/apt/apt.conf (creating that file if it's missing):
APT::Get::AllowUnauthenticated 1 ;
If you do wish to avoid potential corruption, or malicious uploads then you need to have two things:
- The gnupg package installed.
- The relevent public key for testing against.
If you don't have the security software you can install it as follows:
apt-get install gnupg
Once that's done you can either download the public key by running:
root@mystery:~# gpg --keyserver keyring.debian.org --recv 4F368D5D gpg: directory `/root/.gnupg' created gpg: new configuration file `/root/.gnupg/gpg.conf' created gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/root/.gnupg/secring.gpg' created gpg: keyring `/root/.gnupg/pubring.gpg' created gpg: requesting key 4F368D5D from hkp server keyring.debian.org gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 4F368D5D: public key "Debian Archive Automatic Signing Key (2005) email@example.com" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file "ziyi_key_2005.asc".
Download this and import it as follows:
root@mystery:~# cat ziyi_key_2005.asc | gpg --import
Once this is imported to the root's keyring APT will use it when installing packages, as you can see with this example:
root@mystery:~# apt-get install tcpflow Reading package lists... Done Building dependency tree... Done The following extra packages will be installed: libpcap0.7 Suggested packages: tcpdump The following NEW packages will be installed: libpcap0.7 tcpflow 0 upgraded, 2 newly installed, 0 to remove and 5 not upgraded. Need to get 93.2kB of archives. After unpacking 287kB of additional disk space will be used. Do you want to continue [Y/n]? Get:1 http://http.us.debian.org unstable/main libpcap0.7 0.7.2-7 [69.8kB] Get:2 http://http.us.debian.org unstable/main tcpflow 0.21-6 [23.5kB] Fetched 93.2kB in 2s (39.7kB/s) Selecting previously deselected package libpcap0.7. (Reading database ... 69624 files and directories currently installed.) Unpacking libpcap0.7 (from .../libpcap0.7_0.7.2-7_i386.deb) ... Selecting previously deselected package tcpflow. Unpacking tcpflow (from .../tcpflow_0.21-6_i386.deb) ... Setting up libpcap0.7 (0.7.2-7) ... Setting up tcpflow (0.21-6) ...
Package names for these examples chosen completely at random!
(At a later time we may explain exactly what GPG is, and how it's a good thing).