Using GPG signature checking with apt 0.6

Posted by Steve on Fri 1 Jul 2005 at 02:00

If you're running a Debian Unstable installation you'll likely have noticed that new package installations, and upgrades, are now prompting for confirmation with a warning that packages cannot be authenticated. This is because the most recent version of APT (0.6) checks the archive's GPG signature before it will trust the packages it downloads.

GNU Privacy Guard is a popular public-key encryption package which, amongst other things, allows files to be signed. These signatures allow people to detect tampering, whether from malicious action or from network errors, in much the same way as hashes such as MD5 and SHA-1 do, with one important difference: anyone who alters a file can recompute its hash, but a signature can only be produced by the holder of the private key, so it proves who published the file as well as that it arrived intact.

This change has been a long time coming, since the original announcement in 2004.

The most recent versions of the apt package verify everything they download. Strictly speaking it is not the individual .deb files that carry a signature: the archive's Release file is signed (the detached signature sits beside it as Release.gpg), the Release file lists the checksum and size of each Packages index, and each Packages index lists the checksum and size of every .deb it describes. A valid signature on Release therefore vouches for every index and package fetched from that archive, which is why one check per apt-get run is enough and why you need an apt-get update after adding a key.

This is a useful thing, as it provides reasonable certainty that the packages you're downloading are the packages the Debian archive published, rather than something altered on a compromised mirror or on the way to you.
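
To make that chain concrete, here is an added Python example (not code from this article, and not apt's own implementation) that does what apt does once the signature on Release has been verified: it checks that the Packages index is the one the Release file lists, then that the .deb is the one the index lists, comparing both size and checksum at each hop. The Release text, Packages text and .deb bytes are constructed inline for the example; the GPG signature check on Release itself is left to GPG and assumed to have passed. MD5 is used because that is what Release files of the time carried; current apt relies on SHA256 instead.

```python
import hashlib

# Paths used by the constructed sample archive (shaped like a real Debian layout).
DEB_PATH = "pool/main/t/tcpflow/tcpflow_0.21-6_i386.deb"
INDEX_PATH = "main/binary-i386/Packages"


def parse_release_md5sums(release_text):
    """Return {path: (md5hex, size)} from the MD5Sum: section of a Release file.

    Entries are indented lines of the form " <md5> <size> <path>"; the section
    ends at the next unindented field.
    """
    sums = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                in_section = False
                continue
            md5hex, size, path = line.split()
            sums[path] = (md5hex, int(size))
    return sums


def parse_packages(packages_text):
    """Return {Filename: {field: value}} for every stanza in a Packages index."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line.startswith(" "):   # continuation of a multi-line field (long Description)
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        stanzas[fields["Filename"]] = fields
    return stanzas


def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes):
    """Emulate apt 0.6's trust chain after Release.gpg has been verified.

    Release -> Packages index -> .deb; size and MD5 must both match at each hop.
    Returns (ok, reason).
    """
    listed = parse_release_md5sums(release_text)
    if index_path not in listed:
        return False, "%s is not listed in Release" % index_path
    md5hex, size = listed[index_path]
    if len(index_bytes) != size or hashlib.md5(index_bytes).hexdigest() != md5hex:
        return False, "%s does not match the checksum in Release" % index_path
    stanzas = parse_packages(index_bytes.decode("utf-8"))
    if deb_path not in stanzas:
        return False, "%s is not described by %s" % (deb_path, index_path)
    stanza = stanzas[deb_path]
    if len(deb_bytes) != int(stanza["Size"]) or hashlib.md5(deb_bytes).hexdigest() != stanza["MD5sum"]:
        return False, "%s does not match the checksum in %s" % (deb_path, index_path)
    return True, "ok"


def build_sample():
    """Constructed Release/Packages/.deb trio (not real archive data) for the demo and tests."""
    deb = b"!<arch>\n" + b"stand-in for a .deb: constructed bytes, not a real package\n"
    packages = (
        "Package: tcpflow\n"
        "Version: 0.21-6\n"
        "Architecture: i386\n"
        "Filename: %s\n"
        "Size: %d\n"
        "MD5sum: %s\n"
        "Description: TCP flow recorder\n"
        "\n"
    ) % (DEB_PATH, len(deb), hashlib.md5(deb).hexdigest())
    index = packages.encode("utf-8")
    release = (
        "Origin: Debian\n"
        "Suite: unstable\n"
        "Architectures: i386\n"
        "Components: main\n"
        "MD5Sum:\n"
        " %s %d %s\n"
    ) % (hashlib.md5(index).hexdigest(), len(index), INDEX_PATH)
    return release, index, deb


if __name__ == "__main__":
    release, index, deb = build_sample()
    print(verify_chain(release, INDEX_PATH, index, DEB_PATH, deb))
    # A tampered package of the same size fails at the last hop:
    print(verify_chain(release, INDEX_PATH, index, DEB_PATH, deb[:-1] + b"X"))
    # A Packages index that Release does not list fails at the first hop:
    print(verify_chain(release, "contrib/binary-i386/Packages", index, DEB_PATH, deb))
```

Note what this does not cover: if the attacker controls the mirror and can also produce a valid Release.gpg, the chain proves nothing, which is exactly why the archive key has to be obtained and checked with care rather than just accepted from whichever server handed it over.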

If you're in this situation you'll see a prompt such as this one when installing packages, or performing upgrades:

skx@mystery:~$ sudo apt-get install pyzor 
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  python-gdbm python2.3-gdbm
The following NEW packages will be installed:
  python-gdbm python2.3-gdbm pyzor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 69.1kB of archives.
After unpacking 229kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  python2.3-gdbm python-gdbm pyzor
Install these packages without verification [y/N]? y

You have a couple of choices when you see this notice:

  • Accept the prompt as a distraction or annoyance and proceed to install them without checking.
  • Install the appropriate key to make sure the packages you've downloaded are as intended.

If you decide that you don't care to validate your packages you can either answer "y" to ignore the warning, or use one of the new options:

apt-get --allow-unauthenticated install packagename

If you don't wish to add this flag each time you can store the following text inside /etc/apt/apt.conf (creating that file if it's missing):

APT::Get::AllowUnauthenticated "true";

Bear in mind that either of these switches the check off for every package from every source in your sources.list, not just the one you're installing right now, so they belong on a throwaway test box rather than on anything you care about.

If you do wish to be protected against corrupted or tampered downloads then you need to have two things:

  • The gnupg package installed.
  • The relevant public key to check the signature against.

If gnupg isn't installed yet you can install it as follows:

apt-get install gnupg

Once that's done you can either fetch the public key from the Debian keyserver, which puts it into root's GPG keyring:

root@mystery:~# gpg --keyserver keyring.debian.org --recv 4F368D5D
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 4F368D5D from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4F368D5D: public key "Debian Archive Automatic Signing Key (2005) ftpmaster@debian.org" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

apt doesn't consult root's GPG keyring though; it reads its own keyring, /etc/apt/trusted.gpg, which is managed with apt-key. So export the key you just fetched into it:

root@mystery:~# gpg --export 4F368D5D | apt-key add -

Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file "ziyi_key_2005.asc".

Download this and hand it straight to apt-key:

root@mystery:~# apt-key add ziyi_key_2005.asc

Whichever route you take, compare the key's fingerprint (gpg --fingerprint 4F368D5D for the imported key, or gpg --with-fingerprint ziyi_key_2005.asc for the downloaded file) with the one published on www.debian.org before you add it: a short key ID like 4F368D5D is not unique, and a key fetched from a keyserver is only as trustworthy as the channel it arrived over. Then run apt-get update so that the signed Release files are fetched and verified against the new key; from that point on APT will use it when installing packages, as you can see with this example:

root@mystery:~# apt-get install tcpflow
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libpcap0.7
Suggested packages:
  tcpdump
The following NEW packages will be installed:
  libpcap0.7 tcpflow
0 upgraded, 2 newly installed, 0 to remove and 5 not upgraded.
Need to get 93.2kB of archives.
After unpacking 287kB of additional disk space will be used.
Do you want to continue [Y/n]? 
Get:1 http://http.us.debian.org unstable/main libpcap0.7 0.7.2-7 [69.8kB]
Get:2 http://http.us.debian.org unstable/main tcpflow 0.21-6 [23.5kB]
Fetched 93.2kB in 2s (39.7kB/s) 
Selecting previously deselected package libpcap0.7.
(Reading database ... 69624 files and directories currently installed.)
Unpacking libpcap0.7 (from .../libpcap0.7_0.7.2-7_i386.deb) ...
Selecting previously deselected package tcpflow.
Unpacking tcpflow (from .../tcpflow_0.21-6_i386.deb) ...
Setting up libpcap0.7 (0.7.2-7) ...

Setting up tcpflow (0.21-6) ...

Package names for these examples chosen completely at random!

(At a later time we may explain exactly what GPG is, and how it's a good thing).
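
As an added example (not code from this article, and not part of apt or Debian's own tooling), here is a small Python script that puts the key-installation steps above together the way a practitioner would want them: it pulls the missing key IDs out of apt's own NO_PUBKEY warning (the message quoted in the comments below), fetches each key, refuses to trust it unless its full fingerprint matches a value supplied from somewhere other than the keyserver, and only then hands it to apt-key and refreshes the indices. The sample apt and gpg output it parses is constructed for the example (the fingerprint in it is the one quoted for the 2006 archive key in the comments below, used only as parser input). The gpg, apt-key and apt-get calls need root and a network connection, so they only run when the script is invoked directly.

```python
import re
import subprocess
import sys

# apt 0.6 names a missing key like this: "... NO_PUBKEY CFA0D3D5C2D0F8F6"
NO_PUBKEY_RE = re.compile(r"NO_PUBKEY\s+([0-9A-Fa-f]{8,40})")

# Constructed sample of 'apt-get update' output; the second line repeats the
# key in lower case to show that each ID is collected only once.
SAMPLE_APT_OUTPUT = (
    "W: GPG error: http://ftp.freenet.de unstable Release: The following signatures "
    "couldn't be verified because the public key is not available: NO_PUBKEY CFA0D3D5C2D0F8F6\n"
    "W: GPG error: http://ftp.freenet.de experimental Release: The following signatures "
    "couldn't be verified because the public key is not available: NO_PUBKEY cfa0d3d5c2d0f8f6\n"
)

# Constructed sample of 'gpg --with-colons --fingerprint' output. Only the record
# layout matters here: 'fpr' records carry the fingerprint in field 10.
SAMPLE_GPG_COLONS = (
    "pub:-:1024:17:010908312D230C5F:2006-01-03:::-:"
    "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>::scESC:\n"
    "fpr:::::::::084750FC01A6D388A643D869010908312D230C5F:\n"
)


def missing_key_ids(apt_output):
    """Key IDs apt reported as NO_PUBKEY: upper-cased, first-seen order, no repeats."""
    found = []
    for match in NO_PUBKEY_RE.finditer(apt_output):
        key_id = match.group(1).upper()
        if key_id not in found:
            found.append(key_id)
    return found


def fingerprints_from_colons(colons_output):
    """Fingerprints from gpg --with-colons output ('fpr' records, field 10)."""
    fprs = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def fingerprint_matches(colons_output, expected):
    """True if the expected fingerprint (spaces allowed, any case) is one gpg printed."""
    want = expected.replace(" ", "").upper()
    return want in fingerprints_from_colons(colons_output)


def install_archive_key(key_id, expected_fingerprint, keyserver="keyring.debian.org"):
    """Fetch key_id, check its full fingerprint, then add it to apt's keyring and refresh.

    Must run as root; needs gpg, apt-key and network access. The expected
    fingerprint must come from www.debian.org or another out-of-band source,
    never from the same keyserver the key is fetched from.
    """
    subprocess.run(["gpg", "--keyserver", keyserver, "--recv-keys", key_id], check=True)
    colons = subprocess.run(["gpg", "--with-colons", "--fingerprint", key_id],
                            check=True, capture_output=True, text=True).stdout
    if not fingerprint_matches(colons, expected_fingerprint):
        raise SystemExit("refusing %s: fingerprint does not match the published one" % key_id)
    exported = subprocess.run(["gpg", "--export", key_id], check=True, capture_output=True).stdout
    subprocess.run(["apt-key", "add", "-"], input=exported, check=True)
    subprocess.run(["apt-get", "update"], check=True)


if __name__ == "__main__":
    # Usage: apt-get update 2>&1 | python3 add-archive-key.py KEYID=FINGERPRINT [...]
    # (add-archive-key.py is a hypothetical file name for this script.)
    known = {}
    for arg in sys.argv[1:]:
        key_id, _, fingerprint = arg.partition("=")
        known[key_id.upper()] = fingerprint
    for key_id in missing_key_ids(sys.stdin.read()):
        if key_id in known:
            install_archive_key(key_id, known[key_id])
        else:
            print("no published fingerprint supplied for %s; not importing it" % key_id)
```

The point of insisting on the full fingerprint is that the 8-character ID apt prints is only the tail of it and is not unique, so "the keyserver returned a key with that ID" is not evidence that it is Debian's key.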

Posted by Anonymous (80.77.xx.xx) on Fri 1 Jul 2005 at 08:25
I followed these instructions, but still apt will complain that it can't verify any package I install... Note that my apt.conf was basically empty, then I added the position of /etc/apt/trusted.gpg; however, still no luck. Are the unstable packages signed at all?

Posted by Steve (82.41.xx.xx) on Fri 1 Jul 2005 at 21:59
The packages are not signed, instead the Release is signed. This isn't complete end-to-end signing, yet.

But almost close enough considering you need to have a valid key in the Debian keyring to upload to the repository initially.

Did you import the key into the keyring of the user who's doing the upgrade, ie root?

Steve
-- Steve.org.uk

Posted by Anonymous (80.77.xx.xx) on Sun 3 Jul 2005 at 10:54
After a bit of fiddling...
My installation is based on Unstable-NonUS, so I had to import the key with gpg --recv-keys B629A24C38C6029A.
Then apt-get update and it's ok :)

Posted by Anonymous (68.228.xx.xx) on Sat 2 Jul 2005 at 16:52
Since it is the release that is signed, you need to 'apt-get update' before apt will stop complaining. Otherwise, the above instructions worked perfectly for me.
Good luck,
JDR

Posted by Anonymous (195.172.xx.xx) on Fri 1 Jul 2005 at 08:52
I tried to solve it with
apt-get install debian-keyring
and this does indeed seem to allow some packages to be installed without that warning. Is it possible that some debian unstable packages are just simply not signed properly yet?

Posted by Anonymous (150.216.xx.xx) on Fri 1 Jul 2005 at 19:30
I'm confused. According to its description, the package debian-keyring is supposed to have the keys of Debian developers. Does it also contain the 'Debian Archive Automatic Signing Key (2005) ftpmaster@debian.org' described in the article?

Posted by Steve (82.41.xx.xx) on Fri 1 Jul 2005 at 21:53
The debian-keyring package contained in Unstable does include the signing key. In the file /usr/share/keyrings/debian-role-keys.gpg.

I chose to describe importing a single key instead because this is much simpler to explain for people new to GPG.

(No need to mess with the conf file to add the keyring files, and downloading 11Mb of package just to get one key is .. wasteful).

I hope that clears up your confusion.

Steve
-- Steve.org.uk

Posted by chris (217.8.xx.xx) on Fri 1 Jul 2005 at 08:55
This worked fine for the standard debian repositories in my sources list (unstable).

For some of the other repos I had to perform the following (after running the --recv-keys)
gpg --armor --export  | apt-key add -

Just wondering now - how to find the correct key ID for a signed repository - specifically
W: GPG error: http://ftp.freenet.de unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CFA0D3D5C2D0F8F6

Posted by Steve (82.41.xx.xx) on Fri 1 Jul 2005 at 12:36
Probably easiest to either mail the site admin(s), or to look and see if all the packages on that site have the same Maintainer - if they do it might mean the release is signed with that key.

Steve
-- Steve.org.uk

Posted by Anonymous (212.202.xx.xx) on Fri 8 Jul 2005 at 00:01
> For some of the other repos I had to perform the following
> (after running the --recv-keys)
>
> gpg --armor --export | apt-key add -

has helped me for
stable/non-US
testing/non-US
unstable/non-US
.

Thanks,
Stephan

Posted by Anonymous (24.182.xx.xx) on Mon 7 Nov 2005 at 03:26
This works with debian-testing-security also. :-) Thanks for the tip!
peace, core

Posted by Anonymous (212.18.xx.xx) on Fri 1 Jul 2005 at 10:17
I've been trying to get debmirror to check the sigs on stuff, which is kinda similar to this. Not essential for me, but a nice to have.

I've installed the debian-keyring package and edited my gnupg config as per the instructions in the docs for it, but to no avail. Any hints with that appreciated.

Posted by Steve (82.41.xx.xx) on Fri 1 Jul 2005 at 12:39
When you say "my" gnupg config - is that the one that is used by the account you're using debmirror as?

I guess you can see if your setup is importing the debian-keyring's keys by running:

gpg --list-keys

If you've added them there will be *lots* of new ones.

Steve
-- Steve.org.uk

Posted by Anonymous (70.247.xx.xx) on Fri 1 Jul 2005 at 12:43
Is this similar to RPM, such as in Red Hat and Fedora, with the ability to use GPG keys?

Posted by Anonymous (82.72.xx.xx) on Sat 2 Jul 2005 at 04:00
Hi,

cool article, makes a lot clear, but not all (to me).

Is this checking done on-line in real time? If so, how about us poor sods in a corporate network with a local debian repository, but without a direct connection to the outside?

Will all packages have those signatures? If so, how about the *.udebs from debian installer? Seems rather complicated to me to have mandatory manual acknowledgments for fully automated installs.

Sincerely,

Jan.

Posted by Steve (82.41.xx.xx) on Sat 2 Jul 2005 at 04:06
My understanding is that it's just the release file which is checked, via the signed version.

As that contains the checksums of the different arch packages it's sufficient to test the integrity of the packages you download - since in turn the arch package lists contain the checksums for the packages themselves.

This means it's a one-off test for each package installation run, eg. "apt-get upgrade", or "apt-get install foo bar baz" both only require a single check - against your local copy of release file(s) in /var/lib/apt/lists.

I guess this means there's no problem with people in unconnected areas, etc.

Steve
-- Steve.org.uk

Posted by Anonymous (66.82.xx.xx) on Sun 3 Jul 2005 at 14:43
I don't understand why this article walks through the process of downloading the debian archive key and adding it to root's keyring, when apt 0.6 comes preconfigured to use that key via the /etc/apt/trusted.gpg keyring. Surprised adding the key to root's keyring would work at all, since AFAIK apt does not look at root's keyring when verifying archive keys. Also, it's odd that the article does not mention how to use the apt-key command at all.

Posted by Steve (82.41.xx.xx) on Sun 3 Jul 2005 at 14:46
apt-key should probably be mentioned, true. I got distracted before finishing this.

Still adding the key to root's keyring does seem to be one approach at getting this to work.

Steve
-- Steve.org.uk

Posted by Anonymous (85.248.xx.xx) on Mon 1 Aug 2005 at 14:44
yeah... no way, adding the debian key to root's keyring...

use "apt-key add" to solve this problem with the complaining apt tool...

Posted by Anonymous (24.182.xx.xx) on Mon 7 Nov 2005 at 03:29
Completely, I tried adding it to root and had no luck. apt-key is the way!

Posted by jooray (82.119.xx.xx) on Mon 4 Jul 2005 at 22:16
Any idea how to add support of signature checking in sarge? Do I need to update apt on sarge from unstable? Will sarge survive this?

Are sarge repositories already signed too?

Posted by Steve (82.41.xx.xx) on Mon 4 Jul 2005 at 22:20
Signatures are not supported by the version of apt in Sarge. So you'd need to backport the newer version of apt, however without the signed Release files upon the Debian servers doing so would be pointless.

Hmm, having just looked in the Sarge binary-i386 directory, there's no signed Release file - just the raw one.

So it looks like you're out of luck.

Steve
-- Steve.org.uk

Posted by Anonymous (81.57.xx.xx) on Fri 2 Sep 2005 at 10:13
There is the script apt-check-sigs which verifies the gpg signatures. The main Release file contains the list of Packages, Packages.gz and sub Release files with their MD5sum for each component and architecture.
Each Packages file contains a list of packages with their md5sum.

So, Packages validates the integrity of each package and the main Release file the integrity of each Packages file. If the main Release file is verified everything is OK.




Posted by Anonymous (24.87.xx.xx) on Tue 5 Jul 2005 at 23:53
Works great on my x86 systems, but doesn't seem to work on AMD64 despite the key showing up with `gpg --list-keys` and having run `apt-get update` since importing the key. Any ideas?

Posted by Anonymous (82.83.xx.xx) on Fri 8 Jul 2005 at 22:16
Hi,

after some frustrating experiments I found the following solution:
Running AMD64/unstable I noticed the file /etc/apt/trusted.gpg.
Just import the keys with gpg --recv-keys XXXXXX
followed by gpg --export XXXXXXX >> /etc/apt/trusted.gpg.
After doing an apt-get update everything worked fine.

Posted by mzilikazi (156.153.xx.xx) on Mon 11 Jul 2005 at 20:06
Just thought I'd post a bit on how to use gpg through a proxy. You need to use: --keyserver-options http-proxy

gpg --keyserver-options http-proxy --keyserver wwwkeys.eu.pgp.net --recv-keys 58255A68

Posted by randalll (69.193.xx.xx) on Wed 13 Jul 2005 at 03:38
Could you please post instructions for disabling GPG checking in apt 0.6?

Posted by Steve (82.41.xx.xx) on Wed 13 Jul 2005 at 03:48
The instructions are already included in the article, either via the command-line flag or via apt.conf...

Steve
-- Steve.org.uk

Posted by randalll (69.193.xx.xx) on Wed 13 Jul 2005 at 12:26
For not having it ask to install unauthenticated packages, yes--and it works nicely. Thank you for your assistance there.

It's likely that I didn't phrase the question correctly.

What I'm looking for is a way to completely disable GPG (so that it doesn't even try to download or authenticate the GPG keys when I run "apt-get update").

Do I have to downgrade to a previous version or edit the source to do that?

Posted by Anonymous (62.157.xx.xx) on Fri 22 Jul 2005 at 07:45
I have an apt-proxy running. What must be done to get a package in a secure way, because actually all packages through the apt-proxy machine cannot be authenticated?

Posted by Anonymous (141.76.xx.xx) on Mon 24 Oct 2005 at 12:26
What must be done to get aptitude to find/filter packages from untrusted sources?

Posted by k8to (64.142.xx.xx) on Tue 3 Jan 2006 at 18:26
Woohoo, it's 2006, and debian can't automatically get the new key. I could download debian-keyring but it's not authenticated. Not interested in breaking the trust model once a year.

Posted by Anonymous (203.79.xx.xx) on Wed 4 Jan 2006 at 05:44
For those that haven't found it anywhere else, the new key is available either from

http://ftp-master.debian.org/ziyi_key_2006.asc

or by issuing the command

gpg --keyserver subkeys.pgp.net --recv-keys 084750FC01A6D388A643D869010908312D230C5F ; gpg --export 084750FC01A6D388A643D869010908312D230C5F | sudo apt-key add -;

How do we trust that ? I dunno ...

Posted by k8to (64.142.xx.xx) on Wed 4 Jan 2006 at 07:29
I took the first key on faith, because I had no idea how anything worked, or if there was anything to base the first key's trust on. However, I've hit a large number of mirrors over the year and I don't think all of them were compromised, so I have some faith in the key.

Debian seems to do a lot of key signing for purposes of developer upload. Why can't some of the power of this web of trust be used to back up the release key? Or is it? I mean, maybe this is all much more clever than I realize, but I don't have a detailed understanding of how the trust model for releases works.

Moreover, I'm kind of riding the fence. On the one hand, I don't like the symptoms that suggest there is no good way to trust the release key. On the other hand, I think as a debian user I shouldn't have to worry about any of this. I feel I should be asked to do some specific steps in the first place to ensure I get a trustable original key, and the rest should flow from that. I don't think Debian users should be expected to be GPG experts and debian policy experts just to get reasonable protection from compromise. The reason I think that they shouldn't have to be, is because they aren't, and won't be, and thus if this system only helps experts, it isn't very good.

Posted by Anonymous (208.186.xx.xx) on Thu 5 Jan 2006 at 06:56
The new key is signed by the old key. Run

gpg --check-sigs 2d230c5f

All in all, though, Debian is years behind the times in terms of archive signing. It's pretty easy to set up a server with trojan packages and redirect traffic to the official mirrors there. Local attacks on a LAN and DNS cache poisoning come to mind as productive ways to accomplish this.

Posted by Anonymous (59.167.xx.xx) on Wed 4 Jan 2006 at 08:02
Perfect, Hit the nail right on the head.
Thx.

Posted by Anonymous (195.54.xx.xx) on Wed 4 Jan 2006 at 16:54
Useful article, however it only provided prompts to resolving the "packages cannot be authenticated" hassles. Eventually came up with the following

GPG is installed by default, create a sig and trust it (not sure if this is needed, but)
Don't import the keys into the GPG keyring, instead I did this
"apt-key add" the keys from http://www.debian.org/releases/

Then apt-get update / apt-get upgrade

Posted by Anonymous (82.224.xx.xx) on Wed 4 Jan 2006 at 19:59
To install the new key run :
wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -

Posted by Anonymous (128.59.xx.xx) on Thu 12 Jan 2006 at 17:25
Yes, this was the method suggested on the debian-user mailing list—see
http://lists.debian.org/debian-user/2006/01/msg00291.html .

Posted by Anonymous (202.78.xx.xx) on Thu 12 Jan 2006 at 18:25

I find that using apt-key saves a bunch of typing... try this as root:

apt-key advanced --keyserver keyring.debian.org --recv 4F368D5D

Regards,

Andrew McMillan

Posted by Anonymous (212.95.xx.xx) on Fri 28 Jul 2006 at 17:57
It would be nice to know how to find out, which is the right key.

Posted by Steve (62.30.xx.xx) on Fri 28 Jul 2006 at 17:59
When you try to install a package with apt-get it will tell you the key ID which is missing/not trusted ..

Steve

Posted by spiritwing (131.215.xx.xx) on Fri 19 Jan 2007 at 09:34
This post is obsolete now.

The following info, which I found here, is the current fix.
apt-get install debian-archive-keyring
apt-get update

Cheers,
Silas

=0)
