Using the GPG signature checking with apt 0.6

Posted by Steve on Fri 1 Jul 2005 at 02:00

If you're running a Debian Unstable installation you'll likely have noticed that new package installations, and upgrades, are now prompting for confirmation - warning about package checking. This is because the most recent version of APT supports checking package signatures with GPG.

GNU Privacy Guard is a popular public-key encryption package, which amongst other things allows signatures to be made of files. These signatures allows people to detect tampering, due to either malicious actions or network errors, in much the same way as hashes such as MD5 and SHA-1 do.

This change has been a long time coming, since the original announcement in 2004.

The most recent versions of the apt package support testing all downloaded packages to make sure their signatures are valid.

This is a useful thing, as it provides reasonable certainty that the packages you're downloading are the packages you were intended to get.

If you're in this situation you'll see a prompt such as this one when installing packages, or performing upgrades:

skx@mystery:~$ sudo apt-get install pyzor 
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  python-gdbm python2.3-gdbm
The following NEW packages will be installed:
  python-gdbm python2.3-gdbm pyzor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 69.1kB of archives.
After unpacking 229kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  python2.3-gdbm python-gdbm pyzor
Install these packages without verification [y/N]? y

You have a couple of choices when you see this notice:

• Accept the prompt as a distraction or annoyance and proceed to install them without checking.
• Install the appropriate key to make sure the packages you've downloaded are as intended.

If you decide that you don't care to validate your packages you've can either answer "y" to ignore the warning, or use one of the new options:

apt-get --allow-unauthenticated  install packagename

If you don't wish to add this flag each time you can store the following text inside /etc/apt/apt.conf (creating that file if it's missing):

APT::Get::AllowUnauthenticated 1 ;

If you do wish to avoid potential corruption, or malicious uploads then you need to have two things:

• The gnupg package installed.
• The relevent public key for testing against.

If you don't have the security software you can install it as follows:

apt-get install gnupg

Once that's done you can either download the public key by running:

root@mystery:~# gpg --keyserver keyring.debian.org --recv 4F368D5D
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 4F368D5D from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4F368D5D: public key "Debian Archive Automatic Signing Key (2005) ftpmaster@debian.org" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file "ziyi_key_2005.asc".

Download this and import it as follows:

root@mystery:~# cat ziyi_key_2005.asc | gpg --import

Once this is imported to the root's keyring APT will use it when installing packages, as you can see with this example:

root@mystery:~# apt-get install tcpflow
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libpcap0.7
Suggested packages:
  tcpdump
The following NEW packages will be installed:
  libpcap0.7 tcpflow
0 upgraded, 2 newly installed, 0 to remove and 5 not upgraded.
Need to get 93.2kB of archives.
After unpacking 287kB of additional disk space will be used.
Do you want to continue [Y/n]? 
Get:1 http://http.us.debian.org unstable/main libpcap0.7 0.7.2-7 [69.8kB]
Get:2 http://http.us.debian.org unstable/main tcpflow 0.21-6 [23.5kB]
Fetched 93.2kB in 2s (39.7kB/s) 
Selecting previously deselected package libpcap0.7.
(Reading database ... 69624 files and directories currently installed.)
Unpacking libpcap0.7 (from .../libpcap0.7_0.7.2-7_i386.deb) ...
Selecting previously deselected package tcpflow.
Unpacking tcpflow (from .../tcpflow_0.21-6_i386.deb) ...
Setting up libpcap0.7 (0.7.2-7) ...

Setting up tcpflow (0.21-6) ...

Package names for these examples chosen completely at random!

(At a later time we may explain exactly what GPG is, and how it's a good thing).

This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):

• http://www.debian-administration.org/article/174/Using_the_GPG_signature_checking_with_apt_0.6

This article is copyright 2005 Steve - please ask for permission to republish or translate.