Using the GPG signature checking with apt 0.6
Posted by Steve on Fri 1 Jul 2005 at 02:00
If you're running a Debian Unstable installation you'll likely have noticed that new package installations and upgrades now prompt for confirmation, warning that packages cannot be authenticated. This is because the most recent version of APT supports checking package signatures with GPG.
GNU Privacy Guard is a popular public-key encryption package which, amongst other things, allows files to be signed. Like hashes such as MD5 and SHA-1, these signatures let people detect tampering, whether from malicious action or from network errors. Unlike a bare hash, though, a valid signature can only be produced by the holder of the private key, so it also tells you who vouched for the file rather than merely that it arrived intact.
This change has been a long time coming, since the original announcement in 2004.
The most recent versions of the apt package support testing all downloaded packages to make sure their signatures are valid.
This is useful, as it provides reasonable certainty that the packages you're downloading are the packages the archive intended you to get.
If you're in this situation you'll see a prompt such as this one when installing packages, or performing upgrades:
skx@mystery:~$ sudo apt-get install pyzor
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  python-gdbm python2.3-gdbm
The following NEW packages will be installed:
  python-gdbm python2.3-gdbm pyzor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 69.1kB of archives.
After unpacking 229kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  python2.3-gdbm python-gdbm pyzor
Install these packages without verification [y/N]? y
You have a couple of choices when you see this notice:
- Accept the prompt as a distraction or annoyance and proceed to install them without checking.
- Install the appropriate key to make sure the packages you've downloaded are as intended.
If you decide that you don't care to validate your packages you can either answer "y" to ignore the warning, or use one of the new options:
apt-get --allow-unauthenticated install packagename
If you don't wish to add this flag each time you can store the following text inside /etc/apt/apt.conf (creating that file if it's missing):
APT::Get::AllowUnauthenticated "1";
If you do wish to protect against potential corruption, or malicious uploads, then you need to have two things:
- The gnupg package installed.
- The relevant public key to check the signatures against.
If you don't have gnupg installed you can install it as follows:
apt-get install gnupg
Once that's done you can either download the public key by running:
root@mystery:~# gpg --keyserver keyring.debian.org --recv 4F368D5D
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 4F368D5D from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4F368D5D: public key "Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
Or, if you prefer, you can download it from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file "ziyi_key_2005.asc".
Download this and import it as follows:
root@mystery:~# cat ziyi_key_2005.asc | gpg --import
Once this is imported into root's keyring APT will use it when installing packages, as you can see in this example:
root@mystery:~# apt-get install tcpflow
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libpcap0.7
Suggested packages:
  tcpdump
The following NEW packages will be installed:
  libpcap0.7 tcpflow
0 upgraded, 2 newly installed, 0 to remove and 5 not upgraded.
Need to get 93.2kB of archives.
After unpacking 287kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://http.us.debian.org unstable/main libpcap0.7 0.7.2-7 [69.8kB]
Get:2 http://http.us.debian.org unstable/main tcpflow 0.21-6 [23.5kB]
Fetched 93.2kB in 2s (39.7kB/s)
Selecting previously deselected package libpcap0.7.
(Reading database ... 69624 files and directories currently installed.)
Unpacking libpcap0.7 (from .../libpcap0.7_0.7.2-7_i386.deb) ...
Selecting previously deselected package tcpflow.
Unpacking tcpflow (from .../tcpflow_0.21-6_i386.deb) ...
Setting up libpcap0.7 (0.7.2-7) ...
Setting up tcpflow (0.21-6) ...
Package names for these examples chosen completely at random!
(At a later time we may explain exactly what GPG is, and how it's a good thing).
The packages are not signed, instead the Release is signed. This isn't complete end-to-end signing, yet.
But almost close enough considering you need to have a valid key in the Debian keyring to upload to the repository initially.
Did you import the key into the keyring of the user who's doing the upgrade, i.e. root?
Steve
-- Steve.org.uk
My installation is based on Unstable-NonUS, so I had to import the key with gpg --recv-keys B629A24C38C6029A.
Then apt-get update and it's ok :)
Good luck,
JDR
apt-get install debian-keyring and this does indeed seem to allow some packages to be installed without that warning. Is it possible that some debian unstable packages are just simply not signed properly yet?
The debian-keyring package contained in Unstable does include the signing key. In the file /usr/share/keyrings/debian-role-keys.gpg.
I chose to describe the import of a single key instead because this is much simpler to explain for people new to GPG.
(No need to mess with the conf file to add the keyring files, and downloading 11Mb of package just to get one key is .. wasteful).
I hope that clears up your confusion.
Steve
-- Steve.org.uk
For some of the other repos I had to perform the following (after running the --recv-keys)
gpg --armor --export | apt-key add -
Just wondering now - how to find the correct key ID for a signed repository - specifically
W: GPG error: http://ftp.freenet.de unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CFA0D3D5C2D0F8F6
Probably easiest to either mail the site admin(s), or to look and see if all the packages on that site have the same Maintainer - if they do it might mean the release is signed with that key.
Steve
-- Steve.org.uk
> (after running the --recv-keys)
>
> gpg --armor --export | apt-key add -
has helped me for
stable/non-US
testing/non-US
unstable/non-US
.
Thanks,
Stephan
peace, core
I've installed the debian-keyring package and edited my gnupg config as per the instructions in the docs for it, but to no avail. Any hints with that appreciated.
When you say "my" gnupg config - is that the one that is used by the account you're using debmirror as?
I guess you can see if your setup is importing the debian-keyring's by running :
gpg --list-keys
If you've added them there will be *lots* of new ones.
Steve
-- Steve.org.uk
cool article, makes a lot clear, but not all (to me).
Is this checking done on-line in real time? If so, how about us poor sods in a corporate network with a local debian repository, but without a direct connection to the outside?
Will all packages have those signatures, if so how about the *.udebs from debian installer. Seems rather complicated to me to have mandatory manual acknowledgments for fully automated installs.
Sincerely,
Jan.
My understanding is that it's just the release file which is checked, via the signed version.
As that contains the checksums of the different arch packages it's sufficient to test the integrity of the packages you download - since in turn the arch package lists contain the checksums for the packages themselves.
This means it's a one-off test for each package installation run, eg. "apt-get upgrade", or "apt-get install foo bar baz" both only require a single check - against your local copy of release file(s) in /var/lib/apt/lists.
I guess this means there's no problem with people in unconnected areas, etc.
Steve
-- Steve.org.uk
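Steve's reply above describes the chain apt actually relies on: the signed Release file carries checksums for the Packages files, and each Packages file carries the checksum and size of every .deb. The following Python, added here as an illustration and not code from the article or from apt itself, walks that chain over a constructed miniature archive and rejects a tampered .deb, a tampered Packages file, or a Packages file the Release never listed; `release_signature_ok` assumes `gpgv` is on PATH and is the one step not exercised offline.

```python
import hashlib
import subprocess

def parse_release_md5sums(release_text):
    """Map each path under the Release file's MD5Sum: stanza to (md5, size)."""
    sums, in_stanza = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
        else:
            in_stanza = False          # any other field ends the stanza
    return sums

def parse_packages(packages_text):
    """Map Filename -> (MD5sum, Size) for every stanza of a Packages file."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[f["Filename"]] = (f["MD5sum"], int(f["Size"]))
    return out

def matches(data, expected):
    md5, size = expected
    return len(data) == size and hashlib.md5(data).hexdigest() == md5

def release_signature_ok(keyring, release_gpg, release):
    """Step 0 (not run offline): Release.gpg must verify against the trusted keyring via gpgv."""
    r = subprocess.run(["gpgv", "--keyring", keyring, release_gpg, release], capture_output=True)
    return r.returncode == 0

def verify_chain(release_text, packages_path, packages_bytes, deb_filename, deb_bytes):
    """True only if Release vouches for Packages and Packages vouches for the .deb."""
    rel = parse_release_md5sums(release_text)
    if packages_path not in rel or not matches(packages_bytes, rel[packages_path]):
        return False                    # Packages file tampered with, or never listed
    pkgs = parse_packages(packages_bytes.decode())
    return deb_filename in pkgs and matches(deb_bytes, pkgs[deb_filename])

def build_sample():
    """Constructed sample archive: a fake .deb, its Packages stanza, and a Release listing Packages."""
    deb = b"!<arch>\nconstructed stand-in for tcpflow_0.21-6_i386.deb\n"
    pkgs = ("Package: tcpflow\nVersion: 0.21-6\nArchitecture: i386\n"
            "Filename: pool/main/t/tcpflow/tcpflow_0.21-6_i386.deb\n"
            f"Size: {len(deb)}\nMD5sum: {hashlib.md5(deb).hexdigest()}\n\n").encode()
    release = ("Origin: Debian\nSuite: unstable\nArchitectures: i386\nMD5Sum:\n"
               f" {hashlib.md5(pkgs).hexdigest()} {len(pkgs)} main/binary-i386/Packages\n")
    return release, pkgs, deb
```

Note that the whole chain rests on step 0: without a verified Release.gpg, an attacker who can serve a mirror can rewrite Release, Packages and the .deb together and every checksum will still match.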
apt-key should probably be mentioned, true. I got distracted before finishing this.
Still adding the key to root's keyring does seem to be one approach at getting this to work.
Steve
-- Steve.org.uk
use "apt-key add" to solve this problem about complaining apt tool...
Are sarge repositories already signed too?
Signatures are not supported by the version of apt in Sarge. So you'd need to backport the newer version of apt, however without the signed Release files upon the Debian servers doing so would be pointless.
Hmm, having just looked in the Sarge binary-i386 directory, there's no signed Release file - just the raw one.
So it looks like you're out of luck.
Steve
-- Steve.org.uk
Each Packages file contains a list of packages with their md5sum.
So, Packages validates the integrity of each package and the main Release file the integrity of each Packages file. If the main Release file is verified everything is OK.
After some frustrating experiments I found the following solution:
Running AMD64/unstable I noticed the file /etc/apt/trusted.gpg.
Just import the keys with gpg --recv-keys XXXXXX
followed by gpg --export XXXXXXX >> /etc/apt/trusted.gpg.
After doing a apt-get update everything worked fine.
gpg --keyserver-options http-proxy --keyserver wwwkeys.eu.pgp.net --recv-keys 58255A68
The instructions are already included in the article, either via the command-line flag or via apt.conf...
Steve
-- Steve.org.uk
It's likely that I didn't phrase the question correctly.
What I'm looking for is a way to completely disable GPG (so that it doesn't even try to download or authenticate the GPG keys when I run "apt-get update").
Do I have to downgrade to a previous version or edit the source to do that?
http://ftp-master.debian.org/ziyi_key_2006.asc
or by issuing the command
gpg --keyserver subkeys.pgp.net --recv-keys 084750FC01A6D388A643D869010908312D230C5F ; gpg --export 084750FC01A6D388A643D869010908312D230C5F | sudo apt-key add -;
How do we trust that ? I dunno ...
Debian seems to do a lot of key signing for purposes of developer upload. Why can't some of the power of this web of trust be used to back up the release key? Or is it? I mean, maybe this is all much more clever than I realize, but I don't have a detailed understanding of how the trust model for releases works.
Moreover, I'm kind of riding the fence. On the one hand, I don't like the symptoms that suggest there is no good way to trust the release key. On the other hand, I think as a debian user I shouldn't have to worry about any of this. I feel I should be asked to do some specific steps in the first place to ensure I get a trustable original key, and the rest should flow from that. I don't think Debian users should be expected to be GPG experts and debian policy experts just to get reasonable protection from compromise. The reason I think that they shouldn't have to be, is because they aren't, and won't be, and thus if this system only helps experts, it isn't very good.
gpg --check-sigs 2d230c5f
All in all, though, Debian is years behind the times in terms of archive signing. It's pretty easy to set up a server with trojan packages and redirect traffic to the official mirrors there. Local attacks on a LAN and DNS cache poisoning come to mind as productive ways to accomplish this.
Thx.
GPG is installed by default, create a sig and trust it (not sure if this is needed, but)
Don't import the keys into the GPG keyring, instead I did this
"apt-key add" the keys from http://www.debian.org/releases/
Then apt-get update / apt-get upgrade
wget http://ftp-master.debian.org/ziyi_key_2006.asc -O - | apt-key add -
http://lists.debian.org/debian-user/2006/01/msg00291.html .
I find that using apt-key saves a bunch of typing... try this as root:
apt-key advanced --keyserver keyring.debian.org --recv 4F368D5D
Regards,
Andrew McMillan
When you try to install a package with apt-get it will tell you the key ID which is missing/not trusted ..
The following info, which I found here, is the current fix.
apt-get install debian-archive-keyring
apt-get update
Cheers,
Silas
=0)