6.41 Archive Signatures and Keys

20191217 The apt tool supports signing of a repository’s Release file to ensure the integrity of a Debian/Ubuntu archive. The signature is contained in Release.gpg. The Release file is signed using a private key, and a public key is then used to ensure the signature is correct.

The following from an apt-get command is often the first sign of a missing key:

  W: GPG error: ftp://ftp.nerim.net unstable Release: The following 
  signatures couldn't be verified because the public key is not 
  available: NO_PUBKEY 07DC563D1F41B907

Packages can still be installed but messages like the following will be displayed:

  WARNING: The following packages cannot be authenticated!
  Install these packages without verification [y/N]?

Interacting with the apt-key command is simple, with just a few sub-commands: list, add, del, update. The list command will list the public keys that are currently accepted and the add command allows a public key to be added. The key itself needs to be downloaded from a key server using gpg.

To download a key and install it locally, the single adv command can be used (the key can be identified using the last 8 characters of the id that apt-get reports that it cannot verify):

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 1F41B907

A more explicit specification of the keyserver may sometimes be required, often due to firewall restrictions:

  $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 1F41B907

Underneath, the following three steps are undertaken:

  $ gpg --keyserver keyring.debian.org --recv-key 1F41B907
  $ gpg --armor --export 1F41B907 | sudo apt-key add -

The warning report should now disappear (at least for this key/repository).
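As an added example (not from the original guide), the shell functions below pull every NO_PUBKEY id out of apt-get output and print the matching apt-key adv command using the full 16-character id, since 8-character short ids are not unique across keys. The second warning, its repository name and its key id are constructed sample data, and the commands are only printed, not run.

```shell
#!/bin/sh
# Added example: find the key ids that apt-get reports as missing.

# Constructed sample input: the warning shown above, plus a made-up second
# repository whose id is wrapped onto the next line, plus a duplicate.
sample_output() {
    cat <<'EOF'
W: GPG error: ftp://ftp.nerim.net unstable Release: The following
signatures couldn't be verified because the public key is not
available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: http://repo.example.invalid stable Release: The following
signatures couldn't be verified because the public key is not available: NO_PUBKEY
0123456789abcdef NO_PUBKEY 07DC563D1F41B907
EOF
}

# Reads apt-get output on stdin; prints "<long id> <short id>" once per key.
missing_keys() {
    # One word per line, so a warning wrapped across lines is still parsed.
    tr -s '[:space:]' '\n' | awk '
        # Accept only a 16-digit hex word that directly follows NO_PUBKEY.
        prev == "NO_PUBKEY" && toupper($0) ~ /^[0-9A-F]+$/ && length($0) == 16 {
            id = toupper($0)
            # The short id is the last 8 characters of the long id.
            if (!seen[id]++) print id, substr(id, 9)
        }
        { prev = $0 }'
}

# Prints (does not run) one fetch command per missing key.
# Assumption: the same keyserver as in the text above.
fetch_commands() {
    missing_keys | while read -r long short; do
        printf 'sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key %s\n' "$long"
    done
}

sample_output | fetch_commands
```

On a real system the input would be the captured output of sudo apt-get update (2>&1), and each printed command should be reviewed before it is run.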

To list the keys and to delete keys if desired:

  $ apt-key list
  $ sudo apt-key del 1F41B907

Copyright © 1995-2021 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0.