GNU/Linux Desktop Survival Guide by Graham Williams
Desktop Survival Project Home Preface Advocacy History Distributions Installation Basic Survival Wajig Audio AbiWord APM Backup Bash Booting Cameras CD Chinese ChRoot Clock Commercial Conference Management Configuration CRON CVS Databases DIA Directories Disks Documentation DVD Email Eye of Gnome Evolution File Systems Firewalls Floppy Disks Fonts Ghemical GIMP Glade Gnome GnuCash Gnumeric GQView Graphics Groups HTML Editors ImageMagick Initialisations on Booting Java KDE Kernels Keyboard Konqueror KVM Switch LaTeX Log System Login Magellan Mathematics Memory Modems Mounting Devices MS/Windows Music MySQL Nautilus Networks NFS NT File System OpenOffice.org Oracle Packages Partitions Passwords PDF Photos PPP Presentations Printing Python R Remote Desktops Rsync Samba Scanning Science Security SH File System Sketch Spell SPlus Spruce SSH SUDO Subversion Swap Themes USB Video Virtualization Web Word X XML Sample Installations Troubleshooting Index

Package Archive Signatures

Version 0.6 of the apt tools began support for signing of the Release file to ensure integrity of the archive. The signature is contained in Release.gpg. The Release file is signed using a private key, and a public key is then used to ensure the signature is correct.

You might get the following from an apt-get command:

  W: GPG error: ftp://ftp.nerim.net unstable Release: The following 
  signatures couldn't be verified because the public key is not 
  available: NO_PUBKEY 07DC563D1F41B907

You can go ahead and install packages but you will get messages like:

  WARNING: The following packages cannot be authenticated!
    most
  Install these packages without verification [y/N]?

You can still install, if you wish!

Interacting with the apt-key system is simple, with just four commands: list, add, del, update. The list command will list the public keys that are currently accepted. The add command allows you to add a public key. This is the one we need first.

To obtain and install the key:

  $ gpg --keyserver keyring.debian.org --recv-key 1F41B907
  $ gpg --armor --export 1F41B907 | sudo apt-key add -

This should now not report any authority warnings (for at least this key).

You may have an issue with a locally managed archive that is not signed. Even though the AVAIL command will identify that the local archive has preference when it comes to obtaining a package that is available from multiple archives, an authorised archive will always be used in preference. Two solutions are possible. One is to tell wajig not to preference authoritative archives by using the -noauth option.

  $ wajig --noauth distupgrade

The other option is to sign your Release files. Using wajig's MOVE command requires some setting up to have the Release.gpg file created. First, tell apt-move to create the file (and also to maintain both compressed and uncompressed Package files - a requirement of the current apt version) in the configuration file /etc/apt-move.conf:

  PKGCOMP='none gzip'
  [email protected]

Then ensure Kayon Toga's secret key is available to the root user that runs the apt-move command. You can export the secret key (but do this carefully) with:

  $ gpg --export-secret-keys --no-comment [email protected] > ktskexp

Then add this to root's keys:

  # gpg --import ktskexp

Now remove any passphrase so that the file can be singed in batch mode (required when running apt-move):

  # gpg --edit [email protected]
  Command> passwd

So now apt-move can sign the Release file unattended.

Further explanation is available from http://wiki.debian.org/SecureApt.