All about secure apt
Debian uses strong cryptography to validate downloaded packages. This is commonly called «secure apt» (or «apt-secure») and was implemented in Apt version 0.6 in 2003, which Debian migrated to in 2005. Since the documentation (here and here) is fairly slim on how this all works from an administrator’s point of view, this document will try to explain in detail how secure apt works and how to use it.
This article discusses things at a relatively high level. For details on the format of the files Debian repositories please refer to the DebianRepository/Format page. For detailed information on commands please refer to the man pages of the tools.
Contents
- All about secure apt
- Basic concepts
- Secure apt groundwork: checksums
- Signed Release files
- How apt uses Release.gpg
- How to tell apt what to trust
- How to find and add a key
- How to tell if the key is safe
- Debian archive key expiry
- How to manually check for package’s integrity
- Other problems
- Setting up a secure apt repository
- Failed updates and missing keys
- History
- Comments and questions
Basic concepts
Here are a few basic concepts that you’ll need to understand for the rest of this document.
A secure hash function (a type of checksum) is a method of taking a file and boiling it down to a reasonably short number that will uniquely identify the content of the file, even if people are deliberately trying to create a pair of different files with the same checksum or create a new file that matches a previous checksum. APT was originally designed around MD5 but people have since managed to construct collisions and so support for newer hash functions has been added.
Public key cryptography is based on pairs of keys, a public key and a private key. The public key is given out to the world; the private key must be kept a secret. Anyone possessing the public key can encrypt a message so that it can only be read by someone possessing the private key. It’s also possible to use a private key to sign a file, not encrypt it. If a private key is used to sign a file, then anyone who has the public key can check that the file was signed by that key. Anyone who doesn’t have the private key can’t forge such a signature.
These keys are quite long numbers (at least 1024 bits, i.e. 256 or more hex digits and preferably a lot more), and to make them easier to work with they have a key id, which is a shorter, 8 or 16 digit number that can be used to refer to them. However care should be taken with key IDs, especially the short 8 character ID as it is possible to generate collisions.
apt currently uses gpg as the OpenPGP implementation to verify signatures.
apt-key is a program that is used to manage a keyring of OpenPGP keys for secure apt. The keyring is kept in the file /etc/apt/trusted.gpg (not to be confused with the related but not very interesting /etc/apt/trustdb.gpg). apt-key can be used to show the keys in the keyring, and to add or remove a key. In more recent Debian GNU/Linux versions (Wheezy, for example), the keyrings are stored in specific files all located in the /etc/apt/trusted.gpg.d directory. For example, that directory could contain the following files: debian-archive-squeeze-automatic.gpg or debian-archive-wheezy-automatic.gpg. Incidentally, both files are provided by the debian-archive-keyring package.
Secure apt groundwork: checksums
A Debian archive contains a Release file, which is updated each time any of the packages in the archive change. Among other things, the Release file contains some checksums of other files in the archive. An excerpt of an example Release file:
MD5Sum: 6b05b392f792ba5a436d590c129de21f 3453 Packages 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz 2a5167881adc9ad1a8864f281b1eb959 1715 Sources 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz
Now if we look inside a Packages file, we’ll find more checksums, one for each package listed in it. For example:
Package: uqm Priority: optional ... Filename: unstable/uqm_0.4.0-1_amd64.deb Size: 580558 MD5sum: 864ec6157c1eea88acfef44d0f34d219
These two checksums allow apt to verify that it has downloaded a correct copy of the Packages file, with a checksum that matches the one in the Release file. And when it downloads an individual package, it can also check its checksum against the content of the Packages file. If apt fails at either of these steps, it will abort.
None of this is new in secure apt, but it does provide the foundation. Notice that so far there is one file that apt doesn’t have a way to check: The Release file. Secure apt is all about making apt verify the Release file before it does anything else with it, and plugging this hole, so that there is a chain of verification from the package that you are going to install all the way back to the provider of the package.
Signed Release files
To plug the hole, secure apt adds an OpenPGP signature for the Release file. This is put in a file named Release.gpg that’s shipped alongside the Release file. It looks something like this, although only an OpenPGP implementation actually looks at its contents normally:
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx UBGPVc7jbHHsg78EhMBlV/U= =x6og -----END PGP SIGNATURE-----
(Technically speaking, this is an ASCII-armored detached OpenPGP signature.)
How apt uses Release.gpg
Secure apt always downloads Release.gpg files when it’s downloading Release files, and if it cannot download the Release.gpg, or if the signature is bad, it will complain, and will make note that the Packages files that the Release file points to, and all the packages listed therein, are from an untrusted source. Here’s how it looks during an apt-get update:
W: GPG error: https://deb.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
Note that the second half of the long number is the key id of the key that apt doesn’t know about, in this case that’s 2D230C5F.
If you ignore that warning and try to install a package later, apt will warn again:
WARNING: The following packages cannot be authenticated! libglib-perl libgtk2-perl Install these packages without verification [y/N]?
If you say Y here you have no way to know if the file you’re getting is the package you’re supposed to install, or if it’s something else entirely that a black hat has arranged for you, containing a nasty surprise.
Note that you can disable these checks by running apt with —allow-unauthenticated.
It’s also worth noting that newer versions of the Debian installer use the same signed Release file mechanism during their debootstrap of the Debian base system, before apt is available, and that the installer even uses this system to verify pieces of itself that it downloads from the net. Also, Debian does not currently sign the Release files on its CDs; apt can be configured to always trust packages from CDs so this is not a large problem.
How to tell apt what to trust
So the security of the whole system depends on there being a Release.gpg file, which signs a Release file, and of apt checking that signature using gpg. To check the signature, it has to know the public key of the person who signed the file. These keys are kept in apt’s own keyring (/etc/apt/trusted.gpg), and managing the keys is where secure apt comes in.
By default, Debian systems come preconfigured with the Debian archive key in the keyring.
user@host:~> sudo apt-key list
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
pub rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793
uid [ unknown] Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
Here A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793 is the key fingerprint, and notice that this key is only valid for a limited period. Debian occasionally rotates these keys as a last line of defense against some sort of security breach breaking a key.
That will make apt trust the official Debian archive, but if you add some other apt repository to /etc/apt/sources.list, you’ll also have to give apt its key if you want apt to trust it. Once you have the key and have verified it, it’s a simple matter of «apt-key add file» to add it. Getting the key and verifying it are the trickier part.
How to find and add a key
The debian-archive-keyring package is used to distribute keys to apt. Upgrades to this package can add (or remove) OpenPGP keys for the main Debian archive.
For other archives, there is not yet a standard location where you can find the key for a given apt repository. There’s a rough standard of putting the key up on the web page for the repository or as a file in the repository itself, but no real standard, so you might have to hunt for it.
The current and the retired Debian archive «signing» keys are available from https://ftp-master.debian.org/keys.html.
The OpenPGP ecosystem has a standard way to distribute keys, using a keyserver that OpenPGP implementation can use to download a key from and add it to a keyring. For example with Sequoia-PGP:
user@host:~> sq keyserver get --binary --output debian-archive-bullseye-stable.pgp 'A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793'
Or with GnuPG:
user@host:~> gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 'A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793' gpg: key 605C66F00D6C9793: public key "Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>" imported gpg: Total number processed: 1 gpg: imported: 1 user@host:~> gpg --output debian-archive-bullseye-stable.pgp --export 'A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793'
To install the keyring simply copy it to the apt trusted.gpg.d directory:
user@host:~> sudo cp -i debian-archive-bullseye-stable.pgp /etc/apt/trusted.gpg.d/
How to tell if the key is safe
By adding a key to apt’s keyring, you’re telling apt to trust everything signed by the key, and this lets you know for sure that apt won’t install anything not signed by the person who possesses the private key. But if you’re sufficiently paranoid, you can see that this just pushes things up a level, now instead of having to worry if a package, or a Release file is valid, you can worry about whether you’ve actually gotten the right key. Is the information on https://ftp-master.debian.org/keys.html mentioned above correct or is this all some clever trap?
It’s good to be paranoid in security, but verifying things from here is harder. OpenPGP has the concept of a chain of trust, which can start at someone you’re sure of, who signs someone’s key, who signs some other key, etc., until you get to the archive key. If you’re sufficiently paranoid you’ll want to check that your archive key is signed by a key that you can trust, with a trust chain that goes back to someone you know personally. If you want to do this, visit a Debian conference or perhaps a local LUG for a key signing.
(Note: Not all apt repository keys are signed at all by another key. Maybe the person setting up the repository doesn’t have another key, or maybe they don’t feel comfortable signing such a role key with their main key.)
If you can’t afford this level of paranoia, do whatever feels appropriate to you when adding a new apt source and a new key. Maybe you’ll want to mail the person providing the key and verify it, or maybe you’re willing to take your chances with downloading it and assuming you got the real thing. The important thing is that by reducing the problem to what archive keys to trust, secure apt lets you be as careful and secure as it suits you to be.
Here’s a blog post with a procedure to verify the key’s integrity. See also Securing Debian, Ch7.
Debian archive key expiry
Since secure apt was introduced, the keys used to sign the main Debian archive have changed a couple of times. Since secure apt is young, we don’t have a great deal of experience with changing the key and there are still rough spots.
In January 2006, a new key for 2006 was made and the Release file began to be signed by it, but to try to avoid breaking systems that had the old 2005 key, the Release file was signed by that as well. The intent was that apt would accept one signature or the other depending on the key it had, but apt turned out to be buggy and refused to trust the file unless it had both keys and was able to check both signatures. This was fixed in apt version 0.6.43.1. There was also confusion about how the key was distributed to users who already had systems using secure apt; initially it was uploaded to the web site with no announcement and no real way to verify it and users were forced to download it by hand. This was fixed by the introduction of the debian-archive-keyring package, which manages apt keyring updates.
In late 2006, a new key was created that will be used to sign the archive for the lifetime of the Debian 4.0 release (until 2009-07-01). The archive began to be signed by this new key in addition to the yearly signing key for 2006. That was a bit confusing, because the key began to be used before it was announced and before debian-archive-keyring was updated to include it! Apt’s warning message in this situation is slightly opaque to end users. There’s obviously still room for improvement in how we roll out new keys. This new key does answer the question of how users of the 4.0 (etch) release will be able to validate their software for the lifetime of that release. This new key is also being used to sign other versions of Debian (like unstable).
On February 7th 2007, the 2006 key expired. Currently the only known breakage of this is that it broke rc1 of the etch installer, since the installer images only know about the 2006 key. Daily builds of the installer have the 2007 key and continue to work.
Most recently, a new Etch stable release key has been added. This key is an offline key that will be used to sign releases of Etch (including point releases).
How to manually check for package’s integrity
There are sometimes you want to manually check that a package hasn’t been tampered since the time it was uploaded to the archive and the time you downloaded it. The apt system will take care of this procedure automatically, but in this section we will describe how to perform these safety tests manually.
First, we’re assuming you have downloaded the Release information from a trusted source (official Debian servers and mirrors). You’ll need to check the Release file as the first step, for that you’ll use the signature Release.gpg file, as in the following example.
Note: You will have to import the public key for the archive, if it isn’t in your keyring; and use your current distribution instead of «sid».
cd /var/lib/apt/lists
gpgv --keyring /etc/apt/trusted.gpg deb.debian.org_debian_dists_sid_Release.gpg
deb.debian.org_debian_dists_sid_Release
After that you check the md5sums of the Packages file for each of the components. For example:
# Print the md5sum of the Packages file which is listed in the Release file.
sed -n "s,main/binary-amd64/Packages$,,p" deb.debian.org_debian_dists_sid_Release
# Print the md5sum of the Packages file itself.
md5sum deb.debian.org_debian_dists_sid_main_binary-amd64_Packages
Finally, we check the MD5 or SHA checksum of the package itself.
apt-cache show <package_name> | sed -n "s/MD5sum: //p" # Grab the checksum from the APT cache. md5sum <binary_package_name>.deb # Compare it against the binary package's checksum.
This section is far from complete, but we expect is a good introductory material for digging into the Debian packages’ trust chain.
TODO: Add signature verification: dscverify quick introduction.
Other problems
- One not so obvious gotcha is that if your clock is very far off, secure apt will not work. If it’s set to a date in the past, such as 1999, apt will fail with an unhelpful message such as this:
W: GPG error: https://archive.progeny.com sid Release: Unknown error executing gpg
Although apt-key list will make the problem plain:
gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem) gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem) pub 1024D/2D230C5F 2006-01-03 uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
If it’s set to a date too far in the future, apt will treat the keys as expired.
- Another problem you may encounter if using testing or unstable is that if you have not run apt-get update lately and apt-get install a package, apt might complain that it cannot be authenticated (why does it do this?). apt-get update will fix this.
- If apt gives a warning like this:
W: There are no public key available for the following key IDs: A70DAF536070D3A1
- This means that the archive has begun to be signed by a new key, which your system does not know about. In this example, the new key is a dedicated key that will be used to sign the release of Debian 4.0. Since the archive was still signed by another key that apt knows about, this is just a warning, and once the system is fed the new key (by upgrading the debian-archive-keyring package), the warning will go away.
- If you have the debsig-verify package installed, you might run into errors like this one:
dpkg: error processing /var/cache/apt/archives/anjuta-common_1.2.4a-2_all.deb (--unpack): Verification on package /var/cache/apt/archives/anjuta-common_1.2.4a-2_all.deb failed! Authenticating /var/cache/apt/archives/anjuta-common_1.2.4a-2_all.deb ... debsig: Origin Signature check failed. This deb might not be signed.
This actually has nothing to do with secure apt. debsig-verify checks for signatures embedded inside individual Debian packages. Since such signatures are not widely used (we use secure apt instead), it doesn’t work very well to install this, and removing the debsig-verify package will fix the problem.
- If apt-get update outputs this
W: GPG error: http://non-us.debian.org stable/non-US Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D W: You may want to run apt-get update to correct these problems
remove non-us from /etc/apt/sources.
Setting up a secure apt repository
From man apt-secure
If you want to provide archive signatures in an archive under your maintenance you have to:
- Create a toplevel Release file. if it does not exist already. You can do this by running apt-ftparchive release (provided inftp apt-utils).
- Sign it. You can do this by running gpg -abs -o Release.gpg Release.
- Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.
Whenever the contents of the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps previously outlined.
Failed updates and missing keys
Don’t be surprised if you attempt to apt-get upgrade and things do not work as expected. Additionally, trying to resolve the missing key with procedures on this page will fail too. If you encounter the issues, please file a bug report.
Below is a typical set of failures you will encounter using Debian Hurd as an example. Many ports fail the same way.
$ sudo apt-get update Hit https://snapshot.debian.org sid InRelease Get:1 https://ftp.debian-ports.org unreleased InRelease [32.8 kB] Get:2 https://snapshot.debian.org sid/main Sources/DiffIndex [7876 B] Ign https://ftp.debian-ports.org unreleased InRelease Get:3 https://snapshot.debian.org sid/main hurd-i386 Packages/DiffIndex [7876 B] Ign https://ftp.debian-ports.org unreleased/main Sources/DiffIndex Get:4 https://snapshot.debian.org sid/main Translation-en/DiffIndex [7876 B] Ign https://ftp.debian-ports.org unreleased/main hurd-i386 Packages/DiffIndex Err https://ftp.debian-ports.org unreleased/main Sources Err https://ftp.debian-ports.org unreleased/main hurd-i386 Packages Err https://ftp.debian-ports.org unreleased/main Sources Err https://ftp.debian-ports.org unreleased/main hurd-i386 Packages Err https://ftp.debian-ports.org unreleased/main Sources Err https://ftp.debian-ports.org unreleased/main hurd-i386 Packages Hit https://ftp.debian-ports.org unreleased/main Sources Hit https://ftp.debian-ports.org unreleased/main hurd-i386 Packages Ign https://ftp.debian-ports.org unreleased/main Translation-en Fetched 56.4 kB in 5s (10.4 kB/s) Reading package lists... W: GPG error: https://ftp.debian-ports.org unreleased InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B4C86482705A2CE1 $ sudo apt-get install debian-ports-archive-keyring Reading package lists... Done Building dependency tree Reading state information... Done debian-ports-archive-keyring is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded. $ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys B4C86482705A2CE1 gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/documentation/faqs.html for more information gpg: requesting key 705A2CE1 from hkp server keyserver.ubuntu.com gpg: keyserver timed out gpg: keyserver receive failed: keyserver error $ sudo apt-key update gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed gpg: key 65FFB764: "Wheezy Stable Release Key <debian-release@lists.debian.org>" not changed gpg: key 46925553: "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>" not changed gpg: key 518E17E1: "Jessie Stable Release Key <debian-release@lists.debian.org>" not changed gpg: key 2B90D010: "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed gpg: key C857C906: "Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed gpg: Total number processed: 7 gpg: unchanged: 7
History
Conectiva implemented something similar in their fork of APT. Debian Developers Colin Walters and Isaac Jones implemented APT Secure for Debian in 2003. Around Christmas 2003, Matt Zimmerman(?) integrated this patch into APT 0.6. In February 2005, Debian started migrating to apt-secure.
(Add any here.)
Debian isn’t Ubuntu and won’t have sudo installed by default. It might be worth changing the usage of sudo, and making the examples use the root account explicitly — SteveKemp
Given the failure modes I’ve seen from gpg —recv-keys, suggesting that a user run it as root doesn’t seem wise to me. But I’ve never actually audited it either.. Despite sudo not being installed by default (in sarge), I think that most of the audience of this page are familiar with it, or can skip over it. — JoeyHess
Does it make any sense to pre-install debian-server-keyring on every debian system? At least the user should be asked if s/he trusts this key. Until now (2006-01-07) the Debian Archive Automatic Signing Key is not in the strong set of keys. Thus is it not possible to test via pathfinders if there is a trust path from my key to the Debian Archive Automatic Signing Key. (See http://pgp.cs.uu.nl/ or http://www.lysator.liu.se/~jc/wotsap/search.html)
Yes, the debian-archive-keyring package will be our key upgrade path for all Debian systems, so it should be installed on all of them, and I assume will be in standard. — JoeyHess
Can we somehow integrate this idea into this page? I think it’s important we also move in this direction. — madduck
I tried making a local repository using apt-move, serving machines running testing and stable. I could not use the same repository for both stable and testing due to incopatibilities between apt v5 and v6. You might highlight this when you get around to writing the bit about crating a repository. I could get v6 working for testing but not for sarge. —?MartinHodges
What does it mean for md5sum to be broken? Since it’s a checksum, I thought the only way it can be broken is that it fail to compute the proper checksum. I have a feeling some other meaning is intended. —?RossBoylan
**it is broken as people were able to actually create a fake certificate that could sign anything and was trusted, they did this by finding a collision, they created a certificate that had the same md5 sum as the certificate they were issued, and where thereby able to give themselves right other than they were granted.—Scientes
***apt has supported sha256 checksums since version 0.7.7, so these will be used in lenny and future releases. —JoeyHess
The idea is that generating a checksum from a file is easy, but recreating a file from a checksum (or making another file generate the same checksum) is very hard (ideally, it would be impossible). «md5sum is being broken» means that that «very hard» path becomes quite possible. In other words, it is becoming (or maybe even has become) feasible to create a «rogue» Debian package that still generates the same checksum as the original true package. —JohnZaitseff
I’d say «theoretically possible in certian cases which may or may not include the Debian Packages files», not «quite possible» —JoeyHess
Does Secure APT cover the possibility that the archive machine itself is broken into? What is there to stop someone «inserting» a rogue version of a Debian package and simply regenerating the Packages and Release/Release.gpg files? I strongly suspect this has been considered, but this document does not mention it. Perhaps a link to appropriate documentation, if such exists? —JohnZaitseff
If someone has root access to your machine they already have everything, they do not need to break apt. Detecting if your machine has been broken into is another topic and something extremely difficult, although there are certainly some things debian could do better. —Scientes
Yes, if this happens we can revoke the archive key, and introduce a new key for the new install of ftp-master and rollback of the archive to its last known good state that we’d have to do after such an incident. —JoeyHess
It might be worth linking to https://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-check-non-debian-releases as it explains briefly how to create the Release and Release.gpg files for repositories. —?JohnLamb
I had a problem where apt gave the dreaded «WARNING: The following packages cannot be authenticated» message despite having debian-archive-keyring installed and having run «apt-get update». It turned out that my sources list contained deb https://security.debian.org/ stable updates/main instead of deb https://security.debian.org/ stable/updates main Apt found the packages file and could find all the debs, but it was not locating the Releases and Releases.gpg files. —AlexKing
Would you add an explanation of why apt-get, apt-key, etc. might run into the GnuPG «resource limit» and how to fix it? This seems to result in the «NO_PUBKEY» warnings even if the respective keys are in the trustdb trusted.gpg. E.g.:
$ sudo apt-key update gpg: keyblock resource `/etc/apt/trusted.gpg.d//webupd8team-java.gpg': resource limit gpg: keyblock resource `/etc/apt/trusted.gpg.d//webupd8team-y-ppa-manager.gpg': resource limit gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" not changed gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" not changed gpg: key C0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" not changed gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed gpg: Total number processed: 4 gpg: unchanged: 4
—AslamKarachiwala
Note: apt-key is in the process of being deprecated, at least for the managing of keys. Discussion in Debian bug 851774 .
CategoryPermalink | CategoryPackageManagement
I recently clean installed Debian 9 on two machines, a desktop and a laptop. I had a problem updating the repositories on both machines. I did eventually get the desktop to update properly, but the laptop is still ‘broken’. Perhaps relevant to the problem is that I did a Net Install on both computers.
My laptop is an old Dell 1420 with an Intel Centrino CPU. Everything else works.
Here’s what I get when I ‘sudo apt-get update’ on my laptop:
Code: Select all
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Hit:3 https://repo.skype.com/deb stable InRelease
Hit:4 http://ftp.us.debian.org/debian stretch-updates InRelease
Err:1 http://security.debian.org stretch/updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
Ign:5 http://ftp.us.debian.org/debian stretch/updates InRelease
Ign:7 http://ftp.us.debian.org/debian stretch/updates Release
Err:4 http://ftp.us.debian.org/debian stretch-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Get:6 http://ftp.us.debian.org/debian stretch Release [118 kB]
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Get:11 http://ftp.us.debian.org/debian stretch Release.gpg [2,373 B]
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:11 http://ftp.us.debian.org/debian stretch Release.gpg
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Get:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Get:13 http://ftp.us.debian.org/debian stretch/contrib Sources [44.7 kB]
Get:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages [7,095 kB]
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Hit:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Hit:15 http://ftp.us.debian.org/debian stretch/main Sources
Hit:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Hit:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Hit:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Ign:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Ign:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Hit:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Hit:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Hit:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Hit:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Ign:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Ign:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Ign:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Ign:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Hit:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Hit:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Hit:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Ign:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Ign:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Ign:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Err:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
404 Not Found [IP: 64.50.233.100 80]
Hit:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Hit:15 http://ftp.us.debian.org/debian stretch/main Sources
Hit:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Hit:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Hit:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Hit:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Hit:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Hit:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Ign:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Ign:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Ign:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Ign:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Ign:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Hit:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Ign:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Get:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages [77.9 kB]
Hit:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Hit:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Hit:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Hit:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Ign:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Ign:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Ign:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Err:19 http://ftp.us.debian.org/debian stretch/main Translation-en
BZ2_bzread: /var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_stretch_main_i18n_Translation-en.bz2 Read error (-5: DATA_ERROR_MAGIC)
Hit:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Ign:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Hit:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Hit:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Ign:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Hit:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Fetched 120 kB in 6s (17.4 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: The repository 'http://ftp.us.debian.org/debian stretch/updates Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.us.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: GPG error: http://ftp.us.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: The repository 'http://ftp.us.debian.org/debian stretch Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch-updates/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
E: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch/updates/main/source/Sources 404 Not Found [IP: 64.50.233.100 80]
E: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch/main/i18n/Translation-en BZ2_bzread: /var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_stretch_main_i18n_Translation-en.bz2 Read error (-5: DATA_ERROR_MAGIC)
W: Some index files failed to download. They have been ignored, or old ones used instead.
Here’s what I’ve tried so far:
1. I read the ‘SecureApt’ material on the Debian Wiki. Based on that material, I searched for the missing keys, found them and put them in my gpg keyring. But that was wasted work, because I found that the same keys were already present in the ‘apt-key list’. So I did not export them to ‘apt-key’. It appears as though the keys are present and just not being recognized by the repo servers.
2. I checked the file sources.list multiple times and changed the entries to conform with what I found on the Debian Wiki. No joy.
Here’s my sources.list file contents:
Code: Select all
deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch/updates main contrib non-free
3. I deleted the ‘lists’ subdirectory in /var/lib/apt/ and allowed the update process to reform the information.
4. I found the permissions for the file trusted.gpg were ‘0600’ and I set them to ‘0644’, thinking that maybe this was a permission issue.
Like I stated, I did solve this on my desktop machine (and old AMD dual core) but can’t figure out what I did that worked. I’ll take notes next time.
I am reluctant to uninstall and then reinstall the Debian Archrive Keyring.
Thanks in advance.
You might see a missing public GPG key error («NO_PUBKEY») on Debian, Ubuntu or Linux Mint when running apt update / apt-get update. This can happen when you add a repository, and you forget to add its public key, or maybe there was a temporary key server error when trying to import the GPG key.
When running an apt update / apt-get update, or trying to refresh the software sources using some GUI tool, apt will complain about not being able to download all repository indexes, showing errors like this:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ppa.launchpad.net/linuxuprising/apps/ubuntu bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8CACC073C3DB2A
W: Failed to fetch http://ppa.launchpad.net/linuxuprising/apps/ubuntu/dists/bionic/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8CACC073C3DB2A
W: Some index files failed to download. They have been ignored, or old ones used instead.This is just an example. This error can occur not only with Launchpad PPA repositories, but any repository, like those provided by Google, Vivaldi or Node.js, etc.
The error message says that the repository is not updated, and the previous index files will be used. That means you won’t receive updates from that repository, so you should import the public GPG key to fix this issue.
This is how to easily fix the The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ... error. It should work on Debian, Ubuntu, Linux Mint, Pop!_OS, elementary OS, and any other Linux distribution based on Debian or Ubuntu.
Solution 1: Quick NO_PUBKEY fix for a single repository / key.
If you’re only missing one public GPG repository key, you can run this command on your Ubuntu / Linux Mint / Pop!_OS / Debian system to fix it:
sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys THE_MISSING_KEY_HEREYou’ll have to replace THE_MISSING_KEY_HERE with the missing GPG key. The key is shown in the apt update / apt-get update log, after NO_PUBKEY. For example, in the error message I posted above, the missing GPG key that must be used in this command is EA8CACC073C3DB2A.
Also see: How To Fix «Could not get lock /var/lib/dpkg/lock — open (11 Resource temporarily unavailable)» Errors
Solution 2: Batch import all missing GPG keys.
When you’re missing multiple public OpenPGP keys you can use a this one-liner to import all of them in one go:
sudo apt update 2>&1 1>/dev/null | sed -ne 's/.*NO_PUBKEY //p' | while read key; do if ! [[ ${keys[*]} =~ "$key" ]]; then sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys "$key"; keys+=("$key"); fi; doneThere’s no need to change any part of the command, just run it as is. This also works for fixing a single missing GPG key, but it’s a bit redundant. Nonetheless, it works with any number of missing GPG keys.
The command runs sudo apt update to update your software sources and detect missing GPG keys, and it imports each missing key using hkp://pool.sks-keyservers.net:80 as its server. This server is synchronized with many other servers continuously, so it should have updated keys. You could use some other server if you wish.
The command also uses an array to store missing GPG keys for which we’ve already imported the key. Without that, the key import command would run twice for each missing key.
You might also be interested in: How To Make A PGP Key On Linux Using A GUI (And Publish It)
Когда вы пытаетесь установить программу из сторонних репозиториев разработчика программы или из PPA вы можете столкнуться с ошибкой gpg недоступен открытый ключ. Это не значит, что программа платная и вам надо приобрести к ней ключ. Дело в том, что для защиты репозиториев от подмены используется подписывание пакетов с помощью GPG ключей.
Для того чтобы пакетный менеджер мог проверить подпись пакета, который вы пытаетесь установить необходимо чтобы у вас в системе был GPG ключ этого репозитория. Для официальных репозиториев ключи поставляются автоматически, а вот для сторонних надо их вручную добавить. Давайте рассмотрим пути решения этой проблемы.
Как вы можете видеть на снимке, программа сообщает какой именно репозиторий вызвал проблему и какого ключа не хватает:
Самый простой и правильный способ решить эту проблему — добавить ключ в систему. Обычно, там где вы нашли информацию о том как добавить репозиторий есть и информация как добавить его ключ. К тому же в выводе информации об ошибке пакетный менеджер сообщает какой ключ он ожидает увидеть. Вы можете попытаться искать такой ключ в Google или на серверах ключей Ubuntu.
В данном случае не хватает ключа от репозитория Google — 78BD65473CB3BD13. Можно попытаться получить его с серверов Ubuntu:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 78BD65473CB3BD13
Или с другого сервера:
sudo apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys 78BD65473CB3BD13
Если у вас нет ключа от PPA или любого другого репозитория, связанного с разработчиками Ubuntu это должно помочь. Ну и ключ от репозитория Google там есть:
Если же вы получаете ошибку. Ищите данный ключ в интернете, если ключа нет на сайте разработчика, то его можно найти на различных форумах. Скачайте его и добавьте в систему такой командой:
sudo apt-key add /путь/к/файлу.gpg
Ещё одна альтернатива первому способу — попытаться использовать графическую утилиту Y-PPA-Manager от webupd8. Для её установки выполните такие команды:
sudo add-apt-repository ppa:webupd8team/y-ppa-manager
sudo apt install y-ppa-manager
Затем запустите программу из главного меню или терминала. В главном окне программы выберите Advanced:
В открывшемся окне выберите Try to import all missing GPG keys, а потом дождитесь завершения работы утилиты:
После того как ключ добавлен вы можете снова попытаться импортировать репозитории и на этот раз у вас должно всё получится.
Выводы
В этой небольшой статье мы рассмотрели что делать когда возникает ошибка gpg недоступен открытый ключ и как исправить эту ошибку. Даже не думайте, что что можно обойтись без ключа. Все методы, которые позволяли просить APT игнорировать проверку ключей в современных версиях дистрибутива уже не работают. Если у вас остались вопросы, спрашивайте в комментариях!
Статья распространяется под лицензией Creative Commons ShareAlike 4.0 при копировании материала ссылка на источник обязательна .
Об авторе
Основатель и администратор сайта losst.ru, увлекаюсь открытым программным обеспечением и операционной системой Linux. В качестве основной ОС сейчас использую Ubuntu. Кроме Linux, интересуюсь всем, что связано с информационными технологиями и современной наукой.
Иногда после добавления в систему нового репозитория или истечения срока действия ключа уже используемого репозитория вы можете наблюдать сообщение которое например содержит такую фразу: NO_PUBKEY 85C2394343D5CDFA.
Для решения этой проблемы мы написали самую полную инструкцию.
Как добавить этот ключ и устранить эту проблему? — возможно это один из наиболее часто возникающих вопросов у всех кто добавлял репозитории в свою систему кроме системных по умолчанию.
В этой статье я постараюсь изложить все варианты решения которые я встретил в Интернет на разных сайтах.
Поэтому хочу попросить вас дочитать ее до конца, а не останавливаться на первой команде, тем более если она выдала у вас ошибку.
Сразу для понимания самой проблемы, определимся зачем нужны эти самые ключи и почему их требует система.
А нужны они всего лишь для одной цели — защита репозитория от подмены злоумышленником в нем информации по технологии открытых/закрытых ключей. Наша система хранит у себя первую часть ключа (открытый ключ), а сам репозиторий откуда мы берем файлы подписан второй частью ключа (закрытый ключ), который нам не доступен.
Другими словами открытый ключ репозитория который хранится в нашей системе — это своего рода цифровая подпись репозитория. Он гарантирует что все что мы загружаем из репозитория — легально и безопасно. Тем более в последних дистрибутивах, если репозиторий не подписан — он считается не достоверным и с него игнорируются все программы. Но не буду углубляться в эту тему сейчас, она достойна еще одной статьи, что бы рассказать как это работает, поэтому продолжим.
За пример возьмем Debian-подобную систему.
Итак, наша система хранит у себя открытые ключи репозиториев в двух местах:
- Файл
/etc/apt/trusted.gpg— это один большой файл, в котором может быть информация о нескольких ключах сразу. - Папка
/etc/apt/trusted.gpg.d/— в этой директории может находится много файлов с разными названиями, подобных указанному в прошлом пункте.
По умолчанию в ней обычно уже находятся такие файлы как:
ubuntu-keyring-2012-archive.gpg
ubuntu-keyring-2012-cdimage.gpg
ubuntu-keyring-2018-archive.gpg
Сразу хочу обратить внимание на расширение файла в этой директории. Система обрабатывает только два возможных варианта файлов ключей.- файл ключа <имя фала>.gpg — содержимое хранится в двоичном(бинарном) виде.
- файл ключа <имя фала>.asc — содержимое файла должно быть в текстовом виде.
Причем содержимое файла и его расширение не стоит путать между собой, т.е. если у вас ключа в файле будет в текстовом виде, а вы укажете у файла расширение .gpg, то система его попросту проигнорирует.
Открытые ключи, необходимые системе для того, что бы проверить подлинность репозитория к которому она обращается, обычно могут находиться в двух местах:
- На публичных общедоступных серверах хранения публичных ключей. В этом случае рекомендуется брать их из гарантированных источников.
Например:
http://keyserver.ubuntu.com/
https://keyring.debian.org/
http://keys.gnupg.net/
https://pgp.mit.edu/ - Непосредственно у разработчика репозитория. Обычно сам поставщик репозитория об этом и сообщает у себя на странице и публикует краткую инструкцию как его добавить.
- Например, вы можете увидеть вот такую строчку:
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
которая добавляет ключ репозитория непосредственно в файл/etc/apt/trusted.gpg - или вот такого плана:
sudo curl -o /etc/apt/trusted.gpg.d/agp-debian-key.gpg http://download.ag-projects.com/agp-debian-key.gpg
которая кладет файл репозитория в директорию/etc/apt/trusted.gpg.d/
- Например, вы можете увидеть вот такую строчку:
Мы рассмотрим добавление ключа из серверов хранения открытых ключей. Так как 90% ключей может быть обнаружено на них, а остальные 10% нужно смотреть как их добавить непосредственно на сайте разработчика репозитория.
Для этого запускаем терминал и вводим всего одну лишь команду:
$ sudo apt-key adv --keyserver name_keyserver --recv-keys key_id
где
name_keyserver — берем один из доверенных источников публичных ключей. Например keyserver.ubuntu.com.
key_id — цифровой идентификатор необходимого нам ключа. Если брать пример нашего случая, то это будет 85C2394343D5CDFA. Можно также вначале этого кода добавить 0x, что будет говорить системе что это число в шестнадцатеричной системе исчисления.
Итак, вводим команду:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x85C2394343D5CDFA
Противник повержен и ключ добавлен в систему !
Теперь я хотел бы озвучить разные дополнительные плюшки решения этой проблемы.
- Если у вас всего один лишь ключ, то строчку можно еще укоротить на пару символов и вместо ключа
--recv-keysиспользовать просто:--recv
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 0x85C2394343D5CDFA - Также можно не указывать спецсимвол 0x в цифровом идентификаторе ключа:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 85C2394343D5CDFA - Бывают случаи когда на эту команду система не реагирует и начинает долго думать. Спасти ситуацию может следующий синтаксис указания сервера ключей:
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 85C2394343D5CDFA - Если у вас выход в интернет доступен только через прокси, тогда необходимо добавить соответствующую опцию:
--keyserver-options http-proxy="http://your_proxy_server:port"
где
your_proxy_server — имя или IP-адрес вашего прокси
port — его порт
В результате получим приблизительно вот такой вид команды
$ sudo apt-key adv --keyserver-options http-proxy="http://192.168.0.1:3128" --keyserver keyserver.ubuntu.com --recv 85C2394343D5CDFA - Если у вас недостает сразу много ключей и вы не хотите добавлять каждый по очереди, вам должна помочь вот такая команда:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys `sudo apt-get update 2>&1 | grep -o '[0-9A-Z]{16}$' | xargs`
Которая создаст список всех недостающих ключей и сразу общей кучей их добавит. В этой команде также можно добавлять опции указанные в пунктах 3 и 4. - Еще есть вариант «как делали раньше». Это в том случае, если не помогло все вышесказанное.
- Вначале получаем публичный ключ и сохраняем его непосредственно в пользовательской базе. Ключи у каждого пользователя хранятся в папке ~/.gnupg, которая расположена в его домашней папке.
$ gpg --keyserver keyserver.ubuntu.com --recv-keys 0x85C2394343D5CDFA
Эту команду также можно писать в интерпретациях как мы описывали выше. - А теперь делаем экспорт этого ключа уже из нашей пользовательской базы и добавляем его в базу системных ключей APT
$ gpg --export --armor 85C2394343D5CDFA | sudo apt-key add --
или так
$ gpg -a --output /tmp/pub.asc --export 85C2394343D5CDFA
$ sudo apt-key add /tmp/pub.asc - Или еще проще. Просто проведите экспорт ключа сразу в папку
/etc/apt/trusted.gpg.d/
$ sudo gpg -a --output /etc/apt/trusted.gpg.d/required_key.asc --export 85C2394343D5CDFA
- Вначале получаем публичный ключ и сохраняем его непосредственно в пользовательской базе. Ключи у каждого пользователя хранятся в папке ~/.gnupg, которая расположена в его домашней папке.
Если у вас есть ключ репозитория в виде файла, его также можно добавить используя графическую утилиту
$ sudo software-properties-gtk
Как вы догадались, через кнопку «Импортировать файл ключа».
Но как по мне это больше баловство чем удобство, особенно учитывая то, что большинство ключей в файлах не бывает.
В этой же утилите можно просмотреть те ключи, которые уже установленны в системе или удалить.
Все. Вроде ничего не упустил.
Помогла ли вам эта статья?
Или вы знаете еще что-то, чего не указано в этой статье?
Все замечания и неточности прошу указывать в комментариях.
Буду сразу стараться оперативно исправлять ошибки или дополнять статью.
9669112cookie-checkИсправляем ошибку NO_PUBKEY или как добавить ключ репозитория
Автор публикации
Ubuntu*Pack / ualinux.com
Комментарии: 1033Публикации: 956Регистрация: 10-06-2016
Comments
notthatbreezy
added a commit
to raster-foundry/raster-foundry-docs
that referenced
this issue
Dec 19, 2017
notthatbreezy
added a commit
to raster-foundry/raster-foundry-docs
that referenced
this issue
Dec 19, 2017
* Update dependency pinning to be slightly more restrictive * Update readme instructions * Add yarn GPG key manually See: yarnpkg/yarn#4453
rclarkburns
added a commit
to castiron/puppet-yarn
that referenced
this issue
May 15, 2018
danigunawan
added a commit
to danigunawan/Computer-Vision-and-Deep-Learning-Setup
that referenced
this issue
Jan 5, 2019
Development Area(s) of Interest* Accelerated Computing Autonomous Machines Deep Learning Design & Visualization Game Development Self Driving Cars Smart Cities Virtual Reality Application Domain : - Image Classification - Facial Recognition - Action Recognition - Big Data - Natural Language Processing - Medical - Speech Recognition - Object Recognition - Machine Learning Algorithms/Research Deep Learning Framework * : - Caffe - Caffe2 - Chainer - CNTK(Microsoft Cognitive Toolkit) - Deeplearning4j - Keras - MATLAB - MxNet - TensorFlow - Theano - Torch/PyTorch TRELLO : https://trello.com/b/wKBiqfM7/data-scientist ### ROADMAP DATA SCIENTIST ### https://github.com/MrMimic/data-scientist-roadmap https://github.com/bulutyazilim/awesome-datascience REFF: https://www.petanikode.com/python-virtualenv/ TOOLS : MINICONDA ANACONDA # https://conda.io/docs/user-guide/install/linux.html, #https://github.com/danigunawan/Fullstack-Python-Django-Dev/blob/master/16_djangolevelone/dev%20tools/1.django%20level%20one.txt ENV : - PIP - VIRTUALENV DEEP LEARN : - YOLO - TENSORFLOW - OPENCV INSTALL PYTHON UBUNTU 16.04 ============================ sudo apt-get -y install python sudo apt-get -y install python3 which python ls -l /usr/bin/python 1. PIP REFF :How to Install Pip on Ubuntu 16.04https://www.abiraf.com/blog/modules-python-yang-wajib-dimiliki---virtualenv-dan-pip https://www.petanikode.com/python-virtualenv/ sudo apt-get update && sudo apt-get -y upgrade sudo apt-get install python-pip pip -V # PY2 pip3 -V # PY3 pip search package_name pip install package_name pip uninstall package_name pip --help #ALTERNATE sudo easy_install pip # PY2 sudo easy_install pip3 # PY3 2. VIRTUAL ENV apt install virtualenv apt install python-virtualenv # PY 2 apt install python3-virtualenv # PY 3 # Alternate sudo pip install virtualenv # install ENV LEWAT PIP # Latest Version Beta No Stable sudo pip install https://github.com/pypa/virtualenv/tarball/develop # With Curl curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-X.X.tar.gz tar xvfz virtualenv-X.X.tar.gz cd virtualenv-X.X sudo python setup.py install # CEK VIRTUAL ENV which virtualenv virtualenv --version # Membuat Virtual ENV mkdir my-project cd my-project virtualenv my-env Saat kita mengetik perintah virtualenv my-env, virtualenv akan otomatis membuat lingkungan virtual dan direktori baru bernama my-env. my-project/ └── my-env/ ├── bin ├── include ├── lib ├── local └── pip-selfcheck.json # Aktifkan Virtual Env source my-env/bin/activate atau . my-env/bin/activate # install Flask With PIP pip install Flask flask --version jika error : . my-env/bin/activate # masuk dulu ke env agar flask bisa flask --version ######## DEEP LEARNING AND COMPUTER VISION ######### # Awesome Deep Learning (RECOGNITION) https://github.com/daicoolb/Awesome-Object-Detections https://github.com/amusi/awesome-object-detection https://github.com/kjw0612/awesome-deep-visionHomepage# Video Analytics - Yolo # Realtime Object Detection Darknet - OpenFace # Face Recognition # REQUIRMENT SPEC DEEP LEARNING : - NVDIA GPU, Drivers - CUDA - cuDDN Libraries - Tensorflow - Darknet YOLO - Theano - Linux Ubuntu 16.04, 17.10, 18.04 - Keras - OpenCV - Raspberry + Camera ## INSTALL ENVIRONMENT DEEP LEARNING & COMPUTER VISION # INSTALL NVDIA + CUDA 9 UBUNTU 16.04 ON LAPTOP https://gist.github.com/zhanwenchen/e520767a409325d9961072f666815bb8#install-nvidia-graphics-driver-via-apt-get https://www.linuxsec.org/2018/05/cara-install-driver-nvidia-terbaru-di.html https://medium.com/@omar.merghany95/how-to-install-tensorflow-gpu-with-cuda-toolkit-9-0-and-cudnn-7-2-1-on-aws-ec2-ubuntu-16-04-c46b469a7358 https://medium.com/@yifanguo1129/install-cuda-9-0-and-cudnn-7-2-on-ubuntu-18-04-d9a7aeb89105 https://askubuntu.com/questions/967332/how-can-i-install-cuda-9-on-ubuntu-17-10 https://askubuntu.com/questions/995542/installing-cuda-8-on-ubuntu-16-unable-to-locate-package-cudaSetting up Ubuntu 16.04 + CUDA + GPU for deep learning with PythonHow to install Tensorflow GPU with CUDA 10.0 for python on Ubuntuhttp://www.advancedclustering.com/act_kb/installing-nvidia-drivers-rhel-centos-7/ # INSTALL ON CENTOS https://davidwpearson.wordpress.com/2017/12/21/installing-nvidias-cuda-9-1-on-fedora-27/ # INSTALL ON FEDORA https://ddkang.github.io/2018/11/05/installing-cuda.html http://security-plus-data-science.blogspot.com/2018/01/setting-up-cuda-9-on-fedora-27.html https://nicolas-bettenburg.com/2018-08-18-ubuntu-18-04-deep-learning-box/ https://qiita.com/ishizakiyu/items/bcf1b76f1f4f02b0ac57 Install CUDA 9.2, cuDNN 7.2.1, Anaconda and PyTorch on Ubuntu 16.04 : https://gist.github.com/kylemcdonald/3ae0b88a1bf91afc00ba441fe6823a17 - INSTALL DRIVER NVDIA (AUTOMATIS RECOMMENDED) sudo ubuntu-drivers autoinstall # akan menginstall CUDA AUTOMATIS - INSTALL DRIVER NVDIA MANUAL (MANUAL) ubuntu-drivers devices # CEK sudo apt install nvidia-driver-390 # 390 seri di ubuntu driver cek atau kadang 396 tergantung di pengeckan - INSTALL DRIVER NVDIA VERSI BETA (MANUAL) sudo add-apt-repository ppa:graphics-drivers/ppa ubuntu-drivers devices # CHECK KEMBALI # INSTALL ENV DEEP LEARNING https://github.com/heethesh/Computer-Vision-and-Deep-Learning-Setup - INSTALL CUDA TOOLKIT sudo apt install nvidia-cuda-toolkit nvcc --version - INSTALL TENSORFLOW ######## END DEEP LEARNING AND COMPUTER VISION ######### ######## DEEP LEARNING (CHATBOT) ######### ######## END DEEP LEARNING (CHATBOT) ######### ##### BIG DATA ##### - Hadoop ###### IMPROVISATION AND EXPLORE ###### ## YOLO EXPLORE ## # SUPERVISELY CLUSTER # MEDIA STREAMING SERVER @ REFF AWESOME : https://github.com/topics/media-server https://github.com/Kickball/awesome-selfhosted https://github.com/ebu/awesome-broadcasting https://github.com/manuzhang/awesome-streaming @ List Media Server Streaming : ~ Comparison : https://en.wikipedia.org/wiki/Comparison_of_streaming_media_systems - wowza - kurento - red5 - nginxRTMP - Ant Media Server - OpenVidu - Jitsi - Flussonic - Kaltura - Node RTSP RTMP Server - https://github.com/R0GGER/mistserver - helixproduction - https://github.com/daniulive/SmarterStreaming - https://hackernoon.com/build-live-video-streaming-server-use-ffmpeg-nginx-rtmp-module-nodejs-82e1bb58949e @ Referensi Spec Server Streaming Yang Bagus - Low Latency WebRTC - Adaptive Bitrate - Hardware Encoding(GPU) - Cluster - Live Publishing to Periscope, Facebook & Youtube - All Community Edition Features - RTMP, RTSP, MP4, HLS - WebRTC to RTMP Adapter - Live Publishing To Periscope - 360 Degree Live & VoD Streams - Management Dashboard @ Adaptive Streaming With Nginx https://licson.net/post/setting-up-adaptive-streaming-with-nginx/ @ Tools : - Openbroadcaster - CasparCG # https://casparcgforum.org/t/simple-video-playout/61, #https://drive.google.com/drive/u/1/folders/12xcrh-LiAatzf6ppW4pyQthokhi55qSN - Wirecast - VLC - FFMPEG - handbrake # Transcoding @ Transcoding : - # How Streaming RTSP / RTMP on client side ex: vlc client with rtmpt://ipdaddress:port # POSTING IMAGE YOLO ON PHP INSERT DB https://stackoverflow.com/questions/45792720/cant-execute-yolo-darknet-from-php-exec-predictions-png-never-appears # MESSAGE QUEUE (ANTRIAN) - KAFKA - REDIS ## END YOLO EXPLORE ## ## ABSENCE FACE RECOGNITION ## https://github.com/topics/attendance-system https://github.com/yodist/face-recognition-lbph ## END ABSENCE FACE RECOGNITION ## ###### TROUBLE SHOOTING ###### 1. Pip is not working: ImportError: No module named 'pip._internal' REFF : https://askubuntu.com/questions/1025189/pip-is-not-working-importerror-no-module-named-pip-internal 2. GPG error: https://dl.yarnpkg.com/debian stable InRelease NO_PUBKEY E074D16EB6FF4DE3 #4453 yarnpkg/yarn#4453 - Solution : curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - ###### BENCHMARK PLATFORM ###### https://lewatmana.com/kota/jakarta-pusat/
yarnpkg
locked as resolved and limited conversation to collaborators
Feb 4, 2021
kingpinzs
referenced
this issue
in yarnpkg/releases
Jan 24, 2023
