Friday, May 23, 2008

Debian, APT and gpg keys

For quite some time now Debian's repositories have been relying on gpg keys to ensure the authenticity and integrity of their packages.

One thing no one had the decency of explaining is how to get a certain repository's key into one's "trusted ring" so apt won't complain when downloading packages from there.

Well, I'm going to go right to the point and tell you exactly what to do.

  1. Add the repository's address to sources.list (if you have any doubts, try man 5 sources.list).
  2. Reload the package lists (through "apt-get update" or Synaptic's "Reload"). It will complain about not having the key to the repository. In that complaint, it will show you the ID of the repository's key. Write down the last 8 digits of it.
  3. With this information in hand, you can download that repository's key using the following command (replace XXXXXXXX with the number you wrote down and <keyserver> with the keyserver's address):

         gpg --keyserver <keyserver> --recv-keys XXXXXXXX

  4. Now all you have to do is import that key into apt's key database:

         gpg --armor --export XXXXXXXX | apt-key add -

  5. And you're done. Now refresh the package lists again and apt won't bug you anymore.
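
An added example, not part of the original post: shell functions for a check to run between downloading the key and the apt-key import. They pull the key ID out of the complaint from step 2 and compare the downloaded key's full fingerprint with the one the repository publishes, because two different keys can share the same last 8 digits. The apt message, key listings and fingerprints are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the step 2 complaint (not captured from a real run).
SAMPLE_APT_OUTPUT="W: GPG error: http://repo.example.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF"

# Fingerprint the repository publishes out of band (constructed value).
EXPECTED_FPR='AAAA BBBB CCCC DDDD EEEE FFFF 0123 4567 89AB CDEF'

# Constructed `gpg --with-colons --fingerprint` listings: the genuine key and
# a different key whose ID ends in the same 8 digits.
GENUINE_LISTING='pub:-:4096:1:0123456789ABCDEF:1199145600:::-:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1199145600::::Example Repo <repo@example.org>:'
LOOKALIKE_LISTING='pub:-:4096:1:7777888889ABCDEF:1199145600:::-:
fpr:::::::::1111222233334444555566667777888889ABCDEF:
uid:-::::1199145600::::Example Repo <repo@example.org>:'

# Print every key ID apt reports as missing, one per line, de-duplicated.
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]\{16\}' | awk '{ print toupper($2) }' | sort -u
}

# The last 8 hex digits of an ID: the number the post says to write down.
short_id() {
    printf '%s\n' "$1" | sed 's/.*\(.\{8\}\)$/\1/'
}

# Read a colon-format key listing on stdin; succeed only if the primary key's
# fingerprint equals the expected one (spaces and letter case are ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$expected" '
        $1 == "pub" { primary = 1; next }
        $1 == "fpr" && primary { if (toupper($10) == want) found = 1; primary = 0 }
        END { exit !found }'
}

# Demo on the constructed samples.
for id in $(printf '%s\n' "$SAMPLE_APT_OUTPUT" | missing_key_ids); do
    echo "apt is missing key $id (short ID $(short_id "$id"))"
done
for name in GENUINE LOOKALIKE; do
    eval "listing=\$${name}_LISTING"
    if printf '%s\n' "$listing" | fingerprint_matches "$EXPECTED_FPR"; then
        echo "$name: fingerprint matches, safe to import"
    else
        echo "$name: fingerprint differs, do not import"
    fi
done
```

On a real system the listing comes from `gpg --with-colons --fingerprint XXXXXXXX`, piped into `fingerprint_matches` with the fingerprint the repository publishes.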


Paulo "Limão" Simões said...

A Linux Jedi Master? I used to work on RedHat and Fedora for years, always had trouble trying to understand how to completely dominate the OS. And then I gave that up...
Can I be your padawan apprentice?
Show me the ways of the Force!