Go to TogaWare.com Home Page. GNU/Linux Desktop Survival Guide
by Graham Williams
Duck Duck Go


Archive Signatures and Keys

20191217 The apt tool supports signing of a repository's Release file to ensure the integrity of a Debian/Ubuntu archive. The signature is contained in Release.gpg. The Release file is signed using a private key, and a public key is then used to ensure the signature is correct.

The following from an apt-get command is often the first sign of a missing key:

  W: GPG error: ftp://ftp.nerim.net unstable Release: The following 
  signatures couldn't be verified because the public key is not 
  available: NO_PUBKEY 07DC563D1F41B907

Packages can still be installed but messages like the following will be displayed:

  WARNING: The following packages cannot be authenticated!
  Install these packages without verification [y/N]?

Interacting with the apt-key command is simple, with just a few sub-commands: list, add, del, update. The list command will list the public keys that are currently accepted and the add command allows a public key to be added. The key itself needs to be downloaded from a key server using gpg.

To download a key and install it locally the single adv command can be utilised (the key can be identified using the last 8 characters of the id that apt-get reports that it can not verify):

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 1F41B907

A more explicit specification of the keyserver may sometimes be required, often due to firewall restrictions:

  $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 1F41B907

Underneath the following three steps are undertaken:

  $ gpg --keyserver keyring.debian.org --recv-key 1F41B907
  $ gpg --armor --export 1F41B907 | sudo apt-key add -

The warning report should now disappear (at least for this key/repository).

To list the keys and to delete keys if desired:

  $ apt-key list
  $ sudo apt-key del 1F41B907

Support further development by purchasing the PDF version of the book.
Other online resources include the Data Science Desktop Survival Guide.
Books available on Amazon include Data Mining with Rattle and Essentials of Data Science.
Popular open source software includes rattle and wajig.
Hosted by Togaware, a pioneer of free and open source software since 1984.
Copyright © 1995-2020 Togaware Pty Ltd. Creative Commons ShareAlike V4.