Is there a way to retrieve GPG key without actually installing a deb package?
UbuntuThis forum is for the discussion of Ubuntu Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is there a way to retrieve GPG key without actually installing a deb package?
Hi!
I want to install ZFS via zfs-fuse package on Ubuntu 9.04, so I follow the instructions from Ubuntu Wiki.
I add repositories at http://ppa.launchpad.net/brcha/ but while apt-getting I get warning that the package cannot be authenticated.
Since there is no information about needed apt-key in the Ubuntu ZFS wiki and since I'm pretty paranoid, I try both keys of package maintainer, Filip Brcic.
Code:
pub 1024D/162CE87F 2007-06-15
uid Filip Brcic <brcha@gna.org>
uid Filip Brcic <fbrcic@gmail.com>
uid Filip Brcic <brcha@laposte.net>
uid Filip Brcic <brcha@galeb.etf.bg.ac.yu>
uid Filip Brcic <brcha@users.sourceforge.net>
uid [jpeg image of size 4315]
sub 1024g/AC1A891A 2007-06-15
pub 1024R/48A22A95 2009-01-21
uid Launchpad PPA for Filip Brcic
But still get the same warning that the package can't be authenticated.
So, there is my question: how can I retrieve package gpg-key without actually apt-get installing it?
Yes, I know that I can go "https://launchpad.net/~brcha/+archive/ppa -> Technical details about this PPA -> Signing key", but there's actually one of the mentioned above keys that don't work. And I know that at first I need to properly import gpg signature, then run apt-get update and apt-get install. Just in case, I'll post my CLI output:
$ sudo apt-key list
Code:
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 1024D/162CE87F 2007-06-15
uid Filip Brcic <brcha@gna.org>
uid Filip Brcic <fbrcic@gmail.com>
uid Filip Brcic <brcha@laposte.net>
uid Filip Brcic <brcha@galeb.etf.bg.ac.yu>
uid Filip Brcic <brcha@users.sourceforge.net>
uid [jpeg image of size 4315]
sub 1024g/AC1A891A 2007-06-15
pub 1024R/48A22A95 2009-01-21
uid Launchpad PPA for Filip Brcic
Code:
xxxxx@xxxxx:~$ sudo apt-get update
Hit http://archive.canonical.com jaunty Release.gpg
Ign http://archive.canonical.com jaunty/partner Translation-en_US
Hit http://ppa.launchpad.net jaunty Release.gpg
Ign http://ppa.launchpad.net jaunty/main Translation-en_US
Hit http://archive.canonical.com jaunty Release
Hit http://ppa.launchpad.net jaunty Release.gpg
Ign http://ppa.launchpad.net jaunty/main Translation-en_US
Ign http://ppa.launchpad.net jaunty Release.gpg
Ign http://ppa.launchpad.net jaunty/main Translation-en_US
Hit http://ppa.launchpad.net jaunty Release
Hit http://ppa.launchpad.net jaunty Release
Get:1 http://ppa.launchpad.net jaunty Release [31.1kB]
Hit http://archive.canonical.com jaunty/partner Packages
Hit http://ppa.launchpad.net jaunty/main Packages
Ign http://ppa.launchpad.net jaunty/main Packages
Hit http://ppa.launchpad.net jaunty/main Packages
Hit http://ppa.launchpad.net jaunty/main Sources
Hit http://ppa.launchpad.net jaunty/main Packages
Hit http://archive.ubuntu.com jaunty Release.gpg
Ign http://archive.ubuntu.com jaunty/main Translation-en_US
Ign http://archive.ubuntu.com jaunty/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty/universe Translation-en_US
Ign http://archive.ubuntu.com jaunty/multiverse Translation-en_US
Hit http://archive.ubuntu.com jaunty-updates Release.gpg
Ign http://archive.ubuntu.com jaunty-updates/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/universe Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/multiverse Translation-en_US
Hit http://archive.ubuntu.com jaunty-security Release.gpg
Ign http://archive.ubuntu.com jaunty-security/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/universe Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/multiverse Translation-en_US
Hit http://archive.ubuntu.com jaunty-backports Release.gpg
Ign http://archive.ubuntu.com jaunty-backports/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-backports/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-backports/multiverse Translation-en_US
Ign http://archive.ubuntu.com jaunty-backports/universe Translation-en_US
Hit http://archive.ubuntu.com jaunty Release
Hit http://archive.ubuntu.com jaunty-updates Release
Hit http://archive.ubuntu.com jaunty-security Release
Hit http://archive.ubuntu.com jaunty-backports Release
Hit http://archive.ubuntu.com jaunty/main Packages
Hit http://archive.ubuntu.com jaunty/restricted Packages
Hit http://archive.ubuntu.com jaunty/main Sources
Hit http://archive.ubuntu.com jaunty/restricted Sources
Hit http://archive.ubuntu.com jaunty/universe Packages
Hit http://archive.ubuntu.com jaunty/universe Sources
Hit http://archive.ubuntu.com jaunty/multiverse Packages
Hit http://archive.ubuntu.com jaunty/multiverse Sources
Hit http://archive.ubuntu.com jaunty-updates/main Packages
Hit http://archive.ubuntu.com jaunty-updates/restricted Packages
Hit http://archive.ubuntu.com jaunty-updates/main Sources
Hit http://archive.ubuntu.com jaunty-updates/restricted Sources
Hit http://archive.ubuntu.com jaunty-updates/universe Packages
Hit http://archive.ubuntu.com jaunty-updates/universe Sources
Hit http://archive.ubuntu.com jaunty-updates/multiverse Packages
Hit http://archive.ubuntu.com jaunty-updates/multiverse Sources
Hit http://archive.ubuntu.com jaunty-security/main Packages
Hit http://archive.ubuntu.com jaunty-security/restricted Packages
Hit http://archive.ubuntu.com jaunty-security/main Sources
Hit http://archive.ubuntu.com jaunty-security/restricted Sources
Hit http://archive.ubuntu.com jaunty-security/universe Packages
Hit http://archive.ubuntu.com jaunty-security/universe Sources
Hit http://archive.ubuntu.com jaunty-security/multiverse Packages
Hit http://archive.ubuntu.com jaunty-security/multiverse Sources
Hit http://archive.ubuntu.com jaunty-backports/restricted Packages
Hit http://archive.ubuntu.com jaunty-backports/main Packages
Hit http://archive.ubuntu.com jaunty-backports/multiverse Packages
Hit http://archive.ubuntu.com jaunty-backports/universe Packages
Fetched 1B in 1s (1B/s)
Reading package lists... Done
xxxxx@xxxxx:~$ sudo apt-get install zfs-fuse
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libaio1
The following NEW packages will be installed:
libaio1 zfs-fuse
0 upgraded, 2 newly installed, 0 to remove and 3 not upgraded.
Need to get 1518kB of archives.
After this operation, 4338kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
zfs-fuse
Install these packages without verification [y/N]? n
E: Some packages could not be authenticated
Click here to see the post LQ members have rated as the most helpful post in this thread.
This is not an Ubuntu issue, this is an issue of Debian Apt security. I wonder, why moderators moved my thread here, in a forum for discussing Ubuntu Linux.
By the way, I've already described this problem on http://forums.ubuntu.com/, and no one was able to resolve it.
Thanks for the moderation policy, I guess that no one will resolve it here too...
Last edited by mikropolip; 12-03-2009 at 07:46 PM.
Before packages from a ppa can be authenticated the key has to be added. I did not see instructions for adding the key sig for the source you added. Did you add it? The latest method for addin ppa's from launchpad is of course. sudo add-apt-repository ppa:<name>
I doubt this helps with the paranoia issue. But you should see and get verification of the key and package being added to synaptic...and you havent actually installed anything yet...just added the package to your package manager.
This is not an Ubuntu issue, this is an issue of Debian Apt security. I wonder, why moderators moved my thread here, in a forum for discussing Ubuntu Linux.
By the way, I've already described this problem on http://forums.ubuntu.com/, and no one was able to resolve it.
Thanks for the moderation policy, I guess that no one will resolve it here too...
mikropolip, I agree that this is security-related, but due to the Ubuntu-specific nature of the issue, I feel it belongs better here in Ubuntu, which is why I moved it. FWIW, I did leave a permanent redirect behind in Security, thereby granting your question even more exposure than it originally had.
spiderbatdad, thank you for a suggestion, but, as far as I understand, md5sum is actually stored in a package itself, so it won't help me to determine whether it was compromised or not.
I can see that you are absolutely correct regarding the security issue when a package cannot be authenticated. The whole system falls apart. I thought it might be possible to find published md5sums for the package and compare, but this does not provide the same integrity as release gpg.
I did try adding the repo and importing the proper sig. 48A22A95, but I ended up with the same warning. Sorry I have no clue to your original question...an archive of origs would be nice, if they could be hosted by launchpad.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Is there a way to retrieve GPG key without actually installing a deb package?
