Old 12-03-2009, 12:09 PM   #1
mikropolip
LQ Newbie
 
Registered: Dec 2009
Posts: 5

Rep: Reputation: 0
Question Is there a way to retrieve GPG key without actually installing a deb package?


Hi!
I want to install ZFS via zfs-fuse package on Ubuntu 9.04, so I follow the instructions from Ubuntu Wiki.

I add repositories at http://ppa.launchpad.net/brcha/ but while apt-getting I get a warning that the package cannot be authenticated.

Since there is no information about the needed apt-key in the Ubuntu ZFS wiki and since I'm pretty paranoid, I try both keys of the package maintainer, Filip Brcic.

Code:
pub   1024D/162CE87F 2007-06-15
uid                  Filip Brcic <brcha@gna.org>
uid                  Filip Brcic <fbrcic@gmail.com>
uid                  Filip Brcic <brcha@laposte.net>
uid                  Filip Brcic <brcha@galeb.etf.bg.ac.yu>
uid                  Filip Brcic <brcha@users.sourceforge.net>
uid                  [jpeg image of size 4315]
sub   1024g/AC1A891A 2007-06-15


pub   1024R/48A22A95 2009-01-21
uid                  Launchpad PPA for Filip Brcic
But still get the same warning that the package can't be authenticated.

So, here is my question: how can I retrieve the package's GPG key without actually apt-get installing it?

Yes, I know that I can go to "https://launchpad.net/~brcha/+archive/ppa -> Technical details about this PPA -> Signing key", but that's actually one of the above-mentioned keys that don't work. And I know that first I need to properly import the GPG signature, then run apt-get update and apt-get install. Just in case, I'll post my CLI output:

$ sudo apt-key list
Code:
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub   1024D/162CE87F 2007-06-15
uid                  Filip Brcic <brcha@gna.org>
uid                  Filip Brcic <fbrcic@gmail.com>
uid                  Filip Brcic <brcha@laposte.net>
uid                  Filip Brcic <brcha@galeb.etf.bg.ac.yu>
uid                  Filip Brcic <brcha@users.sourceforge.net>
uid                  [jpeg image of size 4315]
sub   1024g/AC1A891A 2007-06-15

pub   1024R/48A22A95 2009-01-21
uid                  Launchpad PPA for Filip Brcic
Code:
xxxxx@xxxxx:~$ sudo apt-get update
Hit http://archive.canonical.com jaunty Release.gpg
Ign http://archive.canonical.com jaunty/partner Translation-en_US              
Hit http://ppa.launchpad.net jaunty Release.gpg                                
Ign http://ppa.launchpad.net jaunty/main Translation-en_US                     
Hit http://archive.canonical.com jaunty Release                                
Hit http://ppa.launchpad.net jaunty Release.gpg                                
Ign http://ppa.launchpad.net jaunty/main Translation-en_US  
Ign http://ppa.launchpad.net jaunty Release.gpg             
Ign http://ppa.launchpad.net jaunty/main Translation-en_US  
Hit http://ppa.launchpad.net jaunty Release                 
Hit http://ppa.launchpad.net jaunty Release                                    
Get:1 http://ppa.launchpad.net jaunty Release [31.1kB]                         
Hit http://archive.canonical.com jaunty/partner Packages                       
Hit http://ppa.launchpad.net jaunty/main Packages                              
Ign http://ppa.launchpad.net jaunty/main Packages           
Hit http://ppa.launchpad.net jaunty/main Packages           
Hit http://ppa.launchpad.net jaunty/main Sources            
Hit http://ppa.launchpad.net jaunty/main Packages           
Hit http://archive.ubuntu.com jaunty Release.gpg            
Ign http://archive.ubuntu.com jaunty/main Translation-en_US
Ign http://archive.ubuntu.com jaunty/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty/universe Translation-en_US
Ign http://archive.ubuntu.com jaunty/multiverse Translation-en_US
Hit http://archive.ubuntu.com jaunty-updates Release.gpg
Ign http://archive.ubuntu.com jaunty-updates/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/universe Translation-en_US
Ign http://archive.ubuntu.com jaunty-updates/multiverse Translation-en_US
Hit http://archive.ubuntu.com jaunty-security Release.gpg
Ign http://archive.ubuntu.com jaunty-security/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/universe Translation-en_US
Ign http://archive.ubuntu.com jaunty-security/multiverse Translation-en_US
Hit http://archive.ubuntu.com jaunty-backports Release.gpg
Ign http://archive.ubuntu.com jaunty-backports/restricted Translation-en_US
Ign http://archive.ubuntu.com jaunty-backports/main Translation-en_US
Ign http://archive.ubuntu.com jaunty-backports/multiverse Translation-en_US
Ign http://archive.ubuntu.com jaunty-backports/universe Translation-en_US
Hit http://archive.ubuntu.com jaunty Release
Hit http://archive.ubuntu.com jaunty-updates Release
Hit http://archive.ubuntu.com jaunty-security Release
Hit http://archive.ubuntu.com jaunty-backports Release
Hit http://archive.ubuntu.com jaunty/main Packages
Hit http://archive.ubuntu.com jaunty/restricted Packages
Hit http://archive.ubuntu.com jaunty/main Sources
Hit http://archive.ubuntu.com jaunty/restricted Sources
Hit http://archive.ubuntu.com jaunty/universe Packages
Hit http://archive.ubuntu.com jaunty/universe Sources
Hit http://archive.ubuntu.com jaunty/multiverse Packages
Hit http://archive.ubuntu.com jaunty/multiverse Sources
Hit http://archive.ubuntu.com jaunty-updates/main Packages
Hit http://archive.ubuntu.com jaunty-updates/restricted Packages
Hit http://archive.ubuntu.com jaunty-updates/main Sources
Hit http://archive.ubuntu.com jaunty-updates/restricted Sources
Hit http://archive.ubuntu.com jaunty-updates/universe Packages
Hit http://archive.ubuntu.com jaunty-updates/universe Sources
Hit http://archive.ubuntu.com jaunty-updates/multiverse Packages
Hit http://archive.ubuntu.com jaunty-updates/multiverse Sources
Hit http://archive.ubuntu.com jaunty-security/main Packages
Hit http://archive.ubuntu.com jaunty-security/restricted Packages
Hit http://archive.ubuntu.com jaunty-security/main Sources
Hit http://archive.ubuntu.com jaunty-security/restricted Sources
Hit http://archive.ubuntu.com jaunty-security/universe Packages
Hit http://archive.ubuntu.com jaunty-security/universe Sources
Hit http://archive.ubuntu.com jaunty-security/multiverse Packages
Hit http://archive.ubuntu.com jaunty-security/multiverse Sources
Hit http://archive.ubuntu.com jaunty-backports/restricted Packages
Hit http://archive.ubuntu.com jaunty-backports/main Packages
Hit http://archive.ubuntu.com jaunty-backports/multiverse Packages
Hit http://archive.ubuntu.com jaunty-backports/universe Packages
Fetched 1B in 1s (1B/s)  
Reading package lists... Done
   
xxxxx@xxxxx:~$ sudo apt-get install zfs-fuse 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libaio1
The following NEW packages will be installed:
  libaio1 zfs-fuse
0 upgraded, 2 newly installed, 0 to remove and 3 not upgraded.
Need to get 1518kB of archives.
After this operation, 4338kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  zfs-fuse
Install these packages without verification [y/N]? n
E: Some packages could not be authenticated
 
Old 12-03-2009, 08:43 PM   #2
mikropolip
LQ Newbie
 
Registered: Dec 2009
Posts: 5

Original Poster
Rep: Reputation: 0
This is not an Ubuntu issue, this is an issue of Debian Apt security. I wonder why the moderators moved my thread here, to a forum for discussing Ubuntu Linux.

By the way, I've already described this problem on http://forums.ubuntu.com/, and no one was able to resolve it.

Thanks for the moderation policy, I guess that no one will resolve it here either...

Last edited by mikropolip; 12-03-2009 at 08:46 PM.
 
Old 12-03-2009, 09:12 PM   #3
spiderbatdad
Member
 
Registered: Nov 2009
Location: mote of dust suspended in a sunbeam
Distribution: Arch Linux / Ubuntu 10.10
Posts: 40

Rep: Reputation: 17
Before packages from a PPA can be authenticated, the key has to be added. I did not see instructions for adding the key sig for the source you added. Did you add it? The latest method for adding PPAs from Launchpad is, of course, sudo add-apt-repository ppa:<name>
I doubt this helps with the paranoia issue. But you should see and get verification of the key and package being added to Synaptic...and you haven't actually installed anything yet...just added the package to your package manager.
 
Old 12-03-2009, 09:13 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by mikropolip
This is not an Ubuntu issue, this is an issue of Debian Apt security. I wonder why the moderators moved my thread here, to a forum for discussing Ubuntu Linux.

By the way, I've already described this problem on http://forums.ubuntu.com/, and no one was able to resolve it.

Thanks for the moderation policy, I guess that no one will resolve it here either...
mikropolip, I agree that this is security-related, but due to the Ubuntu-specific nature of the issue, I feel it belongs better here in Ubuntu, which is why I moved it. FWIW, I did leave a permanent redirect behind in Security, thereby granting your question even more exposure than it originally had.

Last edited by win32sux; 12-03-2009 at 09:14 PM.
 
2 members found this post helpful.
Old 12-04-2009, 05:39 AM   #5
mikropolip
LQ Newbie
 
Registered: Dec 2009
Posts: 5

Original Poster
Rep: Reputation: 0
win32sux, thank you!

spiderbatdad, yes, I have added the key of this ppa. I have posted my apt-key list, which outputs all the gpg signatures that were imported by apt.

Last edited by mikropolip; 12-04-2009 at 05:45 AM.
 
Old 12-04-2009, 08:18 AM   #6
spiderbatdad
Member
 
Registered: Nov 2009
Location: mote of dust suspended in a sunbeam
Distribution: Arch Linux / Ubuntu 10.10
Posts: 40

Rep: Reputation: 17
I'm sorry I totally missed the issue and meat of the posting.
How about checking the MD5sum of the package from apt-cache.
Code:
sudo apt-cache show zfs-fuse | sed -n "s/MD5sum: //p"
 
2 members found this post helpful.
Old 12-05-2009, 10:06 AM   #7
mikropolip
LQ Newbie
 
Registered: Dec 2009
Posts: 5

Original Poster
Rep: Reputation: 0
spiderbatdad, thank you for the suggestion, but, as far as I understand, the md5sum is actually stored in the package itself, so it won't help me to determine whether it was compromised or not.
 
Old 12-06-2009, 10:04 AM   #8
spiderbatdad
Member
 
Registered: Nov 2009
Location: mote of dust suspended in a sunbeam
Distribution: Arch Linux / Ubuntu 10.10
Posts: 40

Rep: Reputation: 17
I can see that you are absolutely correct regarding the security issue when a package cannot be authenticated. The whole system falls apart. I thought it might be possible to find published md5sums for the package and compare, but this does not provide the same integrity as release gpg.
I did try adding the repo and importing the proper sig. 48A22A95, but I ended up with the same warning. Sorry I have no clue to your original question...an archive of origs would be nice, if they could be hosted by launchpad.
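
The checksum discussion in posts #6 to #8 comes down to apt's trust chain: `Release.gpg` signs `Release`, `Release` lists the hash of each `Packages` index, and `Packages` lists the hash of each .deb, so a checksum shown by `apt-cache show` is only as trustworthy as the signature on `Release`. The script below is an added example, not part of any post in this thread, that walks that chain by hand on already-downloaded files without installing anything; the file names, keyring path and index path are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: apt's trust chain checked by hand, without installing anything.
# File names, keyring path and index path are placeholders chosen by the caller.

# Step 1: the only signature in the chain. gpgv succeeds only if Release.gpg is
# a valid signature over Release made by a key present in the given keyring.
verify_release_sig() {  # usage: verify_release_sig KEYRING Release.gpg Release
    gpgv --keyring "$1" "$2" "$3"
}

# Print the SHA256 that Release records for an index, e.g. main/binary-i386/Packages.
release_sha256() {  # usage: release_sha256 Release INDEX_PATH
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }   # start of the SHA256 section
        /^[^ ]/    { in_sec = 0 }         # any other unindented field ends it
        in_sec && $3 == want { print $1; exit }' "$1"
}

# Print the SHA256 that a Packages index records for one package.
package_sha256() {  # usage: package_sha256 Packages NAME
    awk -v want="$2" '
        $1 == "Package:" { cur = $2 }
        $1 == "SHA256:" && cur == want { print $2; exit }' "$1"
}

# Steps 2 and 3: Release -> Packages -> .deb. Returns 0 only if both hashes match.
verify_chain() {  # usage: verify_chain Release INDEX_PATH Packages NAME file.deb
    local want got
    want=$(release_sha256 "$1" "$2")
    got=$(sha256sum "$3" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || { echo "Packages index mismatch" >&2; return 1; }
    want=$(package_sha256 "$3" "$4")
    got=$(sha256sum "$5" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || { echo ".deb mismatch" >&2; return 1; }
    echo "hash chain OK for $4"
}

# Typical use, after fetching Release, Release.gpg, Packages and the .deb by hand:
#   verify_release_sig ./keyring.gpg Release.gpg Release &&
#   verify_chain Release main/binary-i386/Packages Packages zfs-fuse zfs-fuse.deb
```

If `verify_release_sig` fails, the hashes checked by `verify_chain` prove nothing, because whoever could alter the .deb could alter `Release` and `Packages` to match.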
 
  

