Secure Apt
posted by Terence @ 5:16 AM on Friday, March 09, 2007

The following post is really only for my reference -- so that I remember what the story is the next time I have this issue. But I'll include some backstory in case anyone else is curios as to what I am talking about.

In Linux, one easy way to install new software is to download a package -- which is a bundle that is in a standard format, which can put the files in the appropriate places, put shortcuts where you would expect them to go, etc. It's similar to downloading an .exe for Windows machines. One advantage to the whole package management thing is that all of the packages can generally be found at one (or a small number) of package mirrors. If you wanted a program that could organize your pictures and automatically upload them to Flickr [flickr.com], you could just go and search for all of the packages that are available, and then install the one you want. Your package manager will the install any library files or anything else that your new software is dependent on.

Another advantage is that when you want to look for updates for your software to fix bugs or security holes, you can update everything at once with the same system and very few commands. You would just have your package manager compare the versions of the software you have now with the versions of the software that reside on the package mirrors, and download the ones that are newer than the ones you already have.

Recently, when updating the package list in my installation of Debian Etch (testing) [debian.org], I have been receiving errors about not being able to verify the signatures of some of the packages I have wanted to update.
# apt-get update
W: GPG error: http://security.debian.org etch/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A70DAF536070D3A1
Here is how to manually add the appropriate key to the Advanced Packaging Tool's (apt's) list of verified keys... First retrieve the appropriate key from a keyserver (the key ID is listed in the error) and add it to your own keyring:
$ gpg --keyserver pgpkeys.mit.edu --recv-key A70DAF536070D3A1
I'm not a sudoer on my own machine, so transferring the key between keyrings ends up being a two part process. First, export the key from my keyring into an armored ASCII file:
$ gpg -a --export A70DAF536070D3A1 > A70DAF536070D3A1.asc
Then log in as a root user, and add the key to apt's list.
# apt-key add A70DAF536070D3A1.asc

Labels: