untrusted versions of the following packages will be installed 

Newsgroups: gmane.linux.debian.user
Date: 2006-12-12

http://thread.gmane.org/gmane.linux.debian.user/266256

I got the following message from "aptitude dist-upgrade" all of a sudden:

  . . . Do you want to continue? [Y/n/?] y
  WARNING: untrusted versions of the following packages will be installed!
  . . .

> > It could be caused by a number of things. Try running apt-get update.
>
> That did fix the problem yesterday!  Dist-upgrade went through
> without any error.
>
> I did "aptitude update; aptitude dist-upgrade" when I got the error
> (quoted in the subject of this message).  Does that mean that
> "aptitude update" is different from "apt-get update" or
> that something has changed between the time I got the error
> and yesterday?

AFAIK you get the untrusted sources for packages that were installed from repositories that are not official (for packages that weren't built by official Debian maintainers).

Check if you have non-official repositories in your /etc/apt/sources.list

What could have changed is that the package first appeared in unofficial repositories and then propagated to the official ones, or that there was something wrong done with the specific package and it was fixed.

> Anyway, thank you for your help and pointer to the secure-apt
> documentation.
>
> > For docs, see http://wiki.debian.org/SecureApt

Micha Feigin

Secure Apt 

http://wiki.debian.org/SecureApt

Secure apt always downloads Release.gpg files when it's downloading Release files, and if it cannot download the Release.gpg, or if the signature is bad, it will complain, and will make note that the Packages files that the Release file points to, and all the packages listed therein, are from an untrusted source. Here's how it looks during an apt-get update:

W: GPG error: http://ftp.us.debian.org testing Release: The following
 signatures couldn't be verified because the public key is not available:
 NO_PUBKEY 010908312D230C5F

If you ignore that warning and try to install a package later, apt will warn again:

WARNING: The following packages cannot be authenticated!
  libglib-perl libgtk2-perl
Install these packages without verification [y/N]?

How to find a key 

The debian-archive-keyring package is used to distribute keys to apt. Upgrades to this package can add (or remove) gpg keys for the main Debian archive.

For other archives, there is not yet a standard location where you can find the key for a given apt repository. . . . so you might have to hunt for it.

gpg itself has a standard way to distribute keys, using a keyserver that gpg can download a key from and add it to its keyring. For example:

$ gpg --keyserver pgpkeys.mit.edu --recv-key 010908312D230C5F
gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu
gpg: key 2D230C5F: "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Note that the second half of the long number is the key id of the key that apt doesn't know about, in this case that's 2D230C5F.

You can then export that key from your own keyring and feed it to apt-key:

$ gpg -a --export 2D230C5F | sudo apt-key add -
OK
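As an added example (not from the SecureApt wiki page or the list thread), the POSIX shell script below scans saved "apt-get update" output for the NO_PUBKEY warning shown above and reports, per repository, the long key id apt prints together with the short id (its last eight hex digits) that the gpg --recv-key and apt-key steps use. The sample output is constructed; the script assumes apt prints each warning on a single line (the wiki wraps it for display) with one key id per warning.

```shell
#!/bin/sh
# Added example, not code from the Debian wiki or the list thread.
# Audit "apt-get update" output for Release files whose signature could
# not be verified because the signing key is missing from apt's keyring.

# Constructed sample of apt-get update output (stdout and stderr merged).
# Key ids other than the Debian one are made up for the example.
SAMPLE_UPDATE_OUTPUT="Get:1 http://ftp.us.debian.org testing Release
W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://example.invalid unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DEADBEEF12345678
Reading package lists... Done"

# missing_keys [file]: read apt-get update output from a file or stdin and
# print one line per missing key: "<short id> <long id> <url> <suite>".
# Assumes one NO_PUBKEY id per warning line.
missing_keys() {
    sed -n 's/^W: GPG error: \([^ ]* [^ ]*\) Release:.*NO_PUBKEY \([0-9A-Fa-f]*\).*$/\2 \1/p' "$@" |
    LC_ALL=C sort -u |
    while read -r longid origin; do
        # The short key id is the last eight hex digits of the long id,
        # e.g. 010908312D230C5F -> 2D230C5F (see the note above).
        shortid=${longid#"${longid%????????}"}
        printf '%s %s %s\n' "$shortid" "$longid" "$origin"
    done
}

# update_is_trusted [file]: succeed only when no NO_PUBKEY warning appears,
# so an unattended dist-upgrade can be gated on a fully verified update.
update_is_trusted() {
    ! grep -q 'NO_PUBKEY' "$@"
}

# Demo on the constructed sample.  In practice capture a real run with
#   apt-get update 2>&1 | tee /tmp/apt-update.log
# and then pass /tmp/apt-update.log to both functions.
printf '%s\n' "$SAMPLE_UPDATE_OUTPUT" | missing_keys
```

Each reported short id can be handed to the gpg --recv-key / gpg --export / apt-key add steps shown above, but only after confirming out of band that the key really belongs to the repository operator, since fetching whatever key a warning names would defeat the check.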

documented on: 2007-08-25