Monday, May 12, 2008

Up to Date

I've used Debian for a bit and really love the package manager. However, I'm still learning how these repositories work. My first attempt at updating my system gave me an error.


~# apt-get update

... http://ftp.debian-ports.org ... NO_PUBKEY found ...


Basically, each package in the repository is signed using GPG. When apt tries to use the repository, it must have the public GPG key on hand to authenticate it. The list of repositories apt uses can be found in /etc/apt/sources.list. I read that apt could ignore this, but it didn't seem like a good practice to start with.

To read up on how this authentication works, I browsed a well-written article, the "Securing Debian Manual", which explained how Debian handles this [1]. It mentioned how to add the key, but also said that finding the public key for a given site wasn't exactly uniform across repositories. After digging around in http://ftp.debian-ports.org for a while, I went to the IRC channel and just asked. I got a response instantly. He/she posted a link to http://www.debian-ports.org/archive, which I wouldn't have found for quite a while. It gave me two commands to download and add the key.


~# gpg --keyserver hkp://subkeys.pgp.net --recv-keys 43229C06
... (a bit of text)
~# gpg --export 43229C06 | apt-key add -
... (a bit of text)
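
As an added example (not from the original post), here is a Python check worth running on the key between the two commands above: it parses `gpg --with-colons --fingerprint` output and accepts the key only if the full 40-hex fingerprint, copied from the archive's web page rather than a keyserver, matches, because an 8-digit key ID is only the tail of the fingerprint and can be shared by unrelated keys. The gpg output and fingerprints below are constructed, not real Debian keys.

```python
"""Added check: accept a downloaded archive key only when its full
fingerprint matches a value obtained out of band, not just the short ID."""
import re

# Constructed sample of `gpg --with-colons --fingerprint 77778888` output:
# two unrelated keys that happen to share the short key ID 77778888.
# These are made-up keys, not real Debian archive keys.
GOOD_FPR = "1111222233334444555566665555666677778888"
LOOKALIKE_FPR = "FFFFEEEEDDDDCCCCBBBBAAAAAAAABBBB77778888"
TWO_KEY_OUTPUT = """\
pub:-:1024:17:5555666677778888:2005-01-01::-:::scSC:
fpr:::::::::%s:
uid:-::::2005-01-01::DEADBEEF::Constructed Archive Key <archive@example.invalid>:
pub:-:2048:1:AAAABBBB77778888:2008-05-01::-:::scSC:
fpr:::::::::%s:
uid:-::::2008-05-01::CAFEBABE::Look-alike Key <other@example.invalid>:
""" % (GOOD_FPR, LOOKALIKE_FPR)
# The same query when only the genuine key is in the keyring.
ONE_KEY_OUTPUT = "\n".join(TWO_KEY_OUTPUT.splitlines()[:3]) + "\n"


def normalize(fpr):
    """Strip the spaces gpg prints between fingerprint groups, upper-case."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_keys(colon_output):
    """Map long key ID -> fingerprint from the `pub` and `fpr` records."""
    keys, current = {}, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]          # 16-hex long key ID
        elif fields[0] == "fpr" and current is not None:
            keys[current] = fields[9]    # 40-hex fingerprint
            current = None
    return keys


def keys_with_short_id(colon_output, key_id):
    """Fingerprints whose last 8 hex digits equal key_id; >1 means ambiguous."""
    kid = normalize(key_id)[-8:]
    return [f for f in parse_keys(colon_output).values() if f[-8:] == kid]


def safe_to_add(colon_output, expected_fpr):
    """(ok, reason): pipe the key to `apt-key add -` only if ok is True."""
    found = list(parse_keys(colon_output).values())
    if len(found) != 1:
        return False, "expected exactly one key, found %d" % len(found)
    if found[0] != normalize(expected_fpr):
        return False, "fingerprint mismatch: %s" % found[0]
    return True, "fingerprint verified: %s" % found[0]
```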


I wasn't sure if it worked or not since I am inexperienced in doing this. I saw the phrase "gpg: no ultimately trusted keys found", which I thought may be an error. I googled the error and learned that by default, gpg is set up to not ultimately trust any keys, and in this case it didn't matter. I'm still not sure what the rigorous definition of "ultimately trust" is, but I took their word for it [2].

After running apt-get update, apt updated with no mention of NO_PUBKEY, so I guess it worked.
