How can I avoid GPG errors with apt 0.6 and above?

Since version 0.6, apt checks package signatures. If the signatures are not known to apt, errors like the following are produced.

W: GPG error: http://debian.hinterhof.net unstable/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0E41455F530F04D
W: GPG error: http://kempele.fi ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76755C2ABD7736A8
W: GPG error: http://www.tux.org sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB5E459A529B8BDA
W: GPG error: ftp://ftp.nerim.net sarge Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://ftp.nerim.net etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://ftp.nerim.net sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907

The signatures are included in the Release files, as the error message suggests. So if the public key is not known to GPG, the above error messages are produced.

Getting everything right with signatures and apt still seems to be confusing to a lot of people, including me. This article and the comments on it at Debian Administration give an overview but also prove that there is still a need for more detail. In particular, the connection between the package debian-keyring and apt, and how the keys should enter /etc/apt/trusted.gpg, is still quite unclear to me. Furthermore, at the time of writing, apt-key still seems to have some consistency bugs, as described here. I believe there is still some development going on.

However, here’s how I got GPG quiet again. It’s basically finding the keys on a keyserver or in a file provided by the key holder, importing them into GPG, and then exporting and piping them into apt-key. It should work with the keys named after NO_PUBKEY in the warnings.

A good example is the repository at http://debian.hinterhof.net. Max Vozeler, the repository maintainer, says:

I sign both repositories using key 1024D/F530F04D Automatic Signing Key (debian.hinterhof.net) (asc) which is signed with my Debian key 1024D/B7CDA2DC Max Vozeler (asc).

You can get the key by either asking a keyserver

#gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys F530F04D

or getting the file containing the key

#wget http://hinterhof.net/debian/archive-2005.asc
#gpg --import archive-2005.asc

Now you need to get the key into /etc/apt/trusted.gpg by using

#gpg --armor --export F530F04D | apt-key add -

Now GPG should no longer complain about this repository.
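
As an added example (not part of the original post), the following shell functions pull the key IDs out of the apt warnings shown above, listing which key is missing for which source, and check that the eight-digit ID a maintainer publishes (F530F04D here) is the tail of the ID apt reported (A0E41455F530F04D). The function names are made up for this example.

```shell
#!/bin/sh
# Added example. sample_warnings holds three warnings quoted on this page plus
# one constructed non-warning line.
sample_warnings() {
    cat <<'EOF'
Reading package lists... Done
W: GPG error: http://debian.hinterhof.net unstable/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0E41455F530F04D
W: GPG error: ftp://ftp.nerim.net sarge Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://ftp.nerim.net etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
EOF
}

# Print "KEYID<TAB>source" for every NO_PUBKEY id in apt output read on stdin.
missing_keys() {
    awk '
        /^W: GPG error: / && /NO_PUBKEY/ {
            src = $0
            sub(/^W: GPG error: /, "", src)   # drop the fixed prefix
            sub(/ Release:.*/, "", src)        # keep "URL suite" only
            for (i = 1; i < NF; i++)           # one warning may list several ids
                if ($i == "NO_PUBKEY" && $(i + 1) ~ /^[0-9A-Fa-f]+$/) {
                    id = toupper($(i + 1))
                    if (!((id, src) in seen)) { seen[id, src] = 1; print id "\t" src }
                }
        }'
}

# Distinct key ids only, i.e. the list of keys that still have to be obtained.
unique_key_ids() {
    missing_keys | cut -f1 | LC_ALL=C sort -u
}

# Succeed if the 8-digit id a maintainer publishes is the tail of the id apt
# reported. Returns 2 for ids shorter than 8 digits.
matches_short_id() {
    _long=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    _short=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "${#_short}" -ge 8 ] || return 2
    case "$_long" in
        *"$_short") return 0 ;;
    esac
    return 1
}

sample_warnings | missing_keys
```

To run it on real output, use `apt-get update 2>&1 | missing_keys`. The 16-digit ID that apt prints can be passed to `gpg --recv-keys` in place of the 8-digit one, which identifies the key less ambiguously.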

The steps for the other repositories are the same. Christian Marillat has some comments about his keys here. Some more comments on package signing are in the Securing Debian Manual.
