apt-key gpg key import on Ubuntu and Debian

Should you need to download packages from a unofficial repository, you need not disable gpg signature verification. Instead, you can import the key used to sign the packages into your local keyring.

Of course, you may not know what key to fetch. That’s probably okay, as if the public portion of key is not explicitly divulged, it is probably in a key repository. If you can find the email address of the repository owner, that’s probably the piece of information you need to retrieve the key.

$ gpg --keyserver subkeys.pgp.net --search-keys jasonb@edseek.com
pg: searching for "jasonb@edseek.com" from hkp server subkeys.pgp.net
(1)     Jason Boxman 
          1024 bit DSA key 4BD9A338, created: 2002-12-06

Next, select the key that seems most appropriate. There may only be one, or one may mention repository signing key or something similar. When in doubt you can fetch all the keys. Next we must armor export the key.

$ gpg -a --output /tmp/pub.asc --export 4BD9A338

Finally, let us tell apt about the key.

$ sudo apt-key add /tmp/pub.asc && rm /tmp/pub.asc

Only perform the above action if you really trust the key. (And I do mean the key, as it ultimately is what is granted trust, not whoever purports to be its owner.)

# apt-get update

And you are on your way again!

This entry was written by jasonb, posted on 3/17/2007 at 1:15 am, filed under Quick Guides. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never shared. Required fields are marked *

*
*