What are the GPG signatures

Luis Alvarado

Looking at questions like THIS, THIS and THIS, I ask for public knowledge the following questions:

  1. What are the GPG Signatures for?

  2. What additional level of security do the Signatures add or provide to users?

  3. What are some of the common problems associated with GPG Signatures with PPAs in Launchpad and why are they produced?

andrewsomething

What is GPG?

GPG, or GNU Privacy Guard, is a suite of cryptographic software. It can be used to encrypt or sign data and communications to ensure its authenticity.

This type of cryptography is based on key pairs. A public key is hosted on a key server (e.g. keyserver.ubuntu.com) and the private key is kept secret. Using the public key, one can verify the signature made by a private key. Likewise, knowing someone's public key will allow you to encrypt a message that can only be read by the holder of the corresponding secret key.

Further Reading: GnuPG for Daily Use (a Mini How-To...)

What's this have to do with me?

In this context, the apt repository that you are downloading a package from should be signed by a secret key so that you can verify that the packages you are installing come from where they say they are.

The actual file in the repository that is signed is the Release file. This file contains the checksums of a number of other files in the repository. For instance, here is the file for the official Ubuntu 12.10 repository and its corresponding GPG signature. When you install a package, apt verifies the signature.

Further Reading: All about secure apt

Common Issues

The public key for the official Ubuntu archive is already known by your computer, but if you want to add a PPA or third-party repository you must import their key. If you try to update a repository whose key you don't have, you'll see warnings like:

W: GPG error: http://ppa.launchpad.net oneiric Release: The following signatures
couldn't be verified because the public key is not available: NO_PUBKEY B725097B3ACC3965

When you install a package from that repository, you will also receive a warning:

WARNING: The following packages cannot be authenticated!
  dropbox
Install these packages without verification [y/N]?

While these warnings can be silenced by running apt with the --allow-unauthenticated flag, it is better to add the key to your system so that you can take advantage of the added security.

When adding a PPA you should use the add-apt-repository tool as this will automatically handle adding the key for you. If you need to add the key manually, use the following command:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY_ID_HERE

If you'd rather do this without using the terminal, consult this answer.
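The answer above describes the second half of secure apt: once the Release file's signature has been accepted, apt checks every index file against the size and SHA256 recorded in Release. The following added example (not code from the question, the answer, or apt itself) parses the SHA256 section of a constructed Release file and verifies a constructed Packages index against it, including a tampered copy; the signature check itself is assumed to have already happened with the archive's public key.

```python
import hashlib
import re

# Constructed Packages index (not from a real archive) used as sample input.
PACKAGES_INDEX = (
    "Package: dropbox\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/d/dropbox/dropbox_1.0-1_amd64.deb\n"
    "SHA256: " + "0" * 64 + "\n"
)

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_release(files: dict) -> str:
    """Build a minimal Release file whose SHA256 section lists {path: bytes}."""
    lines = ["Origin: Example PPA", "Suite: precise", "SHA256:"]
    for path, data in sorted(files.items()):
        lines.append(f" {_sha256(data)} {len(data)} {path}")
    return "\n".join(lines) + "\n"

# One entry of the SHA256 section: " <hex digest> <size> <path>"
ENTRY = re.compile(r"^ ([0-9a-f]{64}) +(\d+) +(\S+)$")

def parse_release_sha256(release: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only SHA256: interests us.
            in_section = line.rstrip() == "SHA256:"
            continue
        m = ENTRY.match(line)
        if in_section and m:
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries

def verify_index(release: str, path: str, data: bytes) -> bool:
    """True if data matches the size and SHA256 that Release records for path.
    Release must already be trusted via its signature; without the signing key
    (the NO_PUBKEY warning) this check proves nothing about where data came from."""
    entry = parse_release_sha256(release).get(path)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and _sha256(data) == digest

if __name__ == "__main__":
    repo = {"main/binary-amd64/Packages": PACKAGES_INDEX.encode()}
    release = make_release(repo)
    print(verify_index(release, "main/binary-amd64/Packages", repo["main/binary-amd64/Packages"]))  # True
    tampered = PACKAGES_INDEX.replace("1.0-1", "9.9-9").encode()
    print(verify_index(release, "main/binary-amd64/Packages", tampered))  # False
```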
