
I've inherited an Ubuntu 18.04 server which has had some custom repositories and keys added to it in the past. I'd like to ensure all keys are still in use, and see which packages each of them are validating. Is there a way to do this?

I can list all keys by using apt-key list and looking in /etc/apt/trusted.gpg[.d], but how can I compare them to repositories and packages?

Steve H
  • 53
  • 3

1 Answer


The validation is provided by signing the MD5 sums of the packages listed in the Release file of the APT source. Download the Release.gpg from each source and check which keys are used for signing them. This way you'll get a list of the packages signed with the key – not the other way around.

E.g. deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted

  1. has its Release file signed in Release.gpg
  2. gpg -vv Release.gpg gives keyid 3B4FE6ACC0B21F32
  3. Compare the key ID with the ones on your apt-key list:

    /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
    ------------------------------------------------------
    pub   rsa4096 2012-05-11 [SC]
          790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
    uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
    
Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
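The comparison described in the answer above (take Release.gpg from each source, find the key ID that issued the signature, look that ID up in the keyrings under /etc/apt/trusted.gpg.d), as an added example that is not part of the original answer: a Python script that reads the OpenPGP packets itself (RFC 4880 framing) rather than scraping `gpg -vv` output, so it can also be run on a copy of the files from another machine. The key and signature packets built at the bottom are constructed toy data for demonstration, not real Ubuntu keys or a real signature; the function names are assumptions of this example.

```python
"""Match the issuer of an APT Release.gpg against the keys in the trusted keyrings.

Pure-Python OpenPGP packet parsing (RFC 4880): no gpg binary, no network.
Handles several signatures in one Release.gpg and signing subkeys (key ID of a
subkey differs from the primary key shown by `apt-key list`).
"""
import hashlib
import struct

SIGNATURE, PUBKEY, PUBSUBKEY = 2, 6, 14      # packet tags
ISSUER, ISSUER_FPR = 16, 33                  # signature subpacket types


def _packets(data):
    """Yield (tag, body) for each packet; accepts old- and new-format headers."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError("not binary OpenPGP data (ASCII-armoured .asc file?)")
        if ctb & 0x40:                                   # new-format header
            tag, l1 = ctb & 0x3F, data[off + 1]
            if l1 < 192:
                length, off = l1, off + 2
            elif l1 < 224:
                length, off = ((l1 - 192) << 8) + data[off + 2] + 192, off + 3
            elif l1 == 255:
                length, off = struct.unpack(">I", data[off + 2:off + 6])[0], off + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[off + 1:off + 1 + n], "big")
            off += 1 + n
        yield tag, data[off:off + length]
        off += length


def _subpackets(area):
    """Yield (type, data) for each subpacket of a hashed/unhashed signature area."""
    off = 0
    while off < len(area):
        l1 = area[off]
        if l1 < 192:
            length, off = l1, off + 1
        elif l1 < 255:
            length, off = ((l1 - 192) << 8) + area[off + 1] + 192, off + 2
        else:
            length, off = struct.unpack(">I", area[off + 1:off + 5])[0], off + 5
        sub_type = area[off] & 0x7F                      # drop the 'critical' bit
        yield sub_type, area[off + 1:off + length]       # length counts the type byte
        off += length


def signature_issuers(sig_bytes):
    """Return the issuer key IDs (16 upper-case hex chars) of every v4 signature."""
    issuers = []
    for tag, body in _packets(sig_bytes):
        if tag != SIGNATURE or body[0] != 4:
            continue
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        off = 6 + hashed_len
        unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
        unhashed = body[off + 2:off + 2 + unhashed_len]
        key_id = None
        # Prefer the full issuer fingerprint subpacket; fall back to the 64-bit issuer ID.
        for sub_type, sub in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
            if sub_type == ISSUER_FPR and sub[0] == 4:
                key_id = sub[-8:].hex().upper()
                break
            if sub_type == ISSUER and key_id is None:
                key_id = sub.hex().upper()
        if key_id:
            issuers.append(key_id)
    return issuers


def keyring_key_ids(keyring_bytes):
    """Map key ID -> fingerprint for each v4 primary key and subkey in a binary keyring."""
    keys = {}
    for tag, body in _packets(keyring_bytes):
        if tag in (PUBKEY, PUBSUBKEY) and body[0] == 4:
            # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body); key ID = low 64 bits
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            keys[fpr[-16:]] = fpr
    return keys


def audit(sig_bytes, keyring_bytes):
    """Split the issuers of a Release.gpg into (found in keyring, not found)."""
    known = keyring_key_ids(keyring_bytes)
    issuers = signature_issuers(sig_bytes)
    return [k for k in issuers if k in known], [k for k in issuers if k not in known]


def _packet(tag, body):
    """New-format packet header for bodies shorter than 192 bytes (constructed data only)."""
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed toy keyring: one v4 "RSA" key with a 16-bit modulus. Not a real key.
TOY_KEYRING = _packet(PUBKEY, b"\x04" + struct.pack(">I", 1336694400) + b"\x01"
                      + b"\x00\x10\xC3\xA5" + b"\x00\x11\x01\x00\x01")


def detached_sig_skeleton(issuer_key_id_hex):
    """Constructed Release.gpg-shaped packet naming an issuer. The signature MPI is a
    dummy, so it verifies nothing; it only exercises the parser."""
    hashed = b"\x05\x02" + struct.pack(">I", 1700000000)            # creation time (type 2)
    unhashed = b"\x09\x10" + bytes.fromhex(issuer_key_id_hex)       # issuer key ID (type 16)
    body = (b"\x04\x00\x01\x0a" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + b"\x00\x08\x2a")
    return _packet(SIGNATURE, body)


if __name__ == "__main__":
    import glob
    import sys
    # Usage: python3 apt_key_audit.py Release.gpg   (keyrings read from the local system)
    paths = glob.glob("/etc/apt/trusted.gpg.d/*.gpg") + ["/etc/apt/trusted.gpg"]
    keyring = b"".join(open(p, "rb").read() for p in paths if __import__("os").path.exists(p))
    found, missing = audit(open(sys.argv[1], "rb").read(), keyring)
    print("signed by trusted key(s):", found or "-")
    print("signed by key(s) NOT in trusted keyrings:", missing or "-")
```

Run it against each source's Release.gpg (fetched with the same base URL, dist and filename apt uses, e.g. http://us.archive.ubuntu.com/ubuntu/dists/bionic/Release.gpg); a key whose ID never appears in the "found" column for any configured source is a candidate for removal from /etc/apt/trusted.gpg.d. On 18.04 the keyrings there are binary .gpg files; an ASCII-armoured .asc keyring would have to be dearmored (for example with `gpg --dearmor`) before being fed to this parser.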