everyone! I have a Debian device and I want it to upgrade automatically from my repository. To do that I just call apt-get from cron:
apt-get --assume-yes --force-yes install mypackage
But in this case it will install the package even if it can't check the signature. How do I check the signature before installing it?
1 Answer
There are two types of GPG signatures:
- GPG signatures on the APT repository metadata, and
- GPG signatures on Debian packages.
In order to verify the APT repository metadata, you need to import the public GPG key of the signer with something like this:
wget -O - https://url/key | sudo apt-key add -
In order to verify Debian package signatures it is much more complicated and most package providers (like Ubuntu and Debian) don't sign packages. Most likely, the package you are trying to install is not signed.
However, if the package is signed and you'd like to verify it, you'll need to:
- Ensure you have debsig-verify installed.
- Create an XML policy document for verifying package signatures.
- Modify /etc/dpkg/dpkg.cfg to enable package signature verification. CAUTION: You should ensure that enabling this option does not break package installation of unsigned packages (like the ones provided by Ubuntu and Debian).
- Package signatures will be verified when installed with apt-get.
Check out this blog post I wrote called GPG sign and verify deb packages and APT repositories, which explains everything you need to know about verifying Debian packages and APT repositories and includes some example configurations for debsig-verify.
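As an added example (editor's code, not from the original answer or the linked blog post), the following POSIX shell script does the two checks the answer describes: it lays out the policy and keyring directories that debsig-verify reads by default, verifies a .deb's embedded origin signature before dpkg installs it, and shows the repository-level apt-get call without --force-yes, the flag that makes the questioner's cron job ignore failed metadata verification (apt-get -y aborts on unauthenticated packages when that flag is absent). The key ID 0123456789ABCDEF, the organisation name myorg and the package name mypackage are placeholders. Calling debsig-verify explicitly, rather than removing no-debsig from /etc/dpkg/dpkg.cfg, sidesteps the CAUTION above: unsigned Debian and Ubuntu packages keep installing normally, and only your own packages are held to the policy.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumptions: our packages are
# signed with the key whose long ID is 0123456789ABCDEF (debsigs --sign=origin),
# the org is "myorg", and debsig-verify plus gpg are installed on the target host.
set -eu

KEYID="${KEYID:-0123456789ABCDEF}"   # assumption: long key ID of the signing key
KEYRING="myorg.gpg"                  # keyring file name referenced by the policy

# Write the policy debsig-verify looks up under /etc/debsig/policies/<KEYID>/
# and create the matching keyring dir /usr/share/debsig/keyrings/<KEYID>/.
# $3 is an optional root prefix so the layout can be staged in a scratch dir.
write_debsig_policy() {
    keyid="$1"; keyring="$2"; root="${3:-}"
    pol_dir="$root/etc/debsig/policies/$keyid"
    key_dir="$root/usr/share/debsig/keyrings/$keyid"
    mkdir -p "$pol_dir" "$key_dir"
    cat > "$pol_dir/myorg.pol" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="myorg" id="$keyid" Description="myorg package signing key"/>
  <Selection>
    <Required Type="origin" File="$keyring" id="$keyid"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="$keyring" id="$keyid"/>
  </Verification>
</Policy>
EOF
    printf '%s\n' "$pol_dir/myorg.pol"
}

# Export the public key as a binary keyring into the directory the policy names.
install_debsig_keyring() {
    keyid="$1"; keyring="$2"; root="${3:-}"
    gpg --export "$keyid" > "$root/usr/share/debsig/keyrings/$keyid/$keyring"
}

# Package-level check: verify the .deb's origin signature against the policy,
# and only then hand it to dpkg. dpkg.cfg (no-debsig) is left untouched, so
# unsigned Debian/Ubuntu packages are unaffected.
install_if_signed() {
    deb="$1"
    if debsig-verify "$deb"; then
        dpkg -i "$deb"
    else
        echo "refusing to install $deb: debsig-verify failed" >&2
        return 1
    fi
}

# Repository-level check: with --force-yes dropped, apt-get -y refuses to
# proceed when the repository metadata signature cannot be verified.
apt_install_authenticated() {
    pkg="$1"
    apt-get update
    apt-get --assume-yes install "$pkg"
}

# Run the full procedure only when asked, so the functions can be sourced.
if [ "${DEBSIG_EXAMPLE_RUN:-0}" = "1" ]; then
    write_debsig_policy "$KEYID" "$KEYRING"
    install_debsig_keyring "$KEYID" "$KEYRING"
    apt_install_authenticated mypackage
fi
```

Run with DEBSIG_EXAMPLE_RUN=1 as root on the target host to stage the policy and keyring and perform the apt-get install; for a locally fetched .deb, call install_if_signed ./mypackage_1.0_amd64.deb instead. The key ID in the policy directory name, the Origin id and the Required id must all be the same key, or debsig-verify rejects every package.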
