Dotdeb packages are now signed!
July 11th, 2010 | by Guillaume Plessis

After many requests from several users and many months of promises, the Dotdeb repositories are now GPG-signed. Yes, you can now get rid of the annoying “WARNING: The following packages cannot be authenticated!” message!
Until a dotdeb-keyring package is available, you just have to fetch the key and add it to your keyring of trusted keys:
gpg --keyserver keys.gnupg.net --recv-key 89DF5277
gpg -a --export 89DF5277 | sudo apt-key add -
I hope you’ll enjoy it.
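
An added example, not part of the original post or of Dotdeb's own tooling: a short key ID such as 89DF5277 is only 32 bits, and neither a keyserver nor a plain-HTTP download authenticates the key, so the full fingerprint should be compared with one obtained through a separate channel before apt-key add is run. The fingerprints, sample listings and function names are constructed for illustration, and `gpg --show-keys` assumes a recent GnuPG 2.x.

```shell
#!/bin/sh
# Added example. Every fingerprint below is constructed; none is the real
# Dotdeb key. Obtain the expected value through a separate, trusted channel.

# Read `gpg --with-colons` output on stdin, print primary-key fingerprints.
# A "pub" record is followed by an "fpr" record (fingerprint in field 10);
# "fpr" records that follow a "sub" record belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Strip spaces and upper-case, so "0123 4567 ..." style input compares equal.
normalise() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# verify_listing EXPECTED < listing
# Succeeds only if the listing holds exactly one primary key and its full
# fingerprint equals EXPECTED. A file bundling a second key fails, because
# `apt-key add` would trust every key in the file.
verify_listing() {
    expected=$(normalise "$1")
    found=$(primary_fingerprints)
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# Constructed listings. Both primary keys share the short ID 89DF5277.
listing_expected() {
    printf '%s\n' \
        'pub:-:4096:1:89ABCDEF89DF5277:1278806400:::-:::scSC:' \
        'fpr:::::::::0123456789ABCDEF0123456789ABCDEF89DF5277:' \
        'uid:-::::1278806400::::Constructed Archive Key::::::::::0:' \
        'sub:-:4096:1:1111222233334444:1278806400::::::s:' \
        'fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:'
}
listing_lookalike() {
    printf '%s\n' \
        'pub:-:4096:1:7654321089DF5277:1278806400:::-:::scSC:' \
        'fpr:::::::::FEDCBA9876543210FEDCBA987654321089DF5277:'
}

EXPECTED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 89DF 5277'
listing_expected  | verify_listing "$EXPECTED" && echo "expected key: accept"
listing_lookalike | verify_listing "$EXPECTED" || echo "same short ID, other key: reject"
{ listing_expected; listing_lookalike; } | verify_listing "$EXPECTED" || echo "two keys in one file: reject"

# Real use (EXPECTED_FPR is a placeholder; file name as used on this page):
#   gpg --show-keys --with-colons dotdeb.gpg | verify_listing "$EXPECTED_FPR" \
#       && sudo apt-key add dotdeb.gpg
```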

57 Responses to “Dotdeb packages are now signed!”
By acid on Jul 11, 2010 | Reply
I love you! Seriously, thanx for your work!!
By daniel on Jul 11, 2010 | Reply
gorgeous
By danei on Jul 12, 2010 | Reply
Yes I enjoy that
By amine on Jul 12, 2010 | Reply
nice
By amine on Jul 12, 2010 | Reply
Hi, I have a problem,
I added in the /etc/apt/sources.list
deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org stable all
when I do apt-get update I have this error :
W: GPG error: http://packages.dotdeb.org stable Release: Les signatures suivantes n’ont pas pu être vérifiées car la clé publique n’est pas disponible : NO_PUBKEY E9C74FEEA2098A6E
any idea please ?
By Guillaume Plessis on Jul 12, 2010 | Reply
@amine : just fetch the GnuPG key and add it to your APT keyring, as explained in the above post.
By gosi on Jul 12, 2010 | Reply
Thanks for all your effort!
By Jockl on Jul 12, 2010 | Reply
Thank you! Everything worked fine…as always!
By waiter on Jul 13, 2010 | Reply
Cool! Thanks a lot!
By Tyrael on Jul 13, 2010 | Reply
thank you!
Tyrael
By The BLION Corp. on Jul 14, 2010 | Reply
Hello,
Great. With these signatures, I (or even my customers) can now upgrade directly from Virtualmin panel.
By Pandark on Jul 14, 2010 | Reply
Thank you very much.
If it doesn’t work first, you may have to open the 11371 port as I did.
By H.T on Jul 16, 2010 | Reply
Hello,
Thank you for signing the packages.
To nitpick, is it really necessary to write “sudo” before the apt-key add?
For those who use the power of root without further ado, it can be confusing.
By Joshaven Potter on Jul 16, 2010 | Reply
I got the following error:
W: GPG error: http://php53.dotdeb.org stable Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY E9C74FEEA2098A6E
W: You may want to run apt-get update to correct these problems
After trying the above I got:
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
and fixed everything with:
wget http://packages.dotdeb.org/dotdeb.gpg && apt-key add dotdeb.gpg && rm dotdeb.gpg
By Guillaume Plessis on Jul 17, 2010 | Reply
@H.T. : everyone is free to adopt the security policy that suits them
By Scott Grayban on Jul 19, 2010 | Reply
oh hell ya !!!
By Njko on Jul 19, 2010 | Reply
Great news!
Honestly, I thought, let's go see dotdeb if the packages are now signed.. and the first message I saw was this one.
Thanks a lot man!
By Vide on Jul 22, 2010 | Reply
Thanks!
By Adub on Jul 23, 2010 | Reply
@Joshaven Potter
Thank you so much! Your solution worked wonders for me.
By JarekMk on Jul 24, 2010 | Reply
Guillaume, did you check your mailbox?
By Guillaume Plessis on Jul 24, 2010 | Reply
@JarekMk : I’ll answer soon
By JarekMk on Jul 25, 2010 | Reply
OK I wait. Thank you.
By petr on Jul 27, 2010 | Reply
Hello, the file at http://packages.dotdeb.org/dotdeb.gpg is not found?
Is this file available for download at another location? Help, pls.
By Guillaume Plessis on Jul 27, 2010 | Reply
@petr : it’s back. Sorry. You could use keys.gnupg.net to receive the key instead.
By petr on Jul 27, 2010 | Reply
@Guillaume Plessis
thx, all ok now
By kepi on Aug 13, 2010 | Reply
Finally, thanks!
By vixns on Aug 20, 2010 | Reply
http://packages.dotdeb.org/dotdeb.gpg => 404
By Guillaume Plessis on Aug 20, 2010 | Reply
@vixns : Please use keys.gnupg.net to get the key.
By Speckles on Aug 30, 2010 | Reply
Note: if your system doesn’t have the gpg command, the package to get it is called gnupg. Since it took me several hours to figure this out, I figured I should post this here to save any fellow newbs some time.
By karfes on Sep 1, 2010 | Reply
I am new to this keyring issue. How do you fetch the GnuPG key? I need some guidance.
By Burn on Sep 3, 2010 | Reply
> gpg --keyserver keys.gnupg.net --recv-key 89DF5277
gpg: requesting key 89DF5277 from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
> wget http://packages.dotdeb.org/dotdeb.gpg && apt-key add dotdeb.gpg && rm dotdeb.gpg
--2010-09-03 04:43:17-- http://packages.dotdeb.org/dotdeb.gpg
Resolving packages.dotdeb.org... 79.125.3.21
Connecting to packages.dotdeb.org|79.125.3.21|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2010-09-03 04:43:17 ERROR 404: Not Found.
By Mentalow on Sep 5, 2010 | Reply
Hey
The key isn't found with your guide! The key doesn't exist in the database
By Scott Grayban on Sep 6, 2010 | Reply
Wow people really do not read anything these days.
The error was “keyserver timed out” doh !! So for the newbies with no education that means the keyserver is having an issue not “key not found”.
Second read http://www.dotdeb.org/2010/07/11/dotdeb-packages-are-now-signed/#comment-2556
Start reading instead of being spoon fed here.
By Burn on Sep 6, 2010 | Reply
After disabling the firewall, I got the key successfully
By tim on Sep 7, 2010 | Reply
sweet
By kirk1h on Sep 17, 2010 | Reply
I have no idea why the key is not on this server nor on keys.gnupg.net anymore. If anyone needs the key, you can download it from my server:
wget http://88.198.62.123/randomstuff/dotdeb.gpg
sudo apt-key add dotdeb.gpg
By Guillaume Plessis on Sep 17, 2010 | Reply
Here it is : http://www.dotdeb.org/dotdeb.gpg
By Scott Grayban on Sep 26, 2010 | Reply
Gui are you going to make a signing package people can install instead ?
I think that would be best if not having the key imported automatically when they update their apt.
I think all you have to do is create Release.gpg with your pubkey in it.
By Scott Grayban on Sep 26, 2010 | Reply
Setting up a secure apt repository
From man apt-secure
If you want to provide archive signatures in an archive under your maintenance you have to:
* Create a toplevel Release file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils).
* Sign it. You can do this by running gpg -abs -o Release.gpg Release.
* Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.
Whenever the contents of the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps previously outlined.
By Guillaume Plessis on Sep 27, 2010 | Reply
@Scott Grayban : the repository is signed using the two steps you described. I just have to make a dotdeb-keyring package but I need some more work on it.
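
What the two signing steps quoted from man apt-secure give a client, as an added example (not Dotdeb's scripts): Release records a hash for every index file, so one signature over Release also covers Packages and, through the hashes listed in Packages, the .deb files. The archive, paths and function names below are constructed for illustration.

```shell
#!/bin/sh
# Added example; the archive is constructed in a temporary directory.

# release_sha256 RELEASE PATH: print the SHA256 that RELEASE records for PATH.
# Release files group hashes in sections ("MD5Sum:", "SHA256:", ...) whose
# entries are indented lines of the form " <hash> <size> <path>".
release_sha256() {
    awk -v want="$2" '
        /^[^ ]/              { in_sha = ($1 == "SHA256:"); next }
        in_sha && $3 == want { print $1; exit }' "$1"
}

# check_index ROOT PATH: succeed only if ROOT/PATH hashes to the value that
# ROOT/Release lists for it. A path missing from Release also fails.
check_index() {
    listed=$(release_sha256 "$1/Release" "$2")
    actual=$(sha256sum "$1/$2" | cut -d' ' -f1)
    [ -n "$listed" ] && [ "$listed" = "$actual" ]
}

# Build a constructed one-package archive and print its root directory.
make_archive() {
    root=$(mktemp -d)
    mkdir -p "$root/all"
    printf 'Package: example\nVersion: 1.0\nSHA256: %064d\n' 0 > "$root/all/Packages"
    {
        printf 'Origin: constructed\nSuite: stable\nSHA256:\n'
        printf ' %s %s all/Packages\n' \
            "$(sha256sum "$root/all/Packages" | cut -d' ' -f1)" \
            "$(wc -c < "$root/all/Packages" | tr -d ' ')"
    } > "$root/Release"
    printf '%s\n' "$root"
}

root=$(make_archive)
check_index "$root" all/Packages && echo "untouched index: hash matches Release"
echo 'Package: injected' >> "$root/all/Packages"
check_index "$root" all/Packages || echo "modified index: hash mismatch, rejected"
rm -rf "$root"

# The signature over Release itself is checked separately, against a key
# that is already trusted:  gpg --verify Release.gpg Release
```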
By Toxic292 on Sep 30, 2010 | Reply
Ports used with command “gpg --keyserver [...]” are the following:
hkp 11371/tcp # OpenPGP HTTP Keyserver
hkp 11371/udp # OpenPGP HTTP Keyserver
For the lucky ones that can configure their firewall…
By flo on Nov 25, 2010 | Reply
Just use this:
wget http://www.dotdeb.org/dotdeb.gpg && apt-key add dotdeb.gpg && rm dotdeb.gpg
By JP on Jan 3, 2011 | Reply
This took me a little while to figure out, so this is what worked for me:
wget -q -O - http://www.dotdeb.org/dotdeb.gpg | sudo apt-key add -
By Scott on Jan 3, 2011 | Reply
There are a number of ways to import the key.
By neissa on Jan 18, 2011 | Reply
Open port out tcp 11371
for gpg
By Scott on Jan 18, 2011 | Reply
Port 11371 has nothing to do with gpg package signing.
By Paulo Graça on Nov 3, 2011 | Reply
The following worked for me:
> wget -q -O dotdeb.gpg http://www.dotdeb.org/dotdeb.gpg
> sudo apt-key add dotdeb.gpg