
Dotdeb packages are now signed!

After many requests from users and many months of promises, the Dotdeb repositories are now GPG-signed. Yes, you can now get rid of the annoying “WARNING: The following packages cannot be authenticated!” message!

Until a dotdeb-keyring package is available, you just have to fetch the key and add it to your keyring of trusted keys:

gpg --keyserver keys.gnupg.net --recv-key 89DF5277
gpg -a --export 89DF5277 | sudo apt-key add -

I hope you’ll enjoy it.
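
The commands above select the key by its 8-character short ID. As an added example (not part of the original post), this script checks a downloaded key file against a full fingerprint before the file is passed to apt-key add. The sample listing and fingerprints are constructed placeholders, the function names are hypothetical, and it assumes a GnuPG 2.x that supports --show-keys and a fingerprint obtained from the maintainer over a channel you trust.

```sh
#!/bin/sh
# Added example: check a key file's full fingerprint before trusting it for APT.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEFAAAABBBB:1262304000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAABBBB:
uid:-::::1262304000::0000::Example Archive <archive@example.invalid>::::::::::0:
sub:-:4096:1:765432101111AAAA:1262304000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98765432101111AAAA:'

# Print the fingerprint (field 10 of the "fpr" record) of every primary key
# in a colon listing read from stdin. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Strip whitespace and upper-case hex so "0123 4567 ..." compares equal.
normalise() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# check_listing EXPECTED_FPR  (colon listing on stdin)
# Succeeds only if the listing holds exactly one primary key and its
# fingerprint equals EXPECTED_FPR.
check_listing() {
    expected=$(normalise "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected exactly one key, found $count" >&2
        return 1
    fi
    if [ "$found" != "$expected" ]; then
        echo "refusing: fingerprint is $found" >&2
        return 1
    fi
}

# verify_keyfile FILE EXPECTED_FPR: inspect FILE without importing it.
verify_keyfile() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | check_listing "$2"
}

# Usage: sh verify-key.sh dotdeb.gpg "<fingerprint from the maintainer>"
if [ "$#" -eq 2 ]; then
    verify_keyfile "$1" "$2" && echo "fingerprint matches: $1"
fi
```

Run apt-key add on the file only after the script reports a match; a file holding more than one key, or a key whose fingerprint differs, is rejected.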

66 replies on “Dotdeb packages are now signed!”

Hello,

Thanks for signing the packages.
To nitpick, is it really necessary to write “sudo” before the apt-key add?

For those who use the power of root without further ado, it can be confusing 😉

I got the following error:
W: GPG error: http://php53.dotdeb.org stable Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY E9C74FEEA2098A6E
W: You may want to run apt-get update to correct these problems

After trying the above I got:
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

and fixed everything with:
wget http://packages.dotdeb.org/dotdeb.gpg && apt-key add dotdeb.gpg && rm dotdeb.gpg

Great news!

Honestly, I thought, let's go see dotdeb if the packages are now signed... and the first message I saw was this one.

Thanks a lot man!

Note: if your system doesn’t have the gpg command, the package to get it is called gnupg. Since it took me several hours to figure this out, I figured I should post this here to save any fellow newbs some time.

> gpg --keyserver keys.gnupg.net --recv-key 89DF5277
gpg: requesting key 89DF5277 from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
> wget http://packages.dotdeb.org/dotdeb.gpg && apt-key add dotdeb.gpg && rm dotdeb.gpg
--2010-09-03 04:43:17-- http://packages.dotdeb.org/dotdeb.gpg
Resolving packages.dotdeb.org... 79.125.3.21
Connecting to packages.dotdeb.org|79.125.3.21|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2010-09-03 04:43:17 ERROR 404: Not Found.

Gui, are you going to make a signing package people can install instead?

I think that would be best if not having the key imported automatically when they update their apt.

I think all you have to do is create Release.gpg with your pubkey in it.

Setting up a secure apt repository

From man apt-secure

If you want to provide archive signatures in an archive under your maintenance you have to:

* Create a toplevel Release file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils).
* Sign it. You can do this by running gpg -abs -o Release.gpg Release.
* Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.

Whenever the contents of the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps previously outlined.

The ports used with the command “gpg --keyserver […]” are the following:

hkp 11371/tcp # OpenPGP HTTP Keyserver
hkp 11371/udp # OpenPGP HTTP Keyserver

For the lucky ones that can configure their firewall…

I think I am ready to go here, but when I attempt to install php55 or any version of php I get the following msg:
“E: Unable to locate package php55”

I can't believe that people can be so lazy as to not read the whole post describing how to add your signed key into apt.
