key import with apt-add-repository and own repository possible?

Solution 1

Both apt-add-repository and add-apt-repository have a -k option you can use to specify your own public keyring repository. apt-key can add the fingerprint of the key you control and trust. Of course you can simply add a public key to the keyserver.ubuntu.com or other keyserver rather than using your own keyserver, but apt still must be told the key fingerprints. See Saji89's helpful answer about apt-key at https://askubuntu.com/a/217529/63886 (and vote it up if it proves useful to you).

You can also use medibuntu's approach as automation if many computers are involved. Here's how medibuntu.org does it:

sudo -E wget --output-document=/etc/apt/sources.list.d/medibuntu.list http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list && sudo apt-get --quiet update && sudo apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring && sudo apt-get --quiet update

That is followed up by installing a couple more packages once the repo has been added.


As explanation:

sudo -E wget --output-document=/etc/apt/sources.list.d/medibuntu.list http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list

adds the repo itself to your configuration.

sudo apt-get --quiet update

Updates the apt-get information from the new (and all other repos).

sudo apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring

Installs the public key for the repository. The --allow-unauthenticated is how you avoid the chicken and egg problem.

sudo apt-get --quiet update

Updates apt again.

Then application data and debugging hooks packages are added for their applications.

You can browse their repo http://packages.medibuntu.org/ to see how their packages do the job.
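The medibuntu one-liner above bootstraps trust with --allow-unauthenticated, which means the first keyring package is installed without any verification. The following added example (not from the answer above and not medibuntu's own code) shows the alternative the answer hints at with apt-key and fingerprints: fetch the repository key, refuse it unless its fingerprint matches one you verified out of band, and restrict it to that one repository with apt's signed-by option. The key URL, repository URL, keyring path and EXPECTED_FPR are placeholders; it assumes GnuPG 2.2 or newer (for --show-keys) and an ASCII-armored key file.

```shell
#!/bin/sh
# Added example: pin a third-party apt repository key by fingerprint instead of
# installing its keyring with --allow-unauthenticated. All URLs/paths/values
# below are placeholders to be replaced with your own repository's.
set -eu

EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder: fingerprint verified out of band
KEY_URL="https://example.invalid/repo/archive-key.asc"     # placeholder: armored public key
REPO_URL="https://example.invalid/repo"                    # placeholder: repository base URL
KEYRING="/etc/apt/keyrings/example-archive-keyring.gpg"    # placeholder: per-repo keyring
LIST="/etc/apt/sources.list.d/example.list"                # placeholder: sources entry

# Print every 40-hex fingerprint found in `gpg --with-colons` output ($1),
# one per line. In colon format an "fpr" record carries the fingerprint in field 10.
fingerprints_in() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed only if the expected fingerprint ($2) is among those in the colon output ($1).
fingerprint_matches() {
    fingerprints_in "$1" | grep -qx "$2"
}

# Build a deb line that ties the suite to this keyring only (signed-by), so a
# compromised or over-shared key cannot vouch for any other repository's metadata.
# $1 keyring path, $2 repository URL, $3 suite, $4 components
sources_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Download the key, verify it against the pinned fingerprint, then install it
# and the sources entry. Run as root; nothing is written before the check passes.
install_pinned_key() {
    tmp=$(mktemp)
    wget --quiet --output-document="$tmp" "$KEY_URL"
    cols=$(gpg --show-keys --with-colons --with-fingerprint "$tmp")
    if ! fingerprint_matches "$cols" "$EXPECTED_FPR"; then
        echo "key at $KEY_URL does not match pinned fingerprint $EXPECTED_FPR; refusing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -d -m 0755 /etc/apt/keyrings
    gpg --dearmor < "$tmp" > "$KEYRING"
    rm -f "$tmp"
    sources_line "$KEYRING" "$REPO_URL" "$(lsb_release -cs)" "main" > "$LIST"
    apt-get --quiet update
}
```

Call install_pinned_key from the script's end (or from a package postinst) once the placeholders are filled in; keep the whole thing as the one-liner replacement, since the fingerprint check is the only step that makes the first update trustworthy.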

Solution 2

If you are asking about whether add-apt-repository will work with your own repo that you host yourself rather than on Launchpad, the answer is "No", and with good reason.

The add-apt-repository tool provides a cryptographically strong trust relationship to valid Launchpad PPAs. What it can't guarantee is that you should trust the Launchpad users who have upload access to a given PPA, but it still provides a good audit trail and a guarantee that packages at least come from the claimed PPA.

If what you were asking for was possible, it would have no trust guarantee at all and would be more or less equivalent to Windows users downloading random things from random websites at random moments in time.

Is there a good reason why you need to use your own repo, why you can't use a PPA?

Author: brejoc

Updated on September 18, 2022

Comments

  • brejoc over 1 year

    Is it possible to use the public-gpg-key import feature of apt-add-repository with my own reprepro repository? Is there e.g. something like a default key server where apt-add-repository expects to find the keys or a path within the (http) repository where it will look for it?

  • brejoc over 10 years

    Okay, then add-apt-repository should be renamed to add-ppa-repository. You are right, you have to trust the developer or maintainer to not break your system or sneak in bad stuff. But that is the same for PPAs and own repositories. In that regard there is nothing special about PPAs. If you are adding 3rd party repositories to your system you should trust them or you shouldn't add the repository. We are using our own repositories for proprietary customer software and deployment of modified packages within closed networks. Nothing that would fit PPA.
  • brejoc over 10 years

    Thanks for this very detailed answer, John! I have indeed published the public key to keyserver.ubuntu.com and thought apt-add-repository would fetch the key from there. But this seems to fail. I don't know why, because even with -m the output is not very detailed. At the moment I am just deploying a deb package that includes the key. In the post-install script of the package the repository gets added and the key is imported. Could be worse, but having a one-liner would be nicer. Especially since apt-add-repository seemed to offer that capability.