What are the GPG signatures
What is GPG?
GPG, or GNU Privacy Guard, is a suite of cryptographic software. It can be used to encrypt or sign data and communications to ensure its authenticity.
This type of cryptography is based on key pairs. A public key is hosted on a key server (e.g. keyserver.ubuntu.com) and the private key is kept secret. Using the public key, one can verify the signature made by a private key. Likewise, knowing someone's public key will allow you to encrypt a message that can only be read by the holder of the corresponding secret key.
Further Reading: GnuPG for Daily Use (a Mini How-To...)
What's this have to do with me?
In this context, the apt repository that you are downloading a package from should be signed by a secret key so that you can verify that the packages you are installing come from where they say they are.
The actual file in the repository that is signed is the Release file. This file contains the checksums of a number of other files in the repository. For instance, here is the file for the official Ubuntu 12.10 repository and its corresponding GPG signature. When you install a package, apt verifies the signature.
Further Reading: All about secure apt
Common Issues
The public key for the official Ubuntu archive is already known by your computer, but if you want to add a PPA or third-party repository you must import their key. If you try to update a repository whose key you don't have, you'll see warnings like:
W: GPG error: http://ppa.launchpad.net oneiric Release: The following signatures
couldn't be verified because the public key is not available: NO_PUBKEY B725097B3ACC3965
When you install a package from that repository, you will also receive a warning:
WARNING: The following packages cannot be authenticated!
dropbox
Install these packages without verification [y/N]?
While these warnings can be silenced by running apt with the --allow-unauthenticated flag, it is better to add the key to your system so that you can take advantage of the added security.
When adding a PPA you should use the add-apt-repository tool as this will automatically handle adding the key for you. If you need to add the key manually, use the following command:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY_ID_HERE
If you'd rather do this without using the terminal, consult this answer.
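As an added illustration of the checksum half of what the answer describes (apt checks the signed Release file, then checks each index file against the checksums listed in it), here is a small Python example that parses the SHA256: block of a Release file and verifies a Packages file against it. It is not apt's own code; the Release text and Packages content are constructed samples, and the GPG signature check that must come first is assumed to have already passed.

```python
import hashlib

# Constructed sample of an apt Release file (not a real Ubuntu one). Each line
# under "SHA256:" has the form: <sha256 hex> <size in bytes> <path in the repo>.
SAMPLE_RELEASE = """Origin: Example
Suite: oneiric
Codename: oneiric
SHA256:
 {pkg_hash} {pkg_size} main/binary-amd64/Packages
 0000000000000000000000000000000000000000000000000000000000000000 12 main/binary-amd64/Release
"""

# Constructed sample Packages index that the Release file above covers.
SAMPLE_PACKAGES = (b"Package: dropbox\nVersion: 1.0-1\n"
                   b"Filename: pool/main/d/dropbox/dropbox_1.0-1_amd64.deb\n")


def build_release():
    """Fill the constructed Release template with the real digest of SAMPLE_PACKAGES."""
    return SAMPLE_RELEASE.format(pkg_hash=hashlib.sha256(SAMPLE_PACKAGES).hexdigest(),
                                 pkg_size=len(SAMPLE_PACKAGES))


def parse_release_sha256(text):
    """Return {path: (sha256_hex, size)} from the SHA256: block of a Release file."""
    entries = {}
    in_block = False
    for line in text.splitlines():
        if not line.startswith(" "):
            # A new field starts; only the indented lines under SHA256: matter here.
            in_block = line.strip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release_text, path, data):
    """True only if `data` matches both the size and SHA256 recorded for `path`.
    This is what apt does for each index file after the Release signature has been
    checked with the archive's public key; it does not replace that GPG step."""
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return False          # a file the signed Release does not vouch for
    digest, size = entries[path]
    if len(data) != size:
        return False          # cheap size check before hashing
    return hashlib.sha256(data).hexdigest() == digest


if __name__ == "__main__":
    print(verify_index(build_release(), "main/binary-amd64/Packages", SAMPLE_PACKAGES))
```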
Luis Alvarado
Updated on September 18, 2022
Comments
Luis Alvarado almost 2 years
Looking at questions like THIS, THIS and THIS I ask for public knowledge the following questions:
What are the GPG Signatures for?
What additional level of security do the Signatures add or provide to users?
What are some of the common problems associated with GPG Signatures with PPAs in Launchpad and why are they produced?