
Re: backports



Florian Kulzer wrote:
> On Sun, Jun 24, 2007 at 08:54:05 +0100, Chris Lale wrote:
>> Florian Kulzer wrote:
>> [...]
>>> An even better approach would be to download the Backports.org Archive
>>> Key manually and to check the signature before adding the new key to
>>> apt's keyring. (Installing the debian-backports-keyring package directly
>>> means that an unverified post-installation script has root on your
>>> computer, therefore you cannot really trust anything after that,
>>> including the keys on the Debian keyring.)
>>>
>>> P.S. The same goes for the debian-multimedia-keyring package.
>>>
>> Yes, Florian, you must be right! I wonder why they offer the keyring package?
> 
> The keyring package allows automatic installation of new signing keys,
> just like debian-archive-keyring for the normal Debian pool. This is
> safe - or at least as "safe" as your basic trust in Debian is - provided
> that you perform the initial check. From then on, each new key can be
> verified (automatically) with the old key during a transition period and
> the chain of trust remains intact. (I don't know how often they will
> issue a new key for the backports archive, though; the normal Debian
> archive keys get updated at least once a year.)
> 
>> The instructions page does give instructions about how to install the key -
>> and no mention of the debian-backports-keyring package:
>>
>> 	... you can import backports.org archive’s key into apt:
>>
>> 	gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
>> 	gpg --export | apt-key add -
>>
>> 	or
>>
>> 	wget -O - http://backports.org/debian/archive.key | apt-key add -
>>
>> No mention of how to check it though. Can you check the sig before installing
>> the key?
> 
> Yes, you can: Just run the "gpg ... --recv-keys ..." command as your
> normal user and the new key will be added (as untrusted) to your normal
> user's public keyring. Then you can perform the check:
> 
> $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 16BA136C
> 
> and make sure that Joerg Jaspert's signature (key 7E7B8AC9) is valid.
> After that you can feed the key to apt
> 
> $ gpg -a --export 16BA136C | sudo apt-key add -
> 
> and you are all set. If you do not want to use sudo then you can export
> the key to a file before you become root:
> 
> $ gpg -a --export 16BA136C > backports-archive-key.txt
> # apt-key add backports-archive-key.txt
> 
> If you have problems with the keyserver then you can use the wget
> command to add the key to your public keyring:
> 
> $ wget -O - http://backports.org/debian/archive.key | gpg --import -
> 
> Then you can perform the same check before you tell apt to trust the
> key. I would avoid running anything as root except for the apt-key
> command.
> 

How do you check the output of "gpg --check-sigs"? I Googled a bit and it seems
that an exclamation mark ("!") indicates a successful check. Is that true?
e.g.
$ gpg --check-sigs --keyring /usr/share/keyrings/debian-backports-keyring.gpg

/usr/share/keyrings/debian-backports-keyring.gpg
------------------------------------------------
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key <ftp-master@backports.org>
sig!3        16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
sig!3        16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>


I wanted to find a generic method of importing and checking keys for a number of
unofficial deb sites. It is difficult to find the key ids on some of the
websites. One thing they all had in common was having a keyring package. I tried
backports.org, debian-multimedia.org and debian-unofficial.org. So, here is my
generic method:

1. Add the appropriate line to /etc/apt/sources.list.

2. Update with apt-get or aptitude.

3. Install the appropriate keyring package (e.g. debian-multimedia-keyring). The
keyrings all end up in /etc/share/keyrings/${package-name}.gpg

4. Check the signatures IMMEDIATELY, e.g.
$ gpg --check-sigs --keyring /usr/share/keyrings/debian-multimedia-keyring.gpg

5. If the check fails,

a. Purge the keyring package and check that the keyring subdirectory has been
removed from /etc/share/keyrings/.

b. You can still install packages from the suspect repository, but there will be
a warning. To be safe, remove the repository line from /etc/apt/sources.list.

-- 
Chris.
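As an added illustration that is not part of this thread: a small Python parser for the human-readable `sig` lines that `gpg --check-sigs` prints, run over constructed output shaped like the listing in the mail above. Its `key_certified_by` check only passes when a good ("!") signature comes from a key other than the listed key itself, which is the distinction the earlier reply draws between a self-signed key and one certified by a key already in the Debian keyring; the key ids are the ones named in the thread, the extra sample lines are made up.

```python
import re
from collections import namedtuple

# Human-readable "sig" lines as printed by gpg 1.4's --check-sigs, e.g.
#   sig!3        16BA136C 2005-08-21  Backports.org Archive Key <...>
# The character right after "sig" is the check result: '!' good, '-' bad,
# '%' could not be checked (signing key not in the keyring); the optional
# digit is the certification level.
SIG_RE = re.compile(r"^sig(?P<status>[!\-%])?(?P<level>[0-9])?\s+(?P<keyid>[0-9A-Fa-f]{8,16})"
                    r"\s+\d{4}-\d{2}-\d{2}\s+(?P<uid>.*)$")
PUB_RE = re.compile(r"^pub\s+\S+/(?P<keyid>[0-9A-Fa-f]{8,16})\s")
Signature = namedtuple("Signature", "status level keyid uid")  # status '' = not checked

def parse_check_sigs(text):
    """Return (primary key id, [Signature, ...]) parsed from --check-sigs output."""
    primary, sigs = None, []
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            primary = m["keyid"].upper()
        elif m := SIG_RE.match(line):
            sigs.append(Signature(m["status"] or "", m["level"] or "",
                                  m["keyid"].upper(), m["uid"].strip()))
    return primary, sigs

def key_certified_by(text, trusted_keyid):
    """True only if a good ('!') signature by trusted_keyid is present and that
    key is not the listed key itself: self-signatures say nothing about who
    holds the key, so a listing of only 'sig!' lines can still be worthless."""
    primary, sigs = parse_check_sigs(text)
    trusted = trusted_keyid.upper()
    return trusted != primary and any(s.status == "!" and s.keyid == trusted for s in sigs)

# Constructed sample shaped like the listing in the mail above (wrapped uid
# lines re-joined): every signature is good, but all are self-signatures.
SELF_SIGNED_ONLY = """\
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key <ftp-master@backports.org>
sig!3        16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
sig!3        16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
"""

# Constructed sample adding one good certification by 7E7B8AC9 (the key named
# in the thread; this line is made up) and one that could not be checked.
WITH_EXTERNAL_SIG = SELF_SIGNED_ONLY + """\
sig!3        7E7B8AC9 2005-08-21  Joerg Jaspert (constructed sample line)
sig%         0123ABCD 2005-08-21  [User ID not found]
"""
```

Running `key_certified_by(SELF_SIGNED_ONLY, "7E7B8AC9")` returns False even though every line in that listing carries "!", while the second sample returns True.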


