What is a repository key under Ubuntu and how do they work?

repository

Solution 1:

I found a nice explanation from Ubuntu Community Help Wiki.

  • What are Repositories?

"Authentication keys" are usually obtained from the maintainer of the software repository. The maintainer will often place a copy of the authentication key on a public key server such as www.keyserver.net. The key can then be retrieved using the command.

Apt Authentication

Apt-get package management uses public key cryptography to authenticate downloaded packages.

  • Debian does an excellent job of explaining Secure apt on this wiki page.

What follows is a short summary of the key acquisition and verification process gleaned from Debian's wiki page.

Basic Concepts Public key cryptography is based on pairs of keys, a public key and a private key. The public key is given out to the world; the private key must be kept a secret. Anyone possessing the public key can encrypt a message so that it can only be read by someone possessing the private key. It's also possible to use a private key to sign a file, not encrypt it. If a private key is used to sign a file, then anyone who has the public key can check that the file was signed by that key. No one who doesn't have the private key can forge such a signature.

gpg (GNU Privacy Guard) is the tool used in secure apt to sign files and check their signatures.

apt-key is a program that is used to manage a keyring of gpg keys for secure apt. The keyring is kept in the file /etc/apt/trusted.gpg (not to be confused with the related but not very interesting /etc/apt/trustdb.gpg). apt-key can be used to show the keys in the keyring, and to add or remove a key.

Each time you add another apt repository to /etc/apt/sources.list, you'll also have to give apt its key if you want apt to trust it. Once you have obtained the key, you can validate it by checking the key's fingerprint and then signing this public key with your private key. You can then add the key to apt's keyring with apt-key add <key>

Solution 2:

You need repository keys so you can validate you got the package from the person you think you're getting it from.

It's to keep people from injecting bad packages into your updates.

You should add repository keys whenever you can.

Related

How to disable all scopes, filters and dash plugins?
With an SSD, do I need to change my swappiness to increase SSD life?
How can I install the flash player for Chromium in Ubuntu 16.04? [duplicate]
Can and should UDF be used as a hard drive format?
Why is Canonical choosing QT over GTK for Unity's next generation?
loadparm.c:4864, leaking memory?
How do I configure Thunderbird to send plain text emails by default?
Can I view Firefox history with the terminal?
Printer problems after installing Ubuntu 20.04
Why do shells call fork()?
Is there Split Pane support in Gedit?
How to switch between headphones and speakers without unplugging headphones