What are the GPG signatures
Solution 1:
What is GPG?
GPG, or GNU Privacy Guard, is a suite of cryptographic software. It can be used to encrypt or sign data and communications to ensure their authenticity.
This type of cryptography is based on key pairs. A public key is hosted on a key server (e.g. keyserver.ubuntu.com) and the private key is kept secret. Using the public key, one can verify the signature made by a private key. Likewise, knowing someone's public key will allow you to encrypt a message that can only be read by the holder of the corresponding secret key.
Further Reading: GnuPG for Daily Use (a Mini How-To...)
What's this have to do with me?
In this context, the apt repository that you are downloading a package from should be signed by a secret key so that you can verify that the packages you are installing come from where they say they are.
The actual file in the repository that is signed is the Release file. This file contains the checksums of a number of other files in the repository. For instance, here is the file for the official Ubuntu 12.10 repository and its corresponding GPG signature. When you install a package, apt verifies the signature.
Further Reading: All about secure apt
Common Issues
The public key for the official Ubuntu archive is already known by your computer, but if you want to add a PPA or third-party repository you must import their key. If you try to update a repository whose key you don't have, you'll see warnings like:
W: GPG error: http://ppa.launchpad.net oneiric Release: The following signatures
couldn't be verified because the public key is not available: NO_PUBKEY B725097B3ACC3965
When you install a package from that repository, you will also receive a warning:
WARNING: The following packages cannot be authenticated!
dropbox
Install these packages without verification [y/N]?
While these warnings can be silenced by running apt with the --allow-unauthenticated flag, it is better to add the key to your system so that you can take advantage of the added security.
When adding a PPA you should use the add-apt-repository tool as this will automatically handle adding the key for you. If you need to add the key manually, use the following command:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY_ID_HERE
If you'd rather do this without using the terminal, consult this answer.
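The answer above describes the trust chain apt relies on: the Release file is the only signed object, and everything else (the Packages index, then each .deb) is trusted only through the checksums recorded in it. The following is an added example, not code from the answer or from apt itself, that walks that hash chain on a constructed miniature archive: a fake Release file with a SHA256 block, a fake Packages stanza, and fake .deb bytes, all built inline. It does not reproduce the signature check on Release itself (apt performs that with gpgv against Release.gpg or the inline signature in InRelease); it shows what that signature actually protects, and how a tampered index or package is caught by the hashes beneath it.

```python
"""Walk apt's hash chain beneath the signed Release file (illustrative example)."""
import hashlib
import re

# --- Constructed sample archive; not taken from any real Ubuntu repository ---
DEB_BYTES = b"!<arch>\n" + b"constructed .deb payload for the example"
DEB_PATH = "pool/main/d/dropbox/dropbox_1.0.0_amd64.deb"

# A Packages index stanza for the single package above (Filename, Size, SHA256).
PACKAGES = (
    "Package: dropbox\n"
    "Version: 1.0.0\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
).encode()

PACKAGES_PATH = "main/binary-amd64/Packages"

# The Release file: this is the object apt verifies a GPG signature over.
# Its SHA256 block lists " <hex digest> <size> <path>" for each index file.
RELEASE = (
    "Origin: Example\n"
    "Suite: oneiric\n"
    "Components: main\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_PATH}\n"
).encode()


def parse_release_sha256(release: bytes) -> dict:
    """Return {path: (sha256_hex, size)} from the Release file's SHA256 block."""
    entries = {}
    in_block = False
    for line in release.decode().splitlines():
        if not line.startswith(" "):
            # Any unindented line starts a new header; only "SHA256:" opens the block we want.
            in_block = line.strip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: (SHA256, Size)} for every stanza in a Packages index."""
    result = {}
    for stanza in packages.decode().strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def verify(data: bytes, expected: tuple) -> bool:
    """Check both the recorded size and the SHA256 digest of a downloaded file."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def check_chain(release: bytes, packages_path: str, packages: bytes,
                deb_path: str, deb: bytes) -> str:
    """Release -> Packages -> .deb. Assumes the Release signature already verified."""
    rel = parse_release_sha256(release)
    if packages_path not in rel or not verify(packages, rel[packages_path]):
        return "Packages index does not match signed Release"
    pkgs = parse_packages(packages)
    if deb_path not in pkgs or not verify(deb, pkgs[deb_path]):
        return "package file does not match Packages index"
    return "ok"


if __name__ == "__main__":
    print(check_chain(RELEASE, PACKAGES_PATH, PACKAGES, DEB_PATH, DEB_BYTES))
    # A single flipped byte in the .deb breaks the chain at the last link.
    print(check_chain(RELEASE, PACKAGES_PATH, PACKAGES, DEB_PATH, DEB_BYTES + b"x"))
```

The point the example makes is that the checksums are only as trustworthy as the signature on Release: a mirror that can rewrite Release can rewrite every hash beneath it, which is why the NO_PUBKEY warning above matters even though the hashes still "verify".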