Is Ubuntu's archive signing key available via HTTPS somewhere?
The keys are available in the ubuntu-keyring package. So, as with any Ubuntu package, you can download it from Launchpad, which does provide HTTPS (pick a suitable release and download the tarballs or deb files as needed).
As it happens, you can get GnuPG2 to import the keys over HKPS (HKP with SSL), so it's possible to --recv-keys securely, but the process is a bit annoying. To use HKPS, we need to:
- tell dirmngr to use an HKPS keyserver
- tell dirmngr where the CA Certificates are
- get the keys via gpg2 instead of gpg - the apt-key command calls gpg, and gpg doesn't seem to support HKPS (at any rate, it tries to execute /usr/lib/gnupg/gpgkeys_hkp which fails with an unsupported protocol error)
- export the key and import it with sudo apt-key add
HKPS and dirmngr
Ideally, we're supposed to use gpgconf to set configuration options for dirmngr and gpg2. But gpgconf doesn't understand one option we use, --hkp-cacert for dirmngr. So we might as well do it all manually.
First, let's create a symbolic link to /etc/ssl/certs/ca-certificates.crt because dirmngr wants a PEM extension:
ln -s /etc/ssl/certs/ca-certificates.crt ~/.ca-certs.pem
Edit ~/.gnupg/dirmngr.conf (create if necessary) and add these two options to it:
keyserver hkps://keyserver.ubuntu.com
hkp-cacert ~/.ca-certs.pem
Kill dirmngr if necessary:
pkill dirmngr
Import key with GnuPG2
With the dirmngr options set, this is simple:
$ gpg2 --verbose --recv-keys 0xBA6932366A755776
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: data source: https://cassava.canonical.com:443
gpg: armor header: Version: SKS 1.1.6
gpg: armor header: Comment: Hostname: keyserver.ubuntu.com
gpg: pub rsa4096/6A755776 2017-07-29 Launchpad PPA for deadsnakes
gpg: key 6A755776: "Launchpad PPA for deadsnakes" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Yay!
Add key to apt
Another simple step:
$ gpg2 --export 0xBA6932366A755776 | sudo apt-key add
OK
Optionally, we can now delete the added key from the user keyring, since it's unlikely to be needed again:
$ gpg2 --delete-keys 0xBA6932366A755776
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/6A755776 2017-07-29 Launchpad PPA for deadsnakes
Delete this key from the keyring? (y/N) y
These steps are not difficult to automate.
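The steps of this answer put into one script, as an added example that is not part of the original answer. It assumes gpg2, dirmngr and apt-key are installed, and that the caller supplies the full 40-hex fingerprint they already trust for the key (a placeholder in the usage line), so the fetched key is checked against it before it is handed to apt-key:

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes gpg2, dirmngr and apt-key
# are installed; the expected fingerprint is caller-supplied (placeholder below).
set -eu

KEYSERVER="hkps://keyserver.ubuntu.com"
CACERT="${HOME:-/root}/.ca-certs.pem"

# Only hkps:// gets TLS; a plain hkp:// URL would fetch unauthenticated, so refuse it.
require_hkps() {
    case "$1" in
        hkps://*) return 0 ;;
        *) echo "refusing non-HKPS keyserver: $1" >&2; return 1 ;;
    esac
}

# The two dirmngr.conf options the answer adds by hand.
dirmngr_conf_lines() {
    printf 'keyserver %s\nhkp-cacert %s\n' "$1" "$2"
}

# Accept a 16-hex long key id or a 40-hex fingerprint, with or without 0x, and print
# it uppercased without the prefix. 8-hex short ids are rejected: they are cheap to collide.
normalize_keyid() {
    _id=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$_id" in *[!0-9A-F]*|'') return 1 ;; esac
    [ ${#_id} -eq 16 ] || [ ${#_id} -eq 40 ] || return 1
    printf '%s\n' "$_id"
}

# Configure dirmngr, fetch over HKPS, compare the full fingerprint, then hand the key to apt.
fetch_and_install() {
    keyid=$(normalize_keyid "$1")
    expected=$(normalize_keyid "$2")
    [ ${#expected} -eq 40 ] || { echo "second argument must be a full fingerprint" >&2; return 1; }
    require_hkps "$KEYSERVER"
    [ -e "$CACERT" ] || ln -s /etc/ssl/certs/ca-certificates.crt "$CACERT"
    mkdir -p "${HOME:-/root}/.gnupg" && chmod 700 "${HOME:-/root}/.gnupg"
    dirmngr_conf_lines "$KEYSERVER" "$CACERT" > "${HOME:-/root}/.gnupg/dirmngr.conf"
    pkill dirmngr || true                       # make dirmngr reread its config
    gpg2 --batch --recv-keys "0x$keyid"
    got=$(gpg2 --with-colons --fingerprint "0x$keyid" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$got" = "$expected" ] || { echo "fingerprint mismatch: got $got" >&2; return 1; }
    gpg2 --export "0x$keyid" | sudo apt-key add -
    gpg2 --batch --yes --delete-keys "$expected"  # no longer needed in the user keyring
}

# Usage: ./hkps-apt-key.sh 0xBA6932366A755776 <FULL-40-HEX-FINGERPRINT-PLACEHOLDER>
if [ $# -eq 2 ]; then fetch_and_install "$1" "$2"; fi
```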
I suggest you use "gpg --recv-keys"; apt will then confirm the key.
How apt uses Release.gpg
Secure apt always downloads Release.gpg files when it's downloading Release files, and if it cannot download the Release.gpg, or if the signature is bad, it will complain, and will make note that the Packages files that the Release file points to, and all the packages listed therein, are from an untrusted source. Here's how it looks during an apt-get update:
W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
See http://wiki.debian.org/SecureApt and http://wiki.debian.org/SecureApt#How_to_tell_if_the_key_is_safe