How to get apt-get source verification working?
Example (Using Debian Wheezy):
sudo apt-get source hello
Result:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Need to get 705 kB of source archives.
Get:1 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (dsc) [1287 B]
Get:2 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (tar) [697 kB]
Get:3 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (diff) [6598 B]
Fetched 705 kB in 8s (80.6 kB/s)
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Wed Feb 13 10:30:20 2013 UTC using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.8-3.dsc
dpkg-source: info: extracting hello in hello-2.8
dpkg-source: info: unpacking hello_2.8.orig.tar.gz
dpkg-source: info: unpacking hello_2.8-3.debian.tar.gz
The dpkg-dev and debian-keyring packages are already installed.
I tried running apt-get source as a user and as root, and ran "gpg --recv-keys 9F1B8B32" beforehand, both as a user and as root. Nothing helped to get the downloaded sources verified.
How can I get rid of this "dpkg-source: warning: failed to verify signature" warning?
Solution 1:
Do
apt-get install debian-keyring
to install all Debian developer keyrings. It would check after that.
Solution 2:
It is debian-keyring you want (the .dsc file being checked is signed by the maintainer), but installing debian-keyring still leaves some plumbing to be done to make gpg consider the developer keys (automatically considering them would be a can of worms, which is presumably why the plumbing isn't done as part of post-install).

If it's a one-off, recheck the .dsc after the fetch using:
gpg --keyring /usr/share/keyrings/debian-maintainers.gpg --verify *.dsc

If you'll be grabbing several, add:
keyring /usr/share/keyrings/debian-maintainers.gpg
to your ~/.gnupg/gpg.conf; from then on, gpg (and gpgv) will consider the developer/maintainer keys for signature verification. (If you're paranoid, you could use /usr/share/keyrings/debian-keyring.gpg, which includes full developers but not maintainers.)

Neither approach will make the keys be considered valid, but that's probably what you want: if you obtained debian-keyring with a sanely configured apt-get/aptitude and that package's signature was checked, you can have reasonable confidence that the keys in there really belong to the developers/maintainers.
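A stand-alone wrapper around the recheck Solution 2 describes, added here as an example and not taken from either answer: it points gpgv directly at the keyrings the debian-keyring package installs, so nothing under ~/.gnupg has to change, and it turns the outcome into an exit code a build script can act on. The function name, the exit-code scheme and the keyring paths used as defaults are assumptions (the two paths are the ones named in the answer).

```sh
#!/bin/sh
# Verify a Debian .dsc against explicit keyrings with gpgv, bypassing
# ~/.gnupg entirely (no gpg.conf edit, no trustedkeys.gpg needed).
# Exit codes: 0 good signature; 1 bad or unverifiable signature;
#             2 gpgv not installed; 3 missing .dsc or no readable keyring.
verify_dsc() {
    dsc=$1
    shift
    [ -f "$dsc" ] || { echo "verify_dsc: no such file: $dsc" >&2; return 3; }
    command -v gpgv >/dev/null 2>&1 || { echo "verify_dsc: gpgv not installed" >&2; return 2; }
    # Default to the two keyrings the debian-keyring package installs (assumed paths).
    [ $# -gt 0 ] || set -- /usr/share/keyrings/debian-keyring.gpg \
                           /usr/share/keyrings/debian-maintainers.gpg
    # Rebuild "$@" as --keyring options, dropping keyrings that are not
    # readable: gpgv aborts outright on a missing keyring file.
    n=0
    for kr in "$@"; do
        shift
        if [ -r "$kr" ]; then
            set -- "$@" --keyring "$kr"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ] || { echo "verify_dsc: no readable keyring; install debian-keyring" >&2; return 3; }
    # gpgv writes its verdict to stderr; capture both streams to classify it.
    if out=$(gpgv "$@" "$dsc" 2>&1); then
        printf '%s\n' "$out" | grep 'Good signature'
        return 0
    fi
    printf '%s\n' "$out" >&2
    case $out in
        *"public key not found"*)
            echo "verify_dsc: signer's key is in none of the keyrings given" >&2 ;;
        *"BAD signature"*)
            echo "verify_dsc: BAD signature; do not build from this source" >&2 ;;
    esac
    return 1
}

# Usage: sh verify_dsc.sh hello_2.8-3.dsc [keyring ...]
if [ $# -gt 0 ]; then
    verify_dsc "$@"
fi
```

Run it on the .dsc left behind by apt-get source; a non-zero exit is the signal to stop the build rather than just warn, which is what dpkg-source does by default.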