How do I bypass/ignore the gpg signature checks of apt?
Solution 1:
Pass the --allow-unauthenticated
option to apt-get
as in:
sudo apt-get --allow-unauthenticated upgrade
From tha manual page of apt-get
:
--allow-unauthenticated
Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.
You can make this setting permanent by using your own config file at /etc/apt/apt.conf.d/
dir. The filename can be 99myown
and it may contain this line:
APT::Get::AllowUnauthenticated "true";
In this way, you don't need to use the option every time you want to install software. Note: I do not recommend setting this option by default, it bypasses signature checks that could allow an adversary to compromise your computer.
Solution 2:
If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.
The below script is not recommended if you can install the keys from a keyserver or download them from a trusted source via https, but if you don't have ANY other way, you can use this.
echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list
sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update
## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`
apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname
## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed
apt-get update
apt-get install somepkg-from-repo
I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6
and avoid all the extra package hassles.
Solution 3:
Maybe you can try to create the file /etc/apt/apt.conf (it will be read if you create it) and insert this code:
APT{Ignore {"gpg-pubkey"; }};