How to get apt-get source verification working?

Question

Example (Using Debian Wheezy):

sudo apt-get source hello

Result:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Need to get 705 kB of source archives.
Get:1 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (dsc) [1287 B]
Get:2 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (tar) [697 kB]
Get:3 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (diff) [6598 B]                                                               
Fetched 705 kB in 8s (80.6 kB/s)                                                                                                              
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Wed Feb 13 10:30:20 2013 UTC using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.8-3.dsc
dpkg-source: info: extracting hello in hello-2.8
dpkg-source: info: unpacking hello_2.8.orig.tar.gz
dpkg-source: info: unpacking hello_2.8-3.debian.tar.gz

The dpkg-dev and debian-keyring package is already installed.

I tried running apt-get source as user, as root, used "gpg --recv-keys 9F1B8B32" beforehand as user and as root. Nothing helped to get the downloaded sources verified.

How can I get rid of this "dpkg-source: warning: failed to verify signature" warning?

try it with `gpg --keyserver keyring.debian.org --recv-keys 9F1B8B32`? — Angs, Aug 01 '13 at 17:58
Worked for me with apt-get source hello-debhelper, and I was root in root dir. — ling, Dec 01 '14 at 21:02

score 10 · Answer 1 · answered Aug 01 '13 at 18:11

10

do

apt-get install debian-keyring

to install all debian developer keyrings. It would check after that.

answered Aug 01 '13 at 18:11

Matija Nalis

2,616
16
24

The dpkg-dev and debian-keyring package is already installed. Edited the original question with that information. – user28464 Aug 01 '13 at 18:18
@user28464 that is most strange, can you try "apt-get update; apt-get install --reinstall debian-keyring"? what does "ls -l /usr/share/keyrings" return? – Matija Nalis Aug 01 '13 at 19:32
Unfortunately, it must read `apt-get install debian-keyring/sid` to work most of the time. – Tino Mar 08 '15 at 05:55
1

This (without /sid) worked for me on Debian Jessie – JinnKo Jun 08 '15 at 20:09

score 2 · Answer 2 · answered May 17 '14 at 16:46

It is debian-keyring you want (the .dsc file being checked is signed by the maintainer) but installing debian-keyring still leaves some plumbing to be done to make gpg consider the developer keys (automatically considering them would be a can of worms, which is presumably why the plumbing isn't done as part of post-install).

If it's a one-off, recheck the .dsc after the fetch using:

gpg --keyring /usr/share/keyrings/debian-maintainers.gpg --verify *.dsc

If you'll be grabbing several, add:

keyring /usr/share/keyrings/debian-maintainers.gpg

to your ~/.gnupg/gpg.conf; from then on, gpg (and gpgv) will consider the developer/maintainer keys for signature verification. (If you're paranoid, you could use /usr/share/keyrings/debian-keyring.gpg which includes full developers but not maintainers.)

Neither approach will make the keys be considered valid, but that's probably what you want — if you obtained debian-keyring with a sanely configured apt-get/aptitude and that package's signature was checked, you can have reasonable confidence that the keys in there really belong to the developers/maintainers.

Isn't it that `apt-get source` uses `dscverify` to check signatures? `squeeze`'s manpage for `dscverify` lists `/usr/share/keyrings/debian-maintainers.gpg` as one of the places to search for the debian keyring. — x-yuri, Jun 07 '15 at 09:07

score 0 · Answer 3 · answered Mar 08 '15 at 05:53

The important detail missing here is that you need the keyring from sid, not the keyring from stable, because only sid's keyring carries all the developers. Notice the /sid in next line:

apt-get install debian-keyring/sid

To get sid you usually need a line like following in /etc/apt/source.list:

deb http://http.debian.net/debian/ sid main

(And don't forget to apt-get update afterwards.)

But beware! If sid sits in your sources.list your system tends to morph into sid against your will. To prevent that, add a line to /etc/apt/apt.conf which looks like:

APT::Default-Release "stable";

(There are gazillions of other ways to prevent sid, this one is the most easy one I know.)

Notes:

Clue to this solution was found at http://debian.distrosfaqs.org/debian-user/signature-of-wheezys-linux-source-package/
Before I found this I stumbled upon thousands of pages telling you to simply fetch the missing key from a keyserver: Never do such a stupid thing to verify a signature! If a MitM was able to send you a faked package, the same one is able to send you a faked answer of the keyserver as well. Hence a key pulled from a keyserver just is plain snakeoil. (And in a security context believing in "snakeoil" is the probably most stupid thing you can do.)

score 0 · Answer 4 · edited Apr 13 '17 at 12:14

0

Judging from "gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error" line, you must be running into gpg's bug. In the end apt-get source runs gpg with --no-option switch. Which fails if no homedir (~/.gnupg) exists. One can remedy this with: gpg -k. More details here.

edited Apr 13 '17 at 12:14

Community

1

answered Jun 07 '15 at 07:21

x-yuri

297
2
5
14

How to get apt-get source verification working?

4 Answers4