1

When I install [email protected] and [email protected] in my Debian Jessie docker image with

apt-get install -y software-properties-common && \
add-apt-repository 'deb http://archive.ubuntu.com/ubuntu trusty universe' && \
apt-get install -y mysql-server-5.6 mysql-client-5.6

I see the following warning

W: GPG error: http://archive.ubuntu.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32

Not sure if adding keys manually with 

  apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5 && \
  apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32

is a stable solution. I've read somewhere that GPG keys could be changed when the repository gets updated (please correct me if I am wrong). Also a GPG key could be installed from a package repository URL like this:

curl -sL http://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -

So I have the following sub-questions there:

  1. Do all package repositories that require keys have an URL that serves public GPG keys?
  2. Is there any format for such URL?
Improve this question

2 Answers 2

Reset to default
1

You are trying to install a package from ubuntu repository on debian, but Debian doesn't have ubuntu keys. Adding a new repository require a trusted gpg key allowing the packages to be authenticated.

Only 3rd part repository require a new gpg key, or in case of a key replacement.

add-apt-repository will add a new repository and add the gpg key.

man add-apt-repository:

  In  the second form, ppa:<user>/<ppa-name> will be expanded to the full
   deb  line  of  the  PPA  and   added   into   a   new   file   in   the
   /etc/apt/sources.list.d/  directory.   The  GPG public key of the newly
   added PPA will also be downloaded and added to apt's keyring.

On debian jessie you don't need to add Ubuntu repository, it is available through the security repository.

Remove the trusty repoitory , then add the following line to your /etc/apt/sources.list:

deb http://security.debian.org/debian-security jessie/updates main

then run:

sudo apt update
sudo apt install mysql-server-5.5

Debian: secure apt

Improve this answer
1
1

In this case, you do indeed have a stable answer. It's referenced in the "official" documentation (https://help.ubuntu.com/community/VerifyIsoHowto#Get_the_key)

In your case you are referencing a "trusted" (by you) keyserver (keyserver.ubuntu.com) and requesting keys by the specific IDs (40976EAF437D05B5 & 3B4FE6ACC0B21F32). Retrieving the keys in this manner allows for the administrators of the Ubuntu infrastructure to handle updates without your intervention. Using the key IDs is actually referencing a cryptographic hash of the key itself.

The only possible improvement I would make is using the "full" key ID which allows for an even more precise retrieval and would necessitate an even more committed attacker.

It should be noted though that the gpg version of the command in the documentation above is for adding the same key to your user keyring so that you can use the key for verification. The apt-key command is adding the key to the apt keyring so that the system can use the key for verification.

As to the sub-questions:

Do all package repositories that require keys have an URL that serves public GPG keys? and Is there any format for such URL?

No. Not all repositories (deb/apt, rpm/yum/dnf) post their keys via a specific "well known" URL. As many of the mechanisms for key retrieval are built into the respective package management system it's left up to that tooling. The one note there is that in the case of RPM based systems, Yum and DNF specify metadata in the repository definition to make it easier for the administrator, but is is not a requirement for use nor is the URI path standardized.

As an aside the process for doing this may get ratified in the future as RFC 5785 and RFC 8615 are now "a thing" but would be a future improvement.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.