Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY

Solution 1:

Can anyone break the cycle for me?

You are basically just experiencing the standard bootstrapping problem for public key cryptography.

There are many places you can download the public keys for the various archives, but frequently they are not provided over HTTPS, and any checksum files are delivered from the same location.

That wiki link you provided links off to https://ftp-master.debian.org/keys.html which provides a copy of the keys you can download over SSL. The problem of course is that the cert for ftp-master.debian.org is signed by ca.debian.org, which is not distributed with the most common web browsers.

You basically just have to find a way to get a copy of debian-archive-keyring, or the current key, from a system that you trust, and then install it onto your system. If you are really paranoid, you might have to grab a copy of the archive, and have someone else grab a copy from another mirror on a different computer over a different network. Then compare the checksums.

If you are not extremely paranoid, or in a high security environment, then just let apt-get install debian-archive-keyring install, and ignore the warning.

It would take a lot of effort for someone to set up a MITM between you and some random http.us.debian.org mirror. Once they did that, they would have to build their own custom debian-archive-keyring package including their evil key in addition to the standard keys. Then they would have to rebuild some packages to force you to install something evil onto your system. The effort involved would not be trivial.

Debian generally does a pretty good job adding keys that will be used to sign the packages in the future to the debian-archive-keyring package. That is one package that you really want to keep up to date. That way, you will have the keys installed before they are used for signing things, and you won't have this problem in the future.
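The comparison described in Solution 1 (two parties fetch the package from different mirrors over different networks, then compare checksums), written out as an added example that is not part of the original answer. The function names are made up for illustration; it assumes GNU sha256sum and that the copies are already saved locally.

```shell
#!/bin/sh
# Added example: compare independently obtained copies of a keyring package.
# Nothing here downloads anything; pass in files you already saved, e.g.
#   copies_agree mine.deb from-friend.deb

# Print the SHA-256 digest (hex only) of one file.
digest_of() {
    sha256sum -- "$1" | cut -d ' ' -f 1
}

# copies_agree FILE FILE [FILE...]
# 0 = all copies hash the same, 1 = mismatch, 2 = too few / unreadable / empty.
copies_agree() {
    if [ "$#" -lt 2 ]; then
        echo "need at least two independently fetched copies" >&2
        return 2
    fi
    ref=""
    for f in "$@"; do
        # An empty or missing file must never count as "agreeing".
        if [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 2
        fi
        d=$(digest_of "$f") || return 2
        echo "$d  $f"
        if [ -z "$ref" ]; then
            ref=$d
        elif [ "$d" != "$ref" ]; then
            echo "MISMATCH: $f differs from $1" >&2
            return 1
        fi
    done
    return 0
}

# matches_reported FILE DIGEST
# Compare a local copy with a digest read to you over another channel
# (phone, paper); tolerates spaces and upper-case hex in the reported value.
matches_reported() {
    want=$(printf '%s' "$2" | tr -d ' \n' | tr 'A-F' 'a-f')
    [ "${#want}" -eq 64 ] || { echo "not a SHA-256 digest" >&2; return 2; }
    [ "$(digest_of "$1")" = "$want" ]
}
```

Agreement only shows that both paths delivered the same bytes, so the check is worth as much as the independence of the two paths.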

Solution 2:

Your problem is that you didn't install debian-keyring as well. Simply run the following:

apt-get install debian-keyring
apt-get install debian-archive-keyring

That's it.


Solution 3:

Debian - Apt-get : NO_PUBKEY / GPG error

In computers based on a Debian operating system that uses the Linux kernel, error messages may come up like 'NO_PUBKEY'. This happens while using the Apt-Get command line tool and this error is associated with the tool's update feature. The new feature in the Apt-Get package management tool guarantees the authenticity of the server before updating the Debian OS. That's why the error 'NO_PUBKEY' pops up. This problem can be solved by keying in the appropriate commands.

Simply type the following commands, taking care to replace the number below with that of the key that was displayed in the error message:

gpg --keyserver pgpkeys.mit.edu --recv-key AED4B06F473041FA
gpg -a --export AED4B06F473041FA | sudo apt-key add -

Solution 4:

Two things:

  1. Your sources.list file may be incorrect; are you sure those are the right lines for those repos?

  2. You'll have to manually locate the Release.gpg files on those repos and update the keyring:

wget -q http://backports.debian.org/debian-backports/dists/squeeze-backports/Release.gpg -O - | apt-key add -

You might be playing with fire by mixing lenny with the stable repo.