How do I bypass/ignore the gpg signature checks of apt?

Pass the --allow-unauthenticated option to apt-get as in:

sudo apt-get --allow-unauthenticated upgrade

From tha manual page of apt-get:

--allow-unauthenticated
Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.

You can make this setting permanent by using your own config file at /etc/apt/apt.conf.d/ dir. The filename can be 99myown and it may contain this line:

APT::Get::AllowUnauthenticated "true";

In this way, you don't need to use the option every time you want to install software. Note: I do not recommend setting this option by default, it bypasses signature checks that could allow an adversary to compromise your computer.


If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.

The below script is not recommended if you can install the keys from a keyserver or download them from a trusted source via https, but if you don't have ANY other way, you can use this.

echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update

## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed

apt-get update
apt-get install somepkg-from-repo

I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.


Maybe you can try to create the file /etc/apt/apt.conf (it will be read if you create it) and insert this code:

APT{Ignore {"gpg-pubkey"; }};

Tags:

Gnupg

Apt