What is a repository key under Ubuntu and how do they work?
I found a nice explanation from Ubuntu Community Help Wiki.
- What are Repositories?
"Authentication keys" are usually obtained from the maintainer of the software repository. The maintainer will often place a copy of the authentication key on a public key server such as www.keyserver.net. The key can then be retrieved using the command.
Apt Authentication
Apt-get
package management uses public key cryptography to authenticate downloaded packages.
- Debian does an excellent job of explaining Secure apt on this wiki page.
What follows is a short summary of the key acquisition and verification process gleaned from Debian's wiki page.
Basic Concepts Public key cryptography is based on pairs of keys, a
public key
and aprivate key
. Thepublic key
is given out to the world; theprivate key
must be kept a secret. Anyone possessing the public key can encrypt a message so that it can only be read by someone possessing the private key. It's also possible to use a private key to sign a file, not encrypt it. If a private key is used to sign a file, then anyone who has the public key can check that the file was signed by that key. No one who doesn't have the private key can forge such a signature.gpg (GNU Privacy Guard) is the tool used in secure apt to sign files and check their signatures.
apt-key is a program that is used to manage a keyring of gpg keys for secure apt. The keyring is kept in the file
/etc/apt/trusted.gpg
(not to be confused with the related but not very interesting/etc/apt/trustdb.gpg
). apt-key can be used to show the keys in the keyring, and to add or remove a key.Each time you add another apt repository to
/etc/apt/sources.list
, you'll also have to give apt its key if you want apt to trust it. Once you have obtained the key, you can validate it by checking the key's fingerprint and then signing this public key with your private key. You can then add the key to apt's keyring withapt-key add <key>
You need repository keys so you can validate you got the package from the person you think you're getting it from.
It's to keep people from injecting bad packages into your updates.
You should add repository keys whenever you can.