Fight for the Internet 1!

Tuesday, April 10, 2012

Debian 5.0 Package Authentication

I've got a GNU Linux Debian 5.0 machine here. It's a Western Digital "MyBookLive" sort of machine. Network storage and media device. Have some nice features and runs Linux under the hood. You can log in with SSH and use the command line. I decided this machine needed to be updated with the latest security patches, since I'm use sure it hasn't happened in a long time.

When running the apt-get update command, I get this warning:
WARNING: GPG error: http://ftp.us.debian.org squeeze Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA

"WARNING: The following packages cannot be authenticated!" http://ftp.us.debian.org/debian/
The solution to this is to add the appropriate 'apt-keys' to allow for package digital signature verification. You can do this in Ubuntu as well, since it uses the Debian Package system. (Debian's apt system is one of my favorite features of the distro and all it's derivatives.) You use the program gpg to download the relevant key, fingerprint it, and export it into your armory while adding it as an apt-key.
gpg --keyserver keyserver.ubuntu.com --recv AED4B06F473041FA
gpg --fingerprint AED4B06F473041FA
gpg --export --armor AED4B06F473041FA | sudo apt-key add -
Interesting I don't actually KNOW any Debian Key-server addresses, so I had to use an Ubuntu one, but I knew they would have it. Do this and your package authentication should work.

UPDATE: I discovered the updates I was trying to apply didn't work. Had an unusual error when trying to unpack the dpkg_1.15.8.12_powerpc.deb file. So I went through the web-interface to the device and tried to update there. Fixed the problem, but in an unexpected way. It seemed to roll the system back to previous set-point. Still, fixed my problem, and undid every change I made. I'm not complaining, since it did restore the system to proper working order. I'm not sure if my tweaks were what caused this or not. It even reset my SSHD configurations. (Should always use a non-standard port and limit allowed your users.)

Still, using the above solution does allow me to authenticate any new packages I want to install.