I have read the following article: How do I bypass/ignore the gpg signature checks of apt?
It outlines how to configure apt to not check the signatures of packages at all.
However, I'd like to limit the effect of this setting to a single (in this case locally hosted) repository.
That is: all official repositories should use the GPG signature check as usual, except for the local repo.
How would I go about doing that?
Failing that, what would be the advantage (security-wise) of signing the packages during an automated build (some meta-packages and a few programs) and then doing all that secure apt prescribes? After all, the host with the repo would then also be the one on which the secret GPG key resides.
Best Answer
You can set options in your sources.list:
The trusted option is what turns off the GPG check. See man 5 sources.list for details.
Note: this was added in apt 0.8.16~exp3. So it's in wheezy (and of course jessie), but not squeeze.
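As an added example (not part of the original answer), the shape of the sources.list entries the answer refers to, with the trusted option applied only to the local repository, plus a small check that the option has not been placed on any other entry; the repository URLs and suite name are assumptions:

```shell
#!/bin/sh
# Added example, not from the original answer. It emits the kind of
# sources.list fragment the answer refers to and adds a check that the
# trusted=yes option is scoped to one locally hosted repository only.
# Assumptions (constructed): the local repo lives at LOCAL_REPO_URL and the
# mirror hostnames below stand in for whatever official entries you use.

LOCAL_REPO_URL="http://localhost/debian"

# Emit the sources entries: official repositories keep the usual GPG
# verification; only the locally hosted one carries [trusted=yes].
sources_fragment() {
    cat <<EOF
deb http://deb.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
deb [trusted=yes] ${LOCAL_REPO_URL} wheezy main
EOF
}

# Return 0 when every entry carrying trusted=yes in the given file points at
# LOCAL_REPO_URL, and 1 otherwise. Run it over /etc/apt/sources.list and
# /etc/apt/sources.list.d/*.list to catch an official repo that was marked
# trusted by mistake, since that would silently disable verification for it.
trusted_only_local() {
    ! grep -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1" \
        | grep -v -F "$LOCAL_REPO_URL" | grep -q .
}

# Usage: write the fragment and verify it before handing it to apt.
# sources_fragment > /etc/apt/sources.list.d/local.list
# trusted_only_local /etc/apt/sources.list.d/local.list && apt-get update
```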