APT – Bypass GPG Signature Checks for Single Repository

aptrepository

I have read the following article: How do I bypass/ignore the gpg signature checks of apt?

It outlines how to configure apt to not check the signatures of packages at all.

However, I'd like to limit the effect of this setting to a single (in this case locally hosted) repository.

That is: all official repositories should use the GPG signature check as usual, except for the local repo.

How would I go about doing that?

Failing that, what would be the advantage (security-wise) of signing the packages during an automated build (some meta-packages and a few programs) and then doing all that secure apt prescribes? After all the host with the repo would then also be the one on which the secret GPG key resides.

Best Answer

You can set options in your sources.list:

deb [trusted=yes] http://localmachine/debian wheezy main

The trusted option is what turns off the GPG check. See man 5 sources.list for details.

Note: this was added in apt 0.8.16~exp3. So it's in wheezy (and of course jessie), but not squeeze.

Related Solutions

Debian – Why is there no https transport for debian apt tool

There is. You need to install the package apt-transport-https. Then you can use lines like

 deb https://some.server.com/debian stable main

in your sources.list file. But usually that's not necessary, since the entire content is public anyway and it adds encryption overhead and latency. Since you don't trust an attackers public key, even http traffic is safe from MitM attacks. apt will warn you and fail to install the packages when an attacker injects manipulated packages.

EDIT: As mentioned in the comments it is indeed more secure to use the TLS repository. Research shows that using apt on unencrypted repositories can indeed pose a security risk as the HTTP transport is vulnerable to replay attacks.

Debian 9, APT, and “GPG error: … InRelease: The following signatures were invalid:”

The cause of the problem is that with no update to the Debian wiki or other similar doco, and pretty much only a couple of largely Ubuntu-related announcements on a non-Debian personal WWW site, support for keys that state a preference for SHA-1 encryption has been turned off in APT as of Debian 9. (Specifically, it was turned off in APT version 1.4~beta1, and Debian 9 has version 1.4.7.)

So a repository publisher needs to do two things:

Adjust the personal-digest-preferences and personal-cipher-preferences in $HOME/.gnupg/gpg.conf to eliminate SHA-1 from one's GPG preferences. This prevents the problem coming back with new keys.
Adjust the preferences that are contained in the current repository signing key to eliminate SHA-1 from there too. For that one needs to:
- Run
```
gpg --edit-key "${key_fingerprint}"
```
  substituting the appropriate key fingerprint, then edit the key preferences with the pref and setpref commands, then save the key to the keyring.
- Export the public key of the updated key from the keyring to a file.
- Re-sign the repository with the modified signing key.
- Publish the updated signing key's public key file.

Note that it is not necessary to generate a new signing key, and that the updated key with SHA-1 removed will continue to interoperate with the older Debian 8 APT.

Best Answer

Related Solutions

Debian – Why is there no https transport for debian apt tool

Debian 9, APT, and “GPG error: … InRelease: The following signatures were invalid:”

Further reading

Related Question