Debian中SecureApt的使用

自apt 0.6开始, debian使用一种强加密算法用来验证下载到的软件包. 这一功能通常被称为安全apt(secure apt), 如果不添加任何公钥, 安装或升级软件包时会有如下提示:

root@guoliang:~# apt-get install zip Reading package lists... Done Building dependency tree... Done The following NEW packages will be installed   zip 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0B/107kB of archives. After unpacking 213kB of additional disk space will be used. WARNING: The following packages cannot be authenticated!   zip Install these packages without verification [y/N]? n E: Some packages could not be authenticated

表示系统无法验证这个软件包. 要想验证这个软件包, 则需要安装debian的公钥, 过程如下:

下载文件http://ftp-master.debian.org/ziyi_key_2006.asc, 用apt-key命令安装.

root@guoliang:~/zip# wget http://ftp-master.debian.org/ziyi_key_2006.asc --14:10:58--  http://ftp-master.debian.org/ziyi_key_2006.asc            => `ziyi_key_2006.asc' Connecting to 172.168.1.200:8000... connected. Proxy request sent, awaiting response... 200 OK Length: 2,017 (2.0K) [text/plain] 100%[==================================================================================================>] 2,017         --.--K/s              14:11:00 (71.24 MB/s) - `ziyi_key_2006.asc' saved [2017/2017] root@guoliang:~/zip# apt-key add ziyi_key_2006.asc OK root@guoliang:~/zip#

也可以使用gpg特有的方式, 从key server上下载这个共钥, 然后安装, 命令如下:

gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F gpg -a --export 2D230C5F | sudo apt-key add -

运行这个命令需要你的linux机器直接或者使用nat方式连接到互连网, 而不是使用代理. 安装共钥后可以使用apt-key list查看当前系统持有的共钥

root@guoliang:~# apt-key list /etc/apt/trusted.gpg -------------------- pub   1024R/1DB114E0 2004-01-15 [expired: 2005-01-27] uid                  Debian Archive Automatic Signing Key (2004) <[email protected]> pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31] uid                  Debian Archive Automatic Signing Key (2005) <[email protected]> pub   1024D/B5F5BBED 2005-04-24 uid                  Debian AMD64 Archive Key <[email protected]> sub   2048g/34FC6FE5 2005-04-24 pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07] uid                  Debian Archive Automatic Signing Key (2006) <[email protected]>

目前使用的公钥是2D230C5F, 到期日期为2007-02-07, 2007-02-07后还需要更换新的公钥. Debian的公钥有效期是1年, 也就是说没隔1年需要更换一次公钥.

安装公钥, 使用apt-get update更新apt源后, 再安装软件包的时候就不会有这些烦人的提示了

root@guoliang:~# apt-get install zip Reading package lists... Done Building dependency tree... Done The following NEW packages will be installed   zip 0 upgraded, 1 newly installed, 0 to remove and 60 not upgraded. Need to get 0B/107kB of archives. After unpacking 213kB of additional disk space will be used. debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process Selecting previously deselected package zip. (Reading database ... 63974 files and directories currently installed.) Unpacking zip (from .../archives/zip_2.32-1_i386.deb) ... Setting up zip (2.32-1) ...

参考资料
http://wiki.debian.org/SecureApt