Handling apt-key and add-apt-repository rejection using gpg to add external repositories in Ubuntu 22.04 | digital ocean (2023)

introduction

apt-claveis a utility for managing the keys that APT uses to authenticate packages. It is closely related to theadd-apt-repositoryUtility that adds external repositories to the list of trusted sources of an APT installation using keyservers. However, keys are addedapt-clavemiadd-apt-repositoryare trusted all over the worldappropriate. These keys are not limited to authorizing the single repository for which they were intended. Any key added this way can be used to authorize the addition of any other external repository, which is a major security issue.

As of Ubuntu 20.10, usingapt-claveissues a warning that the tool will be deprecated in the near future; also,add-apt-repositoryit will also be discarded soon. While these expiration notices do not strictly preclude the use ofapt-clavemiadd-apt-repositoryin Ubuntu 22.04 it is not recommended to ignore them.

Current best practice is to usegpginstead ofapt-clavemiadd-apt-repository, and in future versions of Ubuntu this will be the only option.apt-clavemiadd-apt-repositoryhave always acted as a wrapper, callinggpgin the back. Weargpgcut directly to the mediator. For this reason thegpgThe method is backwards compatible with Ubuntu and can be used as a replacement forapt-clave.

This tutorial describes two methods for using alternativesapt-clavemiadd-apt-repository, respectively First, an external repository with a public key is addedgpginstead of usingapt-clave. Second, as a supplement, this tutorial covers adding an external repository using a keyserver.gpgas an alternative to usingadd-apt-repository.

requirements

To complete this tutorial, you will need an Ubuntu 22.04 server. Be sure to set this up according to ourInitial server setup instructions for Ubuntu 22.04, with a notfuenteuser withsudoPrivileges and an enabled firewall.

Step 1 – Identify the key components and how

PGP, or Pretty Good Privacy, is a proprietary encryption program used to sign, encrypt, and decrypt files and directories. PGP files are public key files used in this process to authenticate repositories as valid sources withinappropriate. GPG or GNU Privacy Guard is an open source alternative to PGP. GPG files are usuallykey holder, which are files that contain multiple keys. Both file types are commonly used to sign and encrypt files.

gpgis the GPG command line tool for authorizing the use of external repositories withappropriate. However,gpgit only accepts GPG files. To use this command line tool with PGP files, you must convert them.

Elasticsearch represents a general key conversion scenario and is used as an example for this section. You download a PGP-formatted key and convert it to aappropriateFormat compatible with a.gpgfile extension. This is done by running thegpgcommand with the-LiberFlag. Then add the repository link to the package source list while adding a direct reference to your converted key. Finally, verify this process by installing the Elasticsearch package.

Projects that require adding repositories with key validation always provide a public key and a repository URI that represents its exact location. For our Elasticsearch example, theThe documentation specifies these components on its installation page..

These are the components of Elasticsearch:

• I like it:https://artifacts.elastic.co/GPG-KEY-elasticsearch
• Repository:https://artifacts.elastic.co/packages/7.x/apt Stable core

Next, you need to determine if you are going to get a PGP or GPG file to work with. You can view the key file by opening the URL withshirred ruffle:

shirred ruffle -fsSLhttps://artifacts.elastic.co/GPG-KEY-elasticsearch

This will produce the content of the key file, which starts with:

Salida
See Also
Install Docker Engine on Ubuntuapt-key is obsolete. How to add OpenPGP repository signing keys without them on Debian, Ubuntu, Linux Mint, Pop!_OS, etc.Take your development to the next level with DevPod - open source tool - Civo.comSet up static code analysis with SonarQube
-----START OF PGP PUBLIC KEY BLOCK-----. . .

AlthoughGPGin the URL, the first line indicates that it is indeed a PGP key file. note this becauseappropriateit only accepts the GPG format. Originally,apt-clavePGP files recognized and automatically converted to GPG when calledgpgin the back.paso 2covers manual conversion from PGP to GPG and what to do when conversion is not needed.

Step 2 – Download the key and convert it to aappropriateSupported file type

Asgpgmethod, you should always download the key before adding it to the package source list. before withapt-clave, this order was not always applied. Now you need to specify the path to the downloaded key file in your source list. Obviously, if you haven't downloaded the key, you can't point to an existing path.

With Elasticsearch, you're working with a PGP file, so convert it to a GPG file format after you download it. The following example usesshirred ruffleto download the key, directing the download to agpgDomain.gpgmeans with the-LiberFlag to convert the PGP key to a GPG file format, with-Öis used to display the output of the file.

and free or/usr/share/keychainsThe directory is the recommended location for your converted GPG files, as it is the default location where Ubuntu saves its keys. the file is calledelastic-7.x.gpgin this example, but any name will work:

shirred ruffle -fsSLhttps://artifacts.elastic.co/GPG-KEY-elasticsearch| sudogpg-Liber -Ö/usr/share/keyrings/elastic-7.x.gpg

This will convert the PGP file to the correct GPG format so that it can be added to the source list forappropriate.

shirred ruffle -fsSLhttps://artifacts.elastic.co/GPG-KEY-elasticsearch| sudo T-shirt/usr/share/keyrings/elastic-7.x.gpg

Step 3 – Add the repository to your list of package sources

With the key downloaded and in the correct GPG file format, you can add the repository toappropriatePackage the source by explicitly binding it to the key you received. There are three methods to achieve this, all related to howappropriatefind sources.appropriateextract sources from a centersources.listArchive,.Listfiles inSources.List.ddirectory and.Thosefiles inSources.List.dDirectory. While there is no functional difference between the three options, it is recommended that you consider all three options and choose the method that best suits your needs.

Option 1 - Add tosources.listImmediately

The first method is to paste a line representing the font directly into the/etc/apt/sources.list, the main file withappropriateSources. This file contains various fonts, including the default fonts that come with Ubuntu. Editing this file directly is perfectly acceptable, although Option 2 and Option 3 present a more modular solution that is easier to edit and maintain.

Open/etc/apt/sources.listcomnanoyour favorite text editor:

sudo nano/etc/apt/sources.list

Then add the external repository to the end of the file:

/etc/apt/sources.list

. . .deb [arch=amd64,arm64 asesinado por=/usr/share/keyrings/elastic-7.x.gpg] https://artifacts.elastic.co/packages/7.x/apt estable principal

This line contains the following information about the font:

• debt: This indicates that the source uses a regular Debian architecture.
• arco=amd64,brazo64Specifies the architectures for which the APT data will be downloaded. Here it isamd64mibraco64.
• firmado por=/usr/share/keyrings/elastic-7.x.gpg: This specifies the key used to authorize this source and here points to its.gpgfile saved in/usr/share/keychains. This part of the line must be included, whereas previously it was not required in theapt-claveMethod. This addition is the most important change in the portability ofapt-clave, since it binds the key to a single repository, it is allowed to authorize and fix the original vulnerabilityapt-clave.
• https://artifacts.elastic.co/packages/7.x/apt Stable core: This is the URI that specifies the exact location where the data can be found in the repository.
• /etc/apt/sources.list.d/elastic-7.x.list: This is the location and name of the new file to be created.
• /dev/null: This is used when issuing a command is not required. ShowT-shirtat this point there is no way out.

Save and exit by pressingFORCE+OSoFORCE+X.

Option 2 - Create a new one.Listpresent inSources.List.d

With this option, you create a new file in theSources.List.dDirectory.appropriatescan both this directory andsources.listfor additions to the repository. This method allows you to physically isolate the additions to the repository in separate files. If you later need to remove this addition or make changes, you can remove this file instead of editing the core file.sources.listArchive. Keeping your additions separate makes it easier to maintain and editsources.listit may be more error prone in a way that affects other repositories in the archive.

guide for itecologicalcommand in oneT-shirtCommand to create this new file and insert the appropriate line. the file is calledElastic-7.x.Listin the example below, but any name will work as long as it's a unique filename within the directory:

ecological "deb [arch=amd64,arm64 asesinado por=/usr/share/keyrings/elastic-7.x.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo T-shirt/etc/apt/sources.list.d/Elastic-7.x.List >/dev/null

This command is identical to manually creating the file and inserting the appropriate line of text.

Option 3 - Create a.Fuentespresent inSources.List.d

The third method writes to a.Fuentesfile instead of one.ListArchive. This method is relatively new and uses thedeb822multi-line format that is less ambiguous compared to theDebutante. . .statement, but it is functionally identical. Create a new file:

sudo nano/etc/apt/sources.list.d/elastic-7.x.sources

Then add the external repository usingdeb822Format:

/etc/apt/sources.list.d/elastic-7.x.sources

Digite: debArchitectures: amd64 arm64Signed-By: /usr/share/keyrings/elastic-7.x.gpgURIs: https://artifacts.elastic.co/packages/7.x/aptSuites: stableComponents: main

Save and exit after pasting the text.

This is analogous to the single line format, and a line-by-line comparison shows that the information in both is identical, just organized differently. Note that this format does not use commas when there are multiple arguments (for example, withamd64, brazo64) and use spaces instead.

Then verify this process by running a test installation.

Step 4 – Installing the package from the external repository

you have to callproper updateorderappropriatesee through mainsources.listfile and all.Listmi.Fuentesfiles insideSources.List.d. vocationinstall appWithout a previous update, this results in either an installation failure or an out-of-date default package being installedappropriate.

Update your repositories:

sudo appropriateUpdate

Then install your package:

sudo appropriate installlooking for elastic

At this stage, nothing changes regarding thisapt-claveMethod. Once this command completes, you are done with the installation.

Appendix: Adding an external repository using a keyserver

This section briefly explains how to use it.gpgusing a keyserver instead of a public key to add an external repository. The process is almost identical to the public key method, except howgpgis named.

add-apt-repositoryis the keyserver-based counterpart toapt-clave, and both are subject to devaluation. This scenario uses different components. Instead of a key and a repository, it gets a key server URL and a key ID. In that case, you can download from the keyserver directly to the.gpgformat without having to convert anything. Becauseadd-apt-repositorywill be deprecated soon, will use it insteadgpgto a file while overwriting the patterngpgBehavior when importing to an existing keychain.

Using the open source programming language R as an example, these are the specified components that can also be found inInstallation instructions on the official project page.:

• key server:keyserver.ubuntu.com
• ID da chave:E298A3A825C0D65DFD57CBB651716619E084DAB9
• Repository:https://cloud.r-project.org/bin/linux/ubuntu jammy-cran40/

First, download directly from the keyserver withgpg. Please note that this download command may take a while depending on the download traffic:

sudogpg--homedir/tmp --no-default-keyring--Key ring/usr/share/llaveros/R.gpg- key serverkeyserver.ubuntu.com --recv-claves E298A3A825C0D65DFD57CBB651716619E084DAB9

This command contains the following flags, which differ from usagegpgwith public key:

• --no-default-keyringcombined with--Key ringallows output to a new file instead of importing to an existing keyring, which is the default behavior ofgpgIn this stage.
• - key servercombined with--recv-keysit gives you the specific key and the location you are downloading from.
• --homediris used to replace thegpgDefault location to create temporary files.gpgyou must create these files to run the command otherwisegpgI will try to write/Fuentewhich causes a permissions error. Instead, this command places the temporary files in the appropriate directory./tmpDirectory.

Next, add the repository to a.ListArchive. This is done in exactly the same way as adding an external repository with a public key forward toecologicalcommand in oneT-shirtDomain:

ecological "deb [arch=amd64 asinado por =/usr/share/keyrings/R.gpg] https://cloud.r-project.org/bin/linux/ubuntu jammy-cran40/" | sudo T-shirt/etc/apt/sources.list.d/R.list>/dev/null

Then update your repository list:

sudo appropriateUpdate

Then you can install the package:

sudo appropriate installbase r

To usegpgAdding external repositories is similar between public keys and keyservers, except how you call themgpg.

Diploma

An external repository with a public key or a key server can be added viagpg, without useapt-claveoadd-apt-repositoryas intermediary. Use this method to make sure your process won't be deprecated in future Ubuntu releases like:apt-clavemiadd-apt-repositoryThey are deprecated and will be removed in a future release. Add external repositories withgpgensures that a key is only used to authorize a single repository the way you intended.