Differences
This shows you the differences between two versions of the page.
| — |
devuan-vua-expert1-devuan-repositorios [2017/05/28 18:03] (current) mckaygerhard created apt and repository management related tips page |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Devuan VUA: Repository APT and DEB tricks and tips ====== | ||
| + | ===== APT auto GPG checks updates ===== | ||
| + | |||
| + | Repositories for Devuan are signed with GPG keys that verify integrity. | ||
| + | |||
| + | The main repository archive when has to be signed by a new key, which your system does not know about, this behavior are management and notified by updating and upgrading the **devuan-keyring** and the **debian-archive-keyring** packages, and any warning will go away. | ||
| + | |||
| + | ===== APT bypass GPG checks ===== | ||
| + | |||
| + | Since secure apt was introduced, the gpg must not be bypassed due implicts a security risk, gpg check for integrity of files related, but some cases are special, so there two ambits for do that: | ||
| + | |||
| + | ==== 1) FOR REPOSIRORIES AS COMMON CASES: ==== | ||
| + | |||
| + | The repository pgp sign its the most used, the keys used to sign the main repository archive have changed a couple of times, so there's a option to bypass that checks if some gpg are still older, failed or missing: | ||
| + | |||
| + | Add this to the command: | ||
| + | |||
| + | -o Acquire::Check-Valid-Until=false | ||
| + | |||
| + | For example: | ||
| + | |||
| + | sudo apt-get -o Acquire::Check-Valid-Until=false update | ||
| + | |||
| + | This will allow to bypass the gpg if are expired or older, and still yet not refreshed. | ||
| + | |||
| + | ==== 2) FOR PACKAGES ONLY: ==== | ||
| + | |||
| + | There are **package signatures**, but are not widely used (we use secure apt instead for complete repositories), and there's a package called **debsig-verify** that checks for signatures embedded inside individual Debian packages. | ||
| + | |||
| + | Pass the --allow-unauthenticated option to apt-get as in: | ||
| + | |||
| + | sudo apt-get --allow-unauthenticated upgrade | ||
| + | |||
| + | From that manual page of apt-get: | ||
| + | |||
| + | --allow-unauthenticated | ||
| + | Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated. | ||
| + | |||
| + | You can make this setting permanent by using your own config file at /etc/apt/apt.conf.d/ dir. The filename can be 99myown and it may contain this line: | ||
| + | |||
| + | APT::Get::AllowUnauthenticated "true"; | ||
| + | |||
| + | This will permit install from repository that you not have the gpg for verify yet!. | ||
