How to get apt-get source verification working?

8

1

Example (Using Debian Wheezy):

sudo apt-get source hello

Result:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Need to get 705 kB of source archives.
Get:1 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (dsc) [1287 B]
Get:2 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (tar) [697 kB]
Get:3 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (diff) [6598 B]                                                               
Fetched 705 kB in 8s (80.6 kB/s)                                                                                                              
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Wed Feb 13 10:30:20 2013 UTC using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.8-3.dsc
dpkg-source: info: extracting hello in hello-2.8
dpkg-source: info: unpacking hello_2.8.orig.tar.gz
dpkg-source: info: unpacking hello_2.8-3.debian.tar.gz

The dpkg-dev and debian-keyring packages are already installed.

I tried running apt-get source as user, as root, used "gpg --recv-keys 9F1B8B32" beforehand as user and as root. Nothing helped to get the downloaded sources verified.

How can I get rid of this "dpkg-source: warning: failed to verify signature" warning?

user28464

Posted 2013-08-01T17:42:10.407

Reputation: 81

Worked for me with apt-get source hello-debhelper, and I was root in root dir. – ling – 2014-12-01T21:02:45.680

try it with gpg --keyserver keyring.debian.org --recv-keys 9F1B8B32? – Angs – 2013-08-01T17:58:49.120

Did not help... – user28464 – 2013-08-01T18:40:56.770

Answers

10

do

apt-get install debian-keyring

to install all debian developer keyrings. It would check after that.

Matija Nalis

Posted 2013-08-01T17:42:10.407

Reputation: 2 107

Unfortunately, it must read apt-get install debian-keyring/sid to work most of the time. – Tino – 2015-03-08T05:55:53.340

This (without /sid) worked for me on Debian Jessie – JinnKo – 2015-06-08T20:09:06.980

The dpkg-dev and debian-keyring packages are already installed. Edited the original question with that information. – user28464 – 2013-08-01T18:18:23.060

@user28464 that is most strange, can you try "apt-get update; apt-get install --reinstall debian-keyring"? what does "ls -l /usr/share/keyrings" return? – Matija Nalis – 2013-08-01T19:32:49.370

1

It is debian-keyring you want (the .dsc file being checked is signed by the maintainer) but installing debian-keyring still leaves some plumbing to be done to make gpg consider the developer keys (automatically considering them would be a can of worms, which is presumably why the plumbing isn't done as part of post-install).

If it's a one-off, recheck the .dsc after the fetch using:

gpg --keyring /usr/share/keyrings/debian-maintainers.gpg --verify *.dsc

If you'll be grabbing several, add:

keyring /usr/share/keyrings/debian-maintainers.gpg

to your ~/.gnupg/gpg.conf; from then on, gpg (and gpgv) will consider the developer/maintainer keys for signature verification. (If you're paranoid, you could use /usr/share/keyrings/debian-keyring.gpg which includes full developers but not maintainers.)

Neither approach will make the keys be considered valid, but that's probably what you want — if you obtained debian-keyring with a sanely configured apt-get/aptitude and that package's signature was checked, you can have reasonable confidence that the keys in there really belong to the developers/maintainers.

ZakW

Posted 2013-08-01T17:42:10.407

Reputation: 263

Isn't it that apt-get source uses dscverify to check signatures? squeeze's manpage for dscverify lists /usr/share/keyrings/debian-maintainers.gpg as one of the places to search for the debian keyring. – x-yuri – 2015-06-07T09:07:23.987
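As an added example (my own, not part of ZakW's answer and not a Debian tool), a small POSIX sh script that automates the two steps above: add_keyring_line appends the keyring line to a gpg.conf without duplicating it on re-runs, and verify_dsc runs gpgv over a .dsc with the keyrings passed explicitly on the command line, so the check does not depend on ~/.gnupg/trustedkeys.gpg or on any configuration file. The function names are mine; the keyring paths are the ones named in the answer.

```shell
#!/bin/sh
# Added example: plumbing for verifying a .dsc against the Debian keyrings.
# Function names are the example's own; keyring paths are those from the answer.

# add_keyring_line CONF KEYRING
# Append "keyring KEYRING" to CONF (creating it if needed) unless that exact
# line is already present, so the function is safe to run repeatedly.
add_keyring_line() {
    conf=$1
    keyring=$2
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF "keyring $keyring" "$conf"; then
        return 0            # already configured
    fi
    printf 'keyring %s\n' "$keyring" >> "$conf"
}

# verify_dsc FILE.dsc KEYRING...
# Check the .dsc's clearsigned signature with gpgv, naming every keyring on
# the command line. When --keyring is given, gpgv reads only the named
# keyrings instead of its default ~/.gnupg/trustedkeys.gpg, so the
# "keyblock resource ... file open error" from the question cannot occur.
# Returns gpgv's exit status (0 = good signature) or 2 if gpgv is missing.
verify_dsc() {
    dsc=$1
    shift
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "verify_dsc: gpgv not found (install gnupg)" >&2
        return 2
    fi
    # Turn the remaining arguments "a b" into "--keyring a --keyring b".
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" --keyring "$1"
        shift
        n=$((n - 1))
    done
    gpgv "$@" "$dsc"
}

# Demo: build a throwaway gpg.conf and show that the append is idempotent.
demo_dir=$(mktemp -d)
add_keyring_line "$demo_dir/gpg.conf" /usr/share/keyrings/debian-maintainers.gpg
add_keyring_line "$demo_dir/gpg.conf" /usr/share/keyrings/debian-maintainers.gpg  # no-op
cat "$demo_dir/gpg.conf"
rm -rf "$demo_dir"

# Usage: ./verify_dsc.sh hello_2.8-3.dsc   (after apt-get source fetched it)
if [ -n "${1:-}" ]; then
    verify_dsc "$1" /usr/share/keyrings/debian-keyring.gpg \
                    /usr/share/keyrings/debian-maintainers.gpg
fi
```

Passing both keyrings covers the case the answer describes: debian-keyring.gpg holds the full developers, debian-maintainers.gpg the maintainers, and a .dsc may be signed by either.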

0

The important detail missing here is that you need the keyring from sid, not the keyring from stable, because only sid's keyring carries all the developers. Notice the /sid in the next line:

apt-get install debian-keyring/sid

To get sid you usually need a line like the following in /etc/apt/sources.list:

deb http://http.debian.net/debian/ sid main

(And don't forget to apt-get update afterwards.)

But beware! If sid sits in your sources.list your system tends to morph into sid against your will. To prevent that, add a line to /etc/apt/apt.conf which looks like:

APT::Default-Release "stable"; 

(There are gazillions of other ways to prevent sid; this one is the easiest one I know.)

Notes:

  • Clue to this solution was found at http://debian.distrosfaqs.org/debian-user/signature-of-wheezys-linux-source-package/
  • Before I found this I stumbled upon thousands of pages telling you to simply fetch the missing key from a keyserver: Never do such a stupid thing to verify a signature! If a MitM was able to send you a faked package, the same one is able to send you a faked answer from the keyserver as well. Hence a key pulled from a keyserver is just plain snake oil. (And in a security context, believing in "snake oil" is probably the most stupid thing you can do.)

Tino

Posted 2013-08-01T17:42:10.407

Reputation: 906

0

Judging from the "gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error" line, you must be running into gpg's bug. In the end apt-get source runs gpg with the --no-option switch, which fails if no homedir (~/.gnupg) exists. One can remedy this with: gpg -k. More details here.

x-yuri

Posted 2013-08-01T17:42:10.407

Reputation: 225
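An added example (my own, not x-yuri's and not part of dpkg or GnuPG) for triaging the gpgv/dpkg-source output the thread quotes: triage_dsc_verify classifies the stderr of a verification run into one of the failure modes the answers discuss, signing_key_id pulls the key ID out of the "Signature made ... using RSA key ID ..." line, and advice_for prints the remedy the thread gives for each case (install debian-keyring, from sid if stable's copy lacks the key, rather than pulling the key from a keyserver; create the gpg homedir if trustedkeys.gpg cannot be opened). The sample output is the question's own; the function names and labels are mine.

```shell
#!/bin/sh
# Added example: classify gpgv/dpkg-source verification output and map each
# failure mode to the fix discussed in the thread. Function names and the
# labels are the example's own.

# Sample input: the exact lines from the question (embedded for the demo).
sample_output=$(cat <<'EOF'
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Wed Feb 13 10:30:20 2013 UTC using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.8-3.dsc
EOF
)

# triage_dsc_verify: read gpgv/dpkg-source output on stdin, print one label.
# Order matters: a BAD signature is the most serious outcome and wins over
# every other line; a good signature wins over a complaint about the default
# keyring file, which is then harmless noise.
triage_dsc_verify() {
    out=$(cat)
    if   printf '%s\n' "$out" | grep -q 'BAD signature';        then echo bad-signature
    elif printf '%s\n' "$out" | grep -q 'Good signature';       then echo verified
    elif printf '%s\n' "$out" | grep -q 'public key not found'; then echo unknown-key
    elif printf '%s\n' "$out" | grep -q 'file open error';      then echo missing-keyring
    else echo unknown
    fi
}

# signing_key_id: extract the signer's key ID from stdin. Newer gpgv prints
# "using RSA key <fingerprint>" without "ID", so that form is accepted too.
signing_key_id() {
    sed -n 's/.*using [A-Z0-9]* key \(ID \)\{0,1\}\([0-9A-F][0-9A-F]*\).*/\2/p' | head -n 1
}

# advice_for LABEL: the remediation the thread gives for each outcome.
advice_for() {
    case $1 in
        verified)        echo "Signature verified against the keyrings gpgv consulted." ;;
        bad-signature)   echo "Signature does not match the .dsc contents: do not build from it." ;;
        unknown-key)     echo "Signer's key is in none of the keyrings gpgv consulted: install debian-keyring (from sid if stable's copy lacks the key) or pass --keyring; do not fetch the key from a keyserver." ;;
        missing-keyring) echo "~/.gnupg/trustedkeys.gpg cannot be opened: run 'gpg -k' once to create the homedir, or pass --keyring explicitly." ;;
        *)               echo "Unrecognised output; inspect it by hand." ;;
    esac
}

# Demo over the question's output.
diag=$(printf '%s\n' "$sample_output" | triage_dsc_verify)
echo "diagnosis: $diag (key $(printf '%s\n' "$sample_output" | signing_key_id))"
advice_for "$diag"
```

For a live run, feed the script the real output, e.g. gpgv --keyring /usr/share/keyrings/debian-keyring.gpg hello_2.8-3.dsc 2>&1 | triage_dsc_verify; on the question's output it reports unknown-key with key 9F1B8B32, which is the case Matija Nalis's and Tino's answers address.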