Using SecureApt in Debian

Published: 2006-09-18 00:36:22 Source: 红联 Author: xuanchengzi
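Starting with apt 0.6, Debian uses strong cryptography to verify downloaded packages. This feature is usually called secure apt. If no public key has been added, installing or upgrading a package produces the following prompt: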

[code]root@guoliang:~# apt-get install zip
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
zip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/107kB of archives.
After unpacking 213kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
zip
Install these packages without verification [y/N]? n
E: Some packages could not be authenticated[/code]

This means the system cannot verify the package. To verify it, you need to install Debian's public key, as follows:

Download the file http://ftp-master.debian.org/ziyi_key_2006.asc and install it with the apt-key command.

[code]root@guoliang:~/zip# wget http://ftp-master.debian.org/ziyi_key_2006.asc
--14:10:58-- http://ftp-master.debian.org/ziyi_key_2006.asc
=> `ziyi_key_2006.asc'
Connecting to 172.168.1.200:8000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 2,017 (2.0K) [text/plain]

100%[==================================================================================================>] 2,017 --.--K/s

14:11:00 (71.24 MB/s) - `ziyi_key_2006.asc' saved [2017/2017]

root@guoliang:~/zip# apt-key add ziyi_key_2006.asc
OK
root@guoliang:~/zip#[/code]

You can also do this the gpg way: fetch the public key from a key server and then install it, with the following commands:

[code]gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F
gpg -a --export 2D230C5F | sudo apt-key add -[/code]

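Running these commands requires your Linux machine to be connected to the Internet directly or through NAT, rather than through a proxy. After installing the public key, you can use apt-key list to see the public keys the system currently holds: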

[code]root@guoliang:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
uid Debian Archive Automatic Signing Key (2004)

pub 1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid Debian Archive Automatic Signing Key (2005)

pub 1024D/B5F5BBED 2005-04-24
uid Debian AMD64 Archive Key
sub 2048g/34FC6FE5 2005-04-24

pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid Debian Archive Automatic Signing Key (2006) [/code]

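The public key currently in use is 2D230C5F, which expires on 2007-02-07; after 2007-02-07 it has to be replaced with a new public key. Debian's public keys are valid for 1 year, which means the key has to be replaced once every year.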
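The expiry information in the listing above can be checked mechanically. The following is an added example, not part of the original article: a shell function that reads `apt-key list` output in the format shown above and marks each primary key as expired, expiring soon, valid, or without an expiry date. The function name `keyring_status` and its two date arguments are assumptions of this example; the sample input is the listing from the article.

```shell
#!/bin/sh
# Added example (not from the article): flag expired or soon-to-expire keys
# in the old-style `apt-key list` output shown above.

# Sample input: the listing printed in the article.
SAMPLE_LISTING='/etc/apt/trusted.gpg
--------------------
pub 1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
uid Debian Archive Automatic Signing Key (2004)

pub 1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid Debian Archive Automatic Signing Key (2005)

pub 1024D/B5F5BBED 2005-04-24
uid Debian AMD64 Archive Key
sub 2048g/34FC6FE5 2005-04-24

pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid Debian Archive Automatic Signing Key (2006)'

# keyring_status TODAY WARN_UNTIL   (listing on stdin)
# Both arguments are YYYY-MM-DD; ISO dates order correctly as plain strings.
# Output, one line per primary key: KEYID STATUS EXPIRY UID
keyring_status() {
    awk -v today="$1" -v warn="$2" '
    function emit() {
        if (id == "") return
        if (expiry == "")         status = "NO-EXPIRY"
        else if (expiry < today)  status = "EXPIRED"
        else if (expiry <= warn)  status = "EXPIRING"
        else                      status = "VALID"
        printf "%s %s %s %s\n", id, status, (expiry == "" ? "-" : expiry), uid
        id = ""
    }
    $1 == "pub" {                     # a new primary key starts here
        emit()
        split($2, part, "/"); id = part[2]; expiry = ""; uid = ""
        if (match($0, /\[(expired|expires): [0-9-]+\]/)) {
            expiry = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9-]/, "", expiry)   # keep only the date
        }
    }
    $1 == "uid" && id != "" && uid == "" { uid = $0; sub(/^uid[ \t]+/, "", uid) }
    END { emit() }'
}

# Evaluate the article listing as of its publication date, warning six months ahead.
printf '%s\n' "$SAMPLE_LISTING" | keyring_status 2006-09-18 2007-03-18
```

On a live system, pipe `apt-key list` into the function instead of the sample listing.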

After installing the public key and refreshing the apt sources with apt-get update, installing packages no longer produces these annoying prompts:

[code]root@guoliang:~# apt-get install zip
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
zip
0 upgraded, 1 newly installed, 0 to remove and 60 not upgraded.
Need to get 0B/107kB of archives.
After unpacking 213kB of additional disk space will be used.
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process
Selecting previously deselected package zip.
(Reading database ... 63974 files and directories currently installed.)
Unpacking zip (from .../archives/zip_2.32-1_i386.deb) ...
Setting up zip (2.32-1) ...[/code]