Score:0

How to make the default ubuntu repositories trustable again?


So the other day some of my repos (including PPAs) started throwing signature errors. Every time I try to update my repos I end up with this error:

sudo apt update

Get:1 http://archive.ubuntu.com/ubuntu kinetic InRelease [267 kB]
Err:1 http://archive.ubuntu.com/ubuntu kinetic InRelease
  At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: http://archive.ubuntu.com/ubuntu kinetic InRelease: At least one invalid signature was encountered.
E: The repository 'http://archive.ubuntu.com/ubuntu kinetic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Basically, I had proceeded to disable all of my PPAs and even deleted all files under /etc/apt/trusted.gpg.d, with the unintended consequence that none of my repos are trusted; even default repositories like http://archive.ubuntu.com/ubuntu kinetic main universe multiverse are untrusted.

So I opened up the Software & Updates app and it shows nothing, in contrast to a normal Ubuntu VM.

Ubuntu Trusted Software

So, how can I make the default Ubuntu repositories trusted again?

Edit 1:

Okay, so I read the man page for apt-secure and it says:

   The chain of trust in Debian starts (e.g.) when a maintainer uploads a new package or a new version of a package to the Debian archive. In
   order to become effective, this upload needs to be signed by a key contained in one of the Debian package maintainer keyrings (available in
   the debian-keyring package). Maintainers' keys are signed by other maintainers following pre-established procedures to ensure the identity
   of the key holder. Similar procedures exist in all Debian-based distributions.

   Once the uploaded package is verified and included in the archive, the maintainer signature is stripped off, and checksums of the package
   are computed and put in the Packages file. The checksums of all of the Packages files are then computed and put into the Release file. The
   Release file is then signed by the archive key for this Ubuntu release, and distributed alongside the packages and the Packages files on
   Ubuntu mirrors. The keys are in the Ubuntu archive keyring available in the ubuntu-keyring package.

Also, it appears that apt-key is deprecated or doesn't work from any version above Jammy Jellyfish (22.04) now? (I have Kinetic Kudu 22.10 installed.)

Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section shows how to replace existing use of apt-key.

   If your existing use of apt-key add looks like this:

   wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -

   Then you can directly replace this with (though note the recommendation below):

   wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc

   Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also known as "GPG key
   public ring"). The binary OpenPGP format works for all apt versions, while the ASCII armored format works for apt version >= 1.4.

   Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the
   Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4,
   /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When using a deb822-style sources.list, and
   with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list
   without an additional file.

And apt version is 2.53

apt -v
apt 2.5.3 (amd64)

Take a look:

sudo apt-key list
create_gpg_home:trap:14: undefined signal: ABRT

This is the only question (it remains unanswered) that I could find with this error: "22.04 - Errors on apt update after docker engine installation".

Could this help?

Edit2

There seem to be a few community members that have had a similar issue ("Force update from unsigned repository"), but in my case I am unable to use apt-key to do anything because I keep getting undefined signal: ABRT

sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117
create_gpg_home:trap:14: undefined signal: ABRT

Also forcefully trusting the repos especially for receiving OS updates and patches isn't the best security practice :/.

nobody:
Keyrings are also stored under `/usr/share/keyrings/`, but I'm not sure if a simple cp of them back to `/etc/apt/trusted.gpg.d/` will fix this issue.
iamnytik:
It doesn't seem to work. The problem still persists.
nobody:
Please take a look here https://askubuntu.com/questions/732985/force-update-from-unsigned-repository
iamnytik:
I have taken a look at that, but most answers tell you to either force the trust or use apt-key, which doesn't seem to work anymore :(
Score:0

Hey guys, so I figured out the answer to my problem, and it's surprisingly easy to solve.

  1. Go to your repository's link in a web browser (for example, this Ubuntu repository).

  2. Dig around in the file structure for a .gpg key and download it (it might vary from repo to repo). For me, I found it in the /project subfolder.

How the gpg file looks like

  3. Double-click or open the .gpg file with the Passwords & Keys app, double-click on the imported key, switch on the "I trust the signatures from this key and other keys" button, and make sure you select Full under the Owner Trust drop-down menu. It should be called "Ubuntu Archive Automatic Signing key".

trusting the gpg key

I'm not sure if we would have to stop at Step 3, but after this last step everything worked.

  4. Finally, copy the public key ID (40976EAF437D05B5 in my case) and paste it into the search box of Ubuntu's Key server, scroll to the very end and copy the latest signature (645bc435a86554d2 worked for me), and finally paste it into the terminal using these commands:

gpg --keyserver  keyserver.ubuntu.com  --recv-key  645bc435a86554d2
gpg: key 645BC435A86554D2: public key "[email protected]" imported
gpg: Total number processed: 1
gpg:               imported: 1
deb@bed:~$ gpg -a --export 645bc435a86554d2  |  sudo apt-key add -
[sudo] password for deb: 
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg --keyserver keyserver.ubuntu.com --recv-key  645bc435a86554d2

Now sudo apt install should work and not throw any gpg errors :)

You can verify this by going to the Software & Updates app and moving to the Authentication tab :).
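
An added example, not part of the original thread: a small audit of how each entry in a one-line-style sources file obtains its trust, covering the Signed-By option from the quoted man page and the emptied /etc/apt/trusted.gpg.d described in the question. The function name `audit_sources` and the verdict labels are hypothetical, and it assumes `signed-by=` holds a single keyring file path.

```shell
#!/bin/sh
# audit_sources SOURCES_FILE TRUSTED_DIR   (hypothetical helper)
# Prints "<verdict> <uri> <suite>" for every deb/deb-src line:
#   FORCED       [trusted=yes]: signature checks are skipped for this repo
#   PINNED       signed-by= names a keyring file that exists and is non-empty
#   MISSING-KEY  signed-by= names a file that is absent or empty
#   GLOBAL       no signed-by=; relies on the keys found in TRUSTED_DIR
#   NO-KEYS      no signed-by= and TRUSTED_DIR holds no *.gpg / *.asc file
audit_sources() {
    src=$1 tdir=$2
    global=NO-KEYS
    for k in "$tdir"/*.gpg "$tdir"/*.asc; do
        if [ -s "$k" ]; then global=GLOBAL; fi
    done
    set -f                        # no globbing while splitting fields
    while read -r type rest; do
        case $type in deb|deb-src) ;; *) continue ;; esac
        opts=
        case $rest in             # split off the optional "[opt=val ...]"
            "["*) opts=${rest%%\]*}; opts=${opts#\[}; rest=${rest#*\]} ;;
        esac
        set -- $rest              # $1 = URI, $2 = suite
        verdict=$global
        for o in $opts; do
            case $o in
                trusted=yes) verdict=FORCED; break ;;
                signed-by=*)
                    if [ -s "${o#*=}" ]; then verdict=PINNED
                    else verdict=MISSING-KEY; fi ;;
            esac
        done
        printf '%s %s %s\n' "$verdict" "$1" "$2"
    done < "$src"
    set +f
}

# Stand-alone use: sh audit.sh /etc/apt/sources.list /etc/apt/trusted.gpg.d
if [ "$#" -eq 2 ]; then audit_sources "$1" "$2"; fi
```

A NO-KEYS verdict on the archive.ubuntu.com lines corresponds to the state described in the question; PINNED is the state the man page recommends for third-party repositories.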
