I am running apt-get update and I see errors like
W: GPG error: http://us.archive.ubuntu.com precise Release:
The following signatures were invalid:
BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
It is not hard to find instructions on how to fix these, for example by requesting the new key with apt-key adv --recv-keys or by rebuilding the cache, so I am not asking how to fix them.
But why is that the right thing to do? Why doesn't "oh, I need a new key? Cool, go fetch the new key" defeat the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key checks? Should we be doing some extra verification to make sure we are getting a legitimate key?
Relevant basic concepts about the idea behind GPG signatures and how they ensure a more secure signed repository:
In my opinion, the proposed fixes aren't secure. A more secure solution would be to blow out everything in /var/lib/apt/lists/ as suggested in this answer. I suggest this because apt automatically checks the integrity of the package, and it is a much more hassle-free solution compared to hunting down each of the keys.
That doesn't mean you shouldn't manually add the keys, but only if you know how to check whether the keys are valid. Some ways of checking the integrity of the package / validity of the key:
- releases.gpg file. If it is already available, you can rest assured that the key is secure, because only the keys of trusted developers are included in the releases.gpg file.
- debsig-verify package (manpage for the debsig-verify command). debsig-verify checks for signatures embedded inside Debian packages, something that is not widely practised since the advent of secure-apt.
So, the accepted solution at What is the easiest way to resolve apt-get BADSIG GPG errors? is not exactly recommended nor secure for the average Joe, as he would probably have neither the time, patience nor awareness to check whether the solution is secure enough for him. Instead, the second answer on that question should be recommended for its simplicity and more guaranteed security.
Relevant:
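The answer above recommends discarding the cached index files instead of importing whatever key a keyserver hands back, and importing a key only after checking that it is genuine. The script below is an added example (not from the question, the answer, or Ubuntu's own tooling) that puts both steps together: it clears /var/lib/apt/lists/ so apt re-downloads and re-verifies the Release files, and it compares the fingerprint of the key in the local trusted keyring against a fingerprint you obtained out of band (for example from the distribution's published keyring documentation). The keyring path, the script name and the fingerprint value are placeholders; the `--with-colons` lines used for testing are constructed sample output, not real key data.

```shell
#!/bin/sh
# Added example: safe recovery from an apt BADSIG warning.
# Assumes gpg and apt-get are installed; run the operational part as root.

# Discard cached index and Release files (but keep the lock file and the
# partial/ directory) so the next apt-get update re-downloads and re-verifies
# them against the trusted keyring. Takes an optional directory for testing.
clear_apt_lists() {
    lists_dir="${1:-/var/lib/apt/lists}"
    find "$lists_dir" -maxdepth 1 -type f ! -name lock -exec rm -f {} +
    rm -f "$lists_dir"/partial/* 2>/dev/null
}

# Read `gpg --with-colons` output on stdin and print key fingerprints
# (field 10 of the "fpr" records), one per line.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed (exit 0) if one of the fingerprints on stdin equals the expected
# fingerprint given as $1; spaces and letter case are ignored so a value copied
# from a web page or printed `gpg --fingerprint` output can be pasted as-is.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    while read -r fpr; do
        [ "$fpr" = "$expected" ] && return 0
    done
    return 1
}

# Operational use (placeholder names; requires root and network access):
#   sh badsig_recover.sh --run /etc/apt/trusted.gpg.d/<archive-keyring>.gpg "<expected fingerprint>"
# The keyring file name differs between releases (older releases used
# /etc/apt/trusted.gpg), so pass the one present on your system.
if [ "${1:-}" = "--run" ]; then
    keyring="$2"
    expected_fpr="$3"
    if gpg --no-default-keyring --keyring "$keyring" --with-colons --fingerprint \
        | fingerprints_from_colons | fingerprint_matches "$expected_fpr"; then
        echo "trusted keyring holds the expected archive key; refreshing index files"
        clear_apt_lists
        apt-get update
    else
        echo "expected fingerprint not found in $keyring; do not import keys blindly" >&2
        exit 1
    fi
fi
```

The fingerprint comparison is the part that answers the question's "should we do extra verification": a key ID such as 40976EAF437D05B5 is only the last 16 hex digits of the fingerprint, so compare the full 40-digit fingerprint rather than the short ID when deciding whether a key is the one the distribution actually uses.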
Views: 1347