Re: [SLE] Cannot install Unsigned Packages using apt-get.
On 10/23/06, Duff Mckagan <mckagan@gmail.com> wrote:
On 10/23/06, Ed Harrison <eharrison@tampabay.rr.com> wrote:
** Reply to message from Duff Mckagan <mckagan@gmail.com> on Mon, 23 Oct 2006 13:41:39 +0530
I cannot install some softwares. The reason being ..the packages are unsigned!!
How do I install unsigned packages with apt-get?
Go to /etc/apt/conf.d and edit the file "gpg-checker.conf" by adding the line "GPG::Check no;"
This stops checking signatures. There are also some packages available that start "rpmkeys" that provide the signatures.
Thanks. But what are the disadvantages of not checking signatures? I hear the packages will never get updated if they don't have signatures or something like that...

Also, while installing some packages, I get an error saying that some packages are not "installable".

For example, I tried installing FrostWire and it gave me the following errors.

OPPERSKULL:~ # apt-get install FrostWire
Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.

Since you only requested a single operation it is extremely likely that the package is simply not installable and a bug report against that package should be filed.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  FrostWire: Depends: bsh2 but it is not installable
             Depends: icu4j but it is not installable
             Depends: jakarta-commons-net but it is not installable
             Depends: jmdns but it is not installable
E: Broken packages
--
Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
On Monday 23 October 2006 13:34, Duff Mckagan wrote:
Thanks. But what are the disadvantages of not checking signatures?
No evidence of origin.

Viruses, trojans, backdoors, spyware, if just one of the servers you use to install from gets hacked, you will install whatever the hackers put your way. With signature checking, this wouldn't happen.

But over the past couple of years I've come to understand that most people are just too lazy for real security, which is why the common answer to your question is "disable the security check"

If you were afraid of losing the key to your house, would the solution be to remove the lock from the door? Metaphorically speaking, that is what you did by disabling the signature check

Oh, and just blindly installing some rpm containing keys, and then trusting everything signed by those keys can be likened to handing out the key to your house to anyone who asks for it.
On 10/23/06, Anders Johansson <andjoh@rydsbo.net> wrote:
On Monday 23 October 2006 13:34, Duff Mckagan wrote:
Thanks. But what are the disadvantages of not checking signatures?
No evidence of origin.
Viruses, trojans, backdoors, spyware, if just one of the servers you use to install from gets hacked, you will install whatever the hackers put your way. With signature checking, this wouldn't happen.
But over the past couple of years I've come to understand that most people are just too lazy for real security, which is why the common answer to your question is "disable the security check"
If you were afraid of losing the key to your house, would the solution be to remove the lock from the door? Metaphorically speaking, that is what you did by disabling the signature check
Oh, and just blindly installing some rpm containing keys, and then trusting everything signed by those keys can be likened to handing out the key to your house to anyone who asks for it.
Thanks. Nice explanation there. Now I realize that it was certainly not a good idea.

Well.. I solved the problem by using the --no-checksig option with apt for just one RPM. And I was quite surprised that the package that didn't have the signature was Kynaptic and not some odd software.

I have the following line added to my /etc/apt/sources.list. Could it be problematic?

rpm http://ftp4.gwdg.de/pub/linux/suse/apt SuSE/10.0-i386 wine rpmkeys base java update-drpm update-prpm update extra kde samba3 suser-agirardet suser-liviudm suser-rbos suser-crauch suser-jengelh suser-oc2pus suser-guru suser-gbv usr-local-bin suser-tcousin suser-scorot suser-scrute suser-jogley kolab packman packman-i686 kraxel suse-people kde3-stable security-prpm security
On Monday 23 October 2006 13:34, Duff Mckagan wrote:
On 10/23/06, Duff Mckagan <mckagan@gmail.com> wrote:
On 10/23/06, Ed Harrison <eharrison@tampabay.rr.com> wrote:
** Reply to message from Duff Mckagan <mckagan@gmail.com> on Mon, 23 Oct 2006 13:41:39 +0530
I cannot install some softwares. The reason being ..the packages are unsigned!!
How do I install unsigned packages with apt-get?
Go to /etc/apt/conf.d and edit the file "gpg-checker.conf" by adding the line "GPG::Check no;"
This stops checking signatures. There are also some packages available that start "rpmkeys" that provide the signatures.
Thanks. But what are the disadvantages of not checking signatures? I hear the packages will never get updated if they don't have signatures or something like that...
I think you heard wrong. You just need to permit the installation with the --no-ch switch. But better install the signatures aka rpmkeys.
Also, while installing some packages, I get an error saying that some packages are not "installable".
For example, I tried installing FrostWire and it gave me the following errors.
OPPERSKULL:~ # apt-get install FrostWire
Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.

Since you only requested a single operation it is extremely likely that the package is simply not installable and a bug report against that package should be filed.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  FrostWire: Depends: bsh2 but it is not installable
             Depends: icu4j but it is not installable
             Depends: jakarta-commons-net but it is not installable
             Depends: jmdns but it is not installable
E: Broken packages
That means apt couldn't find the packages mentioned, i.e. bsh2, icu4j, jakarta-commons-net, and jmdns. You need to find a repository for your SUSE version that has those packages, and add that repository to /etc/apt/sources.list. Then try again, and hopefully all needed packages can be found.

Cheers,
Leen
Leendert Meyer wrote:
On Monday 23 October 2006 13:34, Duff Mckagan wrote:
Thanks. But what are the disadvantages of not checking signatures? I hear the packages will never get updated if they don't have signatures or something like that...
I think you heard wrong. You just need to permit the installation with the --no-ch switch. But better install the signatures aka rpmkeys.
On 10.0, I have problems with the installation of the Packman keys.

The vendor and release attributes of some keys are different than expected with the RPMDB declaration in the /usr/lib/rpm/gnupg/*.asc files. Then apt4rpm tried to import them every time anew and aborted at the first error. The error is mentioned during apt-get upgrade.

I repaired the problem locally by patching the *.asc files. I always wanted to trace that problem, but didn't have the time to invest -- I mentioned it on the packman list, but there the rpmkeys maintainer cannot reproduce my situation.

Just in case that you stumble over this error yourself.

Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
On 10/26/06, Joachim Schrod <jschrod@acm.org> wrote:
On 10.0, I have problems with the installation of the Packman keys.
The vendor and release attributes of some keys are different than expected with the RPMDB declaration in the /usr/lib/rpm/gnupg/*.asc files. Then apt4rpm tried to import them every time anew and aborted at the first error. The error is mentioned during apt-get upgrade.
I repaired the problem locally by patching the *.asc files. I always wanted to trace that problem, but didn't have the time to invest -- I mentioned it on the packman list, but there the rpmkeys maintainer cannot reproduce my situation.
Just in case that you stumble over this error yourself.
What is the error that you got exactly?

I ran apt-get dist-upgrade decently and ran into a horde of problems.

Well..I will be glad to know how can we patch .asc files?
Duff Mckagan wrote:
On 10/26/06, Joachim Schrod <jschrod@acm.org> wrote:
On 10.0, I have problems with the installation of the Packman keys.
The vendor and release attributes of some keys are different than expected with the RPMDB declaration in the /usr/lib/rpm/gnupg/*.asc files. Then apt4rpm tried to import them every time anew and aborted at the first error. The error is mentioned during apt-get upgrade.
I repaired the problem locally by patching the *.asc files. I always wanted to trace that problem, but didn't have the time to invest -- I mentioned it on the packman list, but there the rpmkeys maintainer cannot reproduce my situation.
Just in case that you stumble over this error yourself.
What is the error that you got exactly?
That "apt install rpmkey-packman" does not import all keys from that package. When one runs "apt upgrade", it tells that it detects that, tries to import it again, fails, and aborts at the first failure.

Of course, when a package is signed with one of the missing keys, apt bails out when you want to install or update that package. One can then import the missing GPG keys (preferable) or use --no-checksig with apt.

Btw, the technical observation of my problem is fully described in the second paragraph cited above.
I ran apt-get dist-upgrade decently and ran into a horde of problems.
I doubt that this has something to do with it. It doesn't disturb any other installation besides those where the GPG keys are missing.
Well..I will be glad to know how can we patch .asc files?
One
-- checks with rpm -qa 'gpg-pubkey*' which keys are imported and compares them to the IDs in the *.asc files. (RPMDB declaration in the first line.)
-- imports missing *.asc files and checks if they have been really imported with the expected name.
-- If not, one does a grep on the imported keys with the release attribute; if one finds that, the vendor attribute in the RPMDB declaration is probably inconsistent
-- patches the vendor attribute in the problematic *.asc files.

But as I wrote, this GPG keys issue is very unlikely to cause your problems.

Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
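
The key check described in the message above, sketched as an added example (not code from the thread or from apt4rpm): it compares the names printed by rpm -qa 'gpg-pubkey*' with the names expected from the *.asc files and reports which keys are imported, missing, or imported under a different name with the same release. The key names are constructed placeholders, and reading the expected names out of the RPMDB declarations is assumed to be done by the caller, since the thread does not show that format.

```sh
#!/bin/sh
# Added example. Key names below are constructed placeholders, not real keys.
# Names have the form gpg-pubkey-VERSION-RELEASE, as printed by:
#   rpm -qa 'gpg-pubkey*'

SAMPLE_INSTALLED='gpg-pubkey-11111111-4a000001
gpg-pubkey-22222222-4a000002'

# Assumption: the caller has already read the expected names out of the
# RPMDB declarations in the *.asc files (their format is not shown here).
SAMPLE_EXPECTED='gpg-pubkey-11111111-4a000001
gpg-pubkey-2222aaaa-4a000002
gpg-pubkey-33333333-4a000003'

# Print the first installed key whose release field equals $2, if any.
find_by_release() {
    printf '%s\n' "$1" | while IFS= read -r have; do
        case $have in
            gpg-pubkey-*-"$2") printf '%s\n' "$have"; break ;;
        esac
    done
}

# classify_keys INSTALLED EXPECTED
# Emits "<expected-name> <status>" for each expected key:
#   imported          exact name is in the RPM database
#   mismatch:<name>   same release imported under a different name, so the
#                     declaration in the *.asc file is probably inconsistent
#   missing           no imported key carries that release
classify_keys() {
    printf '%s\n' "$2" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        release=${want##*-}
        if printf '%s\n' "$1" | grep -qxF -- "$want"; then
            echo "$want imported"
        else
            hit=$(find_by_release "$1" "$release")
            if [ -n "$hit" ]; then
                echo "$want mismatch:$hit"
            else
                echo "$want missing"
            fi
        fi
    done
}

classify_keys "$SAMPLE_INSTALLED" "$SAMPLE_EXPECTED"
```

On a live system the first argument would be "$(rpm -qa 'gpg-pubkey*')"; keys reported as missing are the ones to import rather than bypassing with --no-checksig.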
participants (4)
- Anders Johansson
- Duff Mckagan
- Joachim Schrod
- Leendert Meyer