8

Example (Using Debian Wheezy):

sudo apt-get source hello

Result:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Need to get 705 kB of source archives.
Get:1 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (dsc) [1287 B]
Get:2 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (tar) [697 kB]
Get:3 http://ftp.us.debian.org/debian/ testing/main hello 2.8-3 (diff) [6598 B]                                                               
Fetched 705 kB in 8s (80.6 kB/s)                                                                                                              
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error
gpgv: Signature made Wed Feb 13 10:30:20 2013 UTC using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./hello_2.8-3.dsc
dpkg-source: info: extracting hello in hello-2.8
dpkg-source: info: unpacking hello_2.8.orig.tar.gz
dpkg-source: info: unpacking hello_2.8-3.debian.tar.gz

The dpkg-dev and debian-keyring package is already installed.

I tried running apt-get source as user, as root, used "gpg --recv-keys 9F1B8B32" beforehand as user and as root. Nothing helped to get the downloaded sources verified.

How can I get rid of this "dpkg-source: warning: failed to verify signature" warning?

user28464
  • 81

4 Answers4

10

do

apt-get install debian-keyring

to install all debian developer keyrings. It would check after that.

Matija Nalis
  • 2,721
2

It is debian-keyring you want (the .dsc file being checked is signed by the maintainer) but installing debian-keyring still leaves some plumbing to be done to make gpg consider the developer keys (automatically considering them would be a can of worms, which is presumably why the plumbing isn't done as part of post-install).

If it's a one-off, recheck the .dsc after the fetch using:

gpg --keyring /usr/share/keyrings/debian-maintainers.gpg --verify *.dsc

If you'll be grabbing several, add:

keyring /usr/share/keyrings/debian-maintainers.gpg

to your ~/.gnupg/gpg.conf; from then on, gpg (and gpgv) will consider the developer/maintainer keys for signature verification. (If you're paranoid, you could use /usr/share/keyrings/debian-keyring.gpg which includes full developers but not maintainers.)

Neither approach will make the keys be considered valid, but that's probably what you want — if you obtained debian-keyring with a sanely configured apt-get/aptitude and that package's signature was checked, you can have reasonable confidence that the keys in there really belong to the developers/maintainers.

ZakW
  • 323
0

The important detail missing here is that you need the keyring from sid, not the keyring from stable, because only sid's keyring carries all the developers. Notice the /sid in next line:

apt-get install debian-keyring/sid

To get sid you usually need a line like following in /etc/apt/source.list:

deb http://http.debian.net/debian/ sid main

(And don't forget to apt-get update afterwards.)

But beware! If sid sits in your sources.list your system tends to morph into sid against your will. To prevent that, add a line to /etc/apt/apt.conf which looks like:

APT::Default-Release "stable";

(There are gazillions of other ways to prevent sid, this one is the most easy one I know.)

Notes:

  • Clue to this solution was found at http://debian.distrosfaqs.org/debian-user/signature-of-wheezys-linux-source-package/
  • Before I found this I stumbled upon thousands of pages telling you to simply fetch the missing key from a keyserver: Never do such a stupid thing to verify a signature! If a MitM was able to send you a faked package, the same one is able to send you a faked answer of the keyserver as well. Hence a key pulled from a keyserver just is plain snakeoil. (And in a security context believing in "snakeoil" is the probably most stupid thing you can do.)
Tino
  • 1,246
0

Judging from "gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error" line, you must be running into gpg's bug. In the end apt-get source runs gpg with --no-option switch. Which fails if no homedir (~/.gnupg) exists. One can remedy this with: gpg -k. More details here.

Community
  • 1
x-yuri
  • 347