36

I'm using Ubuntu 9.10, and need to add some apt repositories. Unfortunately, I get messages like this when running sudo apt-get update:

W: GPG error: http://ppa.launchpad.net karmic Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A9BF3BB4E5E17B5
W: GPG error: http://ppa.launchpad.net karmic Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1DABDBB4CEC06767

So, I need to install the keys for these repositories. Under 9.10 we now have the option to do this:

sudo add-apt-repository ppa:nvidia-vdpau/ppa

See this Ubuntu help article for details.

This is great, except that I'm running this on a workstation behind a firewall which blocks outbound connections to pretty much all ports except those required by secretaries running Windows and IE.

The port in question here is the hkp service, port 11371.

There appear to be ways to manually download keys and install them on apt's keyring. There may even be a way to use add-apt-repository or wget or something to download a key from an alternative server making it available on port 80.

However, I haven't yet found a concise set of steps for doing so. What I'm looking for is:

  1. How to find a public key for an apt-package (recommendations for resources which have these, and/or tips for searching. Searching for the key hash doesn't seem all that effective so far.)
  2. How to retrieve a key (can it be done automatically using gpg or add-apt-repository?)
  3. How to add a key to apt's keyring

Thanks in advance.

Kief
  • 753

9 Answers

39

This has been fixed in the upcoming Natty version of Ubuntu: https://launchpad.net/ubuntu/natty/+source/software-properties/0.78.1

Those using an older version need to edit ppa.py:

sudo gedit /usr/lib/python2.6/dist-packages/softwareproperties/ppa.py

Where it says:

keyserver.ubuntu.com

change to:

hkp://keyserver.ubuntu.com:80

Save, exit, then you're hopefully good to go.

Gareth
  • 19,080
19
sudo apt-key adv --keyserver keyserver.ubuntu.com --keyserver-options http-proxy=http://proxy:port --recv-keys KEYID
Gareth
  • 19,080
user46707
  • 191
13

Here's one workaround I used:

I logged onto a Linux server out in the free world beyond our corporate firewall, and did this:

gpg --keyserver keyserver.ubuntu.com --recv 1DABDBB4CEC06767 && gpg --export --armor 1DABDBB4CEC06767

Then on my workstation, I ran this, and pasted the output from the above command (the public key) into the stdin, followed by control-D:

sudo apt-key add -

Then I was able to run sudo apt-get update without problems.

I still think there has to be a better way, ideally something I could script.

Kief
  • 753
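
A scripted version of the manual fetch-and-paste workaround above, as an added example that is not part of the original answers: it requests the key from the keyserver's HKP lookup path over port 80 and checks that the downloaded key carries the requested ID before passing it to apt-key. The function names are hypothetical, and it assumes wget plus a gpg that lists the keys in a file when given no command.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of apt or gpg.
LC_ALL=C; export LC_ALL
KEYSERVER="${KEYSERVER:-keyserver.ubuntu.com}"   # host named in the answers above

# Accept a 16-hex long key ID (as in NO_PUBKEY) or a 40-hex fingerprint,
# with optional 0x prefix; print it upper-cased. 8-hex short IDs are refused.
normalize_keyid() {
    id=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$id" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case "${#id}" in
        16|40) printf '%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# HKP is HTTP underneath: keys are served from /pks/lookup on the keyserver.
hkp_url() {
    id=$(normalize_keyid "$1") || return 1
    printf 'http://%s:80/pks/lookup?op=get&options=mr&search=0x%s\n' "$KEYSERVER" "$id"
}

# Read `gpg --with-colons` output on stdin. Succeed only if the listing holds
# the requested key: field 5 of pub/sub is the long ID, field 10 of fpr the
# fingerprint. A full fingerprint is the stronger check when you have one.
listing_has_key() {
    want=$(normalize_keyid "$1") || return 1
    awk -F: -v want="$want" '
        ($1 == "pub" || $1 == "sub") && $5 == want { ok = 1 }
        $1 == "fpr" && $10 == want { ok = 1 }
        END { exit !ok }'
}

# Download, check, and only then add to apt's keyring.
# Usage: fetch_and_add 1DABDBB4CEC06767
fetch_and_add() {
    id=$(normalize_keyid "$1") || { echo "bad key id: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$(hkp_url "$id")" &&
        gpg --with-colons --with-fingerprint "$tmp" 2>/dev/null | listing_has_key "$id" &&
        sudo apt-key add "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```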
8

I have another workaround here which might be handy if you can't find another Linux server outside your network as a proxy. Just send an email to "pgp-public-keys@pgp.mit.edu" with a subject like "get 0x1DABDBB4CEC06767". But you probably still can't write a simple script to automate this.

5

You could go to the web site of the keyserver, e.g. http://wwwkeys.eu.pgp.net/. Search for the key signature (you need to add 0x to the hex signature), i.e. 0x1DABDBB4CEC06767.

Click on the link you'll hopefully get and paste the text into a file on the machine, i.e.

cat > <filename>

[PASTE]

[Ctrl-C]

Then

apt-key add <filename>

This worked fine for me; it appears my work proxy blocks a lot of "non-standard" ports.

CJBrew
  • 221
4

I found a neat way of doing it in a single command through port 80 which is always open for www traffic.

http://gurrier.wordpress.com/2010/10/02/downlolading-repo-keys-from-behind-a-corporate-firewall/

tony
  • 49
2

A simple solution is:

sudo add-apt-repository --keyserver hkps://keyserver.ubuntu.com:443 some_ppa

The secure https (outgoing 443) would not be blocked by the firewall.

1

I simply use ssh to forward the port to an external host then run the apt-add-repo command.

ssh -fqTnN -D 11371 <user@host>
Gareth
  • 19,080
-1

I had the same issue with gpg. The workaround with adding the port to the server name worked by editing my ~/.gnupg/gpg.conf file. However, I'm still going to ask our sysadmin to open outbound port 11371, so I don't have to worry about this again.

TFM
  • 4,273