Easily add to your APT list file

February 8th, 2016 @ 17:50 Ubuntu Packages

One of the common problems I have when configuring a new server is that I need to install packages I maintain on my personal APT repository. Since I use an ECC signing key, I need to have GNUPG modern installed for my signing key to be recognized by apt. Since Ubuntu is still shipping gnupg2 <= 2.0.x, I've generally had to do this manually, which is a real nuisance as GNUPG2 has several apt dependencies.

Fortunately, this process can be automated via apt thanks to the `--allow-unauthenticated` option as outlined below. Obviously, once my GNUPG2 package is installed, all future updates are verified against my ECC key. The whole process can now be automated by running the following script:


```
# Install the debian repository
sudo sh -c 'echo "deb $(lsb_release -cs) main" > /etc/apt/sources.list.d/'

# Install secure https transport for apt
sudo apt-get install apt-transport-https

# Upgrade gnupg2 to 2.1.x for ECC key support
sudo apt-get --allow-unauthenticated update
sudo apt-get --allow-unauthenticated install gnupg2 -y

# ldconfig gpg2
sudo ldconfig

# Download ECC key from Keybase
wget --quiet -O - | sudo apt-key add -

# Update to verify packages can be downloaded and authenticated
sudo apt-get update
```
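The key download step above hands whatever the server returns straight to `apt-key add`. The following is an added example, not part of the original script, that checks the downloaded key's fingerprint against a pinned value before apt trusts it. `EXPECTED_FPR`, the sample listing, the function names and the URL argument are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the repository key by fingerprint before apt trusts it.
# EXPECTED_FPR is a constructed placeholder, not the author's real fingerprint;
# obtain the real value out-of-band and paste it here.
EXPECTED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Constructed sample of `gpg2 --with-colons --with-fingerprint <keyfile>` output.
SAMPLE_LISTING='pub:-:256:22:89ABCDEF01234567:1454950000:::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1454950000::::Example Repo <repo@example.invalid>::::::::::0:
sub:-:256:18:1122334455667788:1454950000::::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip whitespace and uppercase, so a pin copied with spaces still compares.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print one fingerprint per primary key: the "fpr" record (field 10) that
# directly follows each "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }'
}

# Read a colon listing on stdin; succeed only if it holds exactly one
# primary key whose fingerprint equals the pin given as $1.
key_matches_pin() {
    got=$(primary_fprs)
    [ -n "$got" ] && [ "$got" = "$(normalize_fpr "$1")" ]
}

# Fetch the key from URL $1, check it against the pin, then add it to apt.
install_repo_key() {
    tmp=$(mktemp) || return 1
    wget --quiet -O "$tmp" "$1" &&
        gpg2 --with-colons --with-fingerprint "$tmp" 2>/dev/null |
            key_matches_pin "$EXPECTED_FPR" &&
        sudo apt-key add "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Self-check against the constructed sample; touches no network or keyring.
printf '%s\n' "$SAMPLE_LISTING" | key_matches_pin "$EXPECTED_FPR" && echo "sample key matches pin"
```

A listing that contains more than one primary key is rejected, so a key file bundling an extra key cannot slip through alongside the expected one.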

How are packages authenticated?

Packages from my APT repository are authenticated over HTTPS via a Let's Encrypt X1 certificate. This certificate changes every 60 days or so automatically for security purposes. Since a separate GNUPG2 package is required, this is the most secure way to deliver these packages over apt.

After you install the GNUPG2 package, you can verify the signature APT downloaded by running `apt-cache show gnupg2`. Note that these signatures may change over time as the package is updated.

Separately, the parent ECC signing key I use is available on Keybase. My identity can be validated at