One of the common problems I have when configuring a new server is that I need to install packages I maintain on deb.erianna.com, my personal APT repository. Since I use an ECC signing key, I need to have GnuPG modern installed for my signing key to be recognized by apt. Since Ubuntu is still shipping gnupg2 <= 2.0.x, I've generally had to do this manually, which is a real nuisance as gnupg2 has several apt dependencies.

Fortunately, this process can be automated via apt thanks to the --allow-unauthenticated option as outlined below. Obviously, once my gnupg2 package is installed, all future updates are verified against my ECC key. The whole process can now be automated by running the following script:
```sh
# Install the debian repository
sudo sh -c 'echo "deb https://deb.erianna.com $(lsb_release -cs) main" > /etc/apt/sources.list.d/deb.erianna.com.list'

# Install secure https transport for apt
sudo apt-get install apt-transport-https

# Upgrade gnupg2 to 2.1.x for ECC key support
sudo apt-get --allow-unauthenticated update
sudo apt-get --allow-unauthenticated install gnupg2 -y

# Download ECC key from Keybase
wget --quiet -O - https://keybase.io/charlesportwood/key.asc | sudo apt-key add -

# Update to verify packages can be downloaded and authenticated
sudo apt-get update
```
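The key step of the script above pipes whatever keybase.io serves straight into `apt-key add`, so the one thing every later package check rests on is itself accepted unseen. The following is an added example, not code from the original post: it lists the downloaded key with gpg before importing it and only hands it to `apt-key` when the primary key's fingerprint matches one pinned in advance (obtained out of band, for instance from the Keybase profile). The function names, the `EXPECTED_FPR` placeholder and the `SAMPLE_LISTING` colon-format output are constructed for this example; it assumes gnupg2 2.1 or later (for `--import-options show-only`) and a POSIX awk.

```sh
#!/bin/sh
# Added example, not part of the original post: pin the repository signing
# key's fingerprint and refuse to run apt-key add unless the key actually
# downloaded matches it. The bootstrap still uses --allow-unauthenticated,
# but the key that everything afterwards trusts is checked against a value
# obtained out of band. Assumes gnupg2 >= 2.1 and a POSIX awk.

# Placeholder: replace with the fingerprint published for the real key.
EXPECTED_FPR="AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"

# Constructed sample of `gpg --with-colons` output for one primary key with
# one subkey; used only so the check can be exercised without a network.
SAMPLE_LISTING='pub:u:256:22:0123456789ABCDEF:1500000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Maintainer <maintainer@example.com>::::::::::0:
sub:u:256:18:FEDCBA9876543210:1500000000::::::e:::::cv25519::
fpr:::::::::9999888877776666555544443333222211110000:'

# key_fingerprints: read colon-format gpg output on stdin and print the
# fingerprint of each primary key (the fpr record that follows a pub record;
# fpr records belonging to subkeys are skipped). Field 10 of an fpr record
# holds the fingerprint.
key_fingerprints() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
        $1 == "sub" { primary = 0 }
    '
}

# fingerprint_matches EXPECTED LISTING: succeed only if a primary key in
# LISTING has exactly the fingerprint EXPECTED (whole-line match).
fingerprint_matches() {
    printf '%s\n' "$2" | key_fingerprints | grep -qx "$1"
}

# import_pinned_key URL EXPECTED: download the armoured key, list it without
# importing, and hand it to apt-key only on a fingerprint match.
import_pinned_key() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    if ! wget --quiet -O "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    listing=$(gpg --batch --with-colons --import-options show-only --import "$tmp" 2>/dev/null)
    if fingerprint_matches "$expected" "$listing"; then
        sudo apt-key add "$tmp"; rc=$?
    else
        echo "refusing to add key from $url: fingerprint does not match $expected" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Offline self-check against the constructed listing: returns 0 when the
# pinned primary fingerprint matches and the subkey fingerprint is rejected.
self_check() {
    fingerprint_matches "$EXPECTED_FPR" "$SAMPLE_LISTING" || return 1
    if fingerprint_matches "9999888877776666555544443333222211110000" "$SAMPLE_LISTING"; then
        return 1
    fi
    return 0
}

# Real use, in place of the wget | apt-key add line of the script:
# import_pinned_key https://keybase.io/charlesportwood/key.asc "$EXPECTED_FPR"
```

Only primary-key fingerprints are accepted: a subkey fingerprint would also appear in the listing, but pinning the primary key is what ties the imported material to the identity you verified out of band.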
How are packages authenticated?
Packages from my APT repository are authenticated over HTTPS via a LetsEncrypt X1 certificate. This certificate changes every 60 days or so automatically for security purposes. Since a separate GNUPG2 package is required, this is the most secure way to deliver these packages over apt.
After you install the gnupg2 package, you can verify the signature APT downloaded by running `apt-cache show gnupg2`. Note that these signatures may change over time as the package is updated.
Separately, the parent ECC signing key I use is available on Keybase. My identity can be validated at