Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
Joel Rees wrote: On Fri, Apr 18, 2014 at 1:02 AM, Richard Owlett rowl...@cloud85.net mailto:rowl...@cloud85.net wrote: Joel Rees wrote: On Wed, Apr 16, 2014 at 11:49 PM, Richard Owlett rowl...@cloud85.net mailto:rowl...@cloud85.net mailto:rowl...@cloud85.net mailto:rowl...@cloud85.net wrote: Richard Owlett wrote: [SNIP] [...] root@debian:/home/richard# apt-get install pforth pforth? Mind if I ask why? *LOL* not the part of my post for which I expected a comment. Primarily I needed an easily remembered package that wouldn't be on any of my test installs. I've been interested in FORTH since CPM-80 days. [...] The reason I ask is that doing an apt-get source or install of gforth does not produce any complaints about unrecognized signatures. I wonder why Garbee would have signed pforth himself. I only looked a little ways around, but the key does seem to be his. Maybe it has to do with where pforth is hosted. Did you get similar complaints from anything else? Yes. When I did a spot check to confirm Andrei's suggestion re /etc/apt/apt.conf.d/00trustcdrom APT::Authentication::TrustCDROM true; I saw the problem installing ed. I was using Squeeze 6.0.5 for my tests. I have (but not yet installed) Wheezy 7.1 DVDs. I have a laptop set aside for potentially destructive self education. It's very cluttered at the moment. I plan to repartition and reinstall everything this weekend. I'll then have a test platform for both Squeeze and Wheezy. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/53525797.1050...@cloud85.net
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
Andrei POPESCU wrote: On Vi, 18 apr 14, 11:08:42, Richard Owlett wrote: Andrei POPESCU wrote: On Jo, 17 apr 14, 11:15:00, Richard Owlett wrote: Yeah BUT ;( I get NO errors or warnings when apt-get uses the physical DVDs from which the loop mounted iso's were created. /etc/apt/apt.conf.d/00trustcdrom: APT::Authentication::TrustCDROM true; Changing that true to false makes loading from the physical DVDs act the same as loading from the loop mounted ISO images. Not elegant nor 'satisfactory', but at least consistent. Is there some documentation on signing aimed at the end-user rather than package creators. I know I'm missing something - just don't know what ;/ Here's what I use: #!/bin/sh # This part generates the minimum necessary files # for an apt repository. # Assumptions: # - this script is run in the directory with packages # - apt-ftparchive is installed (package apt-utils) # - you have a GPG key (the default key is used) # apt seems to require both, even if only one is used apt-ftparchive packages ./ Packages apt-ftparchive packages ./ | gzip Packages.gz apt-ftparchive release ./ Release sudo -u amp gpg --armor --detach-sign --sign --output Release.gpg Release # a sources.list line should look like this # deb file:/directory/with/debs ./ Hope this helps, Andrei Yes - but probably not in the way you expected ;) I started deciphering what your script with aid of man pages. Thus found reference to GNU Privacy Guard. In my reading I had seen lots of abbreviations and acronyms - but never that title *ROFL* What I'm looking for will be one of the many HOWTO's on that subject. Looks like I have at least a week's worth of reading to do. Thank you. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/53528814.5000...@cloud85.net
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
On Jo, 17 apr 14, 11:15:00, Richard Owlett wrote: Yeah BUT ;( I get NO errors or warnings when apt-get uses the physical DVDs from which the loop mounted iso's were created. /etc/apt/apt.conf.d/00trustcdrom: APT::Authentication::TrustCDROM true; Kind regards, Andrei -- http://wiki.debian.org/FAQsFromDebianUser Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic http://nuvreauspam.ro/gpg-transition.txt signature.asc Description: Digital signature
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
On Fri, Apr 18, 2014 at 11:39:35AM +0300, Andrei POPESCU wrote: On Jo, 17 apr 14, 11:15:00, Richard Owlett wrote: Yeah BUT ;( I get NO errors or warnings when apt-get uses the physical DVDs from which the loop mounted iso's were created. /etc/apt/apt.conf.d/00trustcdrom: APT::Authentication::TrustCDROM true; What the man said. apt uses 'clever' hack to workaround this in case you're using cdrom: entry in sources.list. Reco -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140418125402.GA26676@x101h
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
On Fri, Apr 18, 2014 at 1:02 AM, Richard Owlett rowl...@cloud85.net wrote: Joel Rees wrote: On Wed, Apr 16, 2014 at 11:49 PM, Richard Owlett rowl...@cloud85.net mailto:rowl...@cloud85.net wrote: Richard Owlett wrote: [SNIP] [...] root@debian:/home/richard# apt-get install pforth pforth? Mind if I ask why? *LOL* not the part of my post for which I expected a comment. Primarily I needed an easily remembered package that wouldn't be on any of my test installs. I've been interested in FORTH since CPM-80 days. [...] The reason I ask is that doing an apt-get source or install of gforth does not produce any complaints about unrecognized signatures. I wonder why Garbee would have signed pforth himself. I only looked a little ways around, but the key does seem to be his. Maybe it has to do with where pforth is hosted. Did you get similar complaints from anything else? -- Joel Rees Be careful where you see conspiracy. Look first in your own heart.
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
Andrei POPESCU wrote: On Jo, 17 apr 14, 11:15:00, Richard Owlett wrote: Yeah BUT ;( I get NO errors or warnings when apt-get uses the physical DVDs from which the loop mounted iso's were created. /etc/apt/apt.conf.d/00trustcdrom: APT::Authentication::TrustCDROM true; Changing that true to false makes loading from the physical DVDs act the same as loading from the loop mounted ISO images. Not elegant nor 'satisfactory', but at least consistent. Is there some documentation on signing aimed at the end-user rather than package creators. I know I'm missing something - just don't know what ;/ -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/53514e0a.6040...@cloud85.net
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
On Vi, 18 apr 14, 11:08:42, Richard Owlett wrote: Andrei POPESCU wrote: On Jo, 17 apr 14, 11:15:00, Richard Owlett wrote: Yeah BUT ;( I get NO errors or warnings when apt-get uses the physical DVDs from which the loop mounted iso's were created. /etc/apt/apt.conf.d/00trustcdrom: APT::Authentication::TrustCDROM true; Changing that true to false makes loading from the physical DVDs act the same as loading from the loop mounted ISO images. Not elegant nor 'satisfactory', but at least consistent. Is there some documentation on signing aimed at the end-user rather than package creators. I know I'm missing something - just don't know what ;/ Here's what I use: #!/bin/sh # This part generates the minimum necessary files # for an apt repository. # Assumptions: # - this script is run in the directory with packages # - apt-ftparchive is installed (package apt-utils) # - you have a GPG key (the default key is used) # apt seems to require both, even if only one is used apt-ftparchive packages ./ Packages apt-ftparchive packages ./ | gzip Packages.gz apt-ftparchive release ./ Release sudo -u amp gpg --armor --detach-sign --sign --output Release.gpg Release # a sources.list line should look like this # deb file:/directory/with/debs ./ Hope this helps, Andrei -- http://wiki.debian.org/FAQsFromDebianUser Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic http://nuvreauspam.ro/gpg-transition.txt signature.asc Description: Digital signature
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
On Wed, Apr 16, 2014 at 11:49 PM, Richard Owlett rowl...@cloud85.netwrote: Richard Owlett wrote: [SNIP] [...] root@debian:/home/richard# apt-get install pforth pforth? Mind if I ask why? Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: pforth 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/81.2 kB of archives. After this operation, 291 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! pforth Install these packages without verification [y/N]? E: Some packages could not be authenticated Yeah. I just installed pforth via synaptic without any messages that I noticed. (Didn't check the logs. Usually, synaptic will through a GUI flag up when you try to install stuff it doesn't know how to verify.) But when I grabbed the source with apt-get source, it told me what it's telling you there. But before it told me that, it told me it couldn't find the public key for the key ID F2CF-01A8. You might want to look around the internet for that root@debian:/home/richard# find /home/richard/tst/dvd1 -name 'debian-archive-keyring_*_all.deb' /home/richard/tst/dvd1/pool/main/d/debian-archive-keyring/ debian-archive-keyring_2010.08.28_all.deb root@debian:/home/richard# dpkg -i /home/richard/tst/dvd1/pool/ main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb (Reading database ... 116472 files and directories currently installed.) Preparing to replace debian-archive-keyring 2010.08.28 (using .../debian-archive-keyring_2010.08.28_all.deb) ... Unpacking replacement debian-archive-keyring ... Setting up debian-archive-keyring (2010.08.28) ... gpg: key F42584E6: Lenny Stable Release Key debian-release@lists.debian. org not changed gpg: key 55BE302B: Debian Archive Automatic Signing Key (5.0/lenny) ftpmas...@debian.org not changed gpg: key 6D849617: Debian-Volatile Archive Automatic Signing Key (5.0/lenny) not changed gpg: key B98321F9: Squeeze Stable Release Key debian-rele...@lists.debian.org not changed gpg: key 473041FA: Debian Archive Automatic Signing Key (6.0/squeeze) ftpmas...@debian.org not changed gpg: Total number processed: 5 gpg: unchanged: 5 This key does not seem to be a debian key? (Which raises some questions.) Anyway, the failure to authenticate is due to the missing public key. You could import the key, but you want to know how much you want to trust it before you do that. (So look around the 'net.) [...] Since I pulled down the source, I think I'll take a look at it over the weekend, see if I can tell anything from that. Maybe. -- Joel Rees Be careful where you see conspiracy. Look first in your own heart.
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
Hi. On Wed, Apr 16, 2014 at 09:49:23AM -0500, Richard Owlett wrote: root@debian:/home/richard# apt-get install pforth Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: pforth 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/81.2 kB of archives. After this operation, 291 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! pforth Install these packages without verification [y/N]? E: Some packages could not be authenticated skip root@debian:/home/richard# apt-get update Ign file: squeeze Release.gpg Note those 'Ign' records for each ISO you're using. Debian doesn't sign packages per se, they sign whole repository with usual 'public key - private key' scheme. 'debian-keyring' package provides you with public keys, and of course private keys are kept, well, private. Apt (aptitude, synaptic, whatever tool you're using) will start to complain if: 1) Repository is signed with unknown or untrusted key. See 'apt-key list' output for the list of keys you're trusting. 2) Repository is signed with an expired key. Yes, each key have a lifetime. 3) Repository isn't signed at all. IIRC Debian does not sign the repository they put on 'Official CD's at all, hence this warning you're given. Reco -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140417154813.GA6579@x101h
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
Joel Rees wrote: On Wed, Apr 16, 2014 at 11:49 PM, Richard Owlett rowl...@cloud85.net mailto:rowl...@cloud85.net wrote: Richard Owlett wrote: [SNIP] [...] root@debian:/home/richard# apt-get install pforth pforth? Mind if I ask why? *LOL* not the part of my post for which I expected a comment. Primarily I needed an easily remembered package that wouldn't be on any of my test installs. I've been interested in FORTH since CPM-80 days. Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: pforth 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/81.2 kB of archives. After this operation, 291 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! pforth Install these packages without verification [y/N]? E: Some packages could not be authenticated Yeah. I just installed pforth via synaptic without any messages that I noticed. (Didn't check the logs. Usually, synaptic will through a GUI flag up when you try to install stuff it doesn't know how to verify.) Prior to this test I had used Synaptic and got the equivalent error message. For documenting my problem using command line was simpler. But when I grabbed the source with apt-get source, it told me what it's telling you there. But before it told me that, it told me it couldn't find the public key for the key ID F2CF-01A8. You might want to look around the internet for that root@debian:/home/richard# find /home/richard/tst/dvd1 -name 'debian-archive-keyring_*_all.__deb' /home/richard/tst/dvd1/pool/__main/d/debian-archive-keyring/__debian-archive-keyring_2010.__08.28_all.deb root@debian:/home/richard# dpkg -i /home/richard/tst/dvd1/pool/__main/d/debian-archive-keyring/__debian-archive-keyring_2010.__08.28_all.deb (Reading database ... 116472 files and directories currently installed.) Preparing to replace debian-archive-keyring 2010.08.28 (using .../debian-archive-keyring___2010.08.28_all.deb) ... Unpacking replacement debian-archive-keyring ... Setting up debian-archive-keyring (2010.08.28) ... gpg: key F42584E6: Lenny Stable Release Key debian-release@lists.debian.__org mailto:debian-rele...@lists.debian.org not changed gpg: key 55BE302B: Debian Archive Automatic Signing Key (5.0/lenny) ftpmas...@debian.org mailto:ftpmas...@debian.org not changed gpg: key 6D849617: Debian-Volatile Archive Automatic Signing Key (5.0/lenny) not changed gpg: key B98321F9: Squeeze Stable Release Key debian-release@lists.debian.__org mailto:debian-rele...@lists.debian.org not changed gpg: key 473041FA: Debian Archive Automatic Signing Key (6.0/squeeze) ftpmas...@debian.org mailto:ftpmas...@debian.org not changed gpg: Total number processed: 5 gpg: unchanged: 5 This key does not seem to be a debian key? (Which raises some questions.) Anyway, the failure to authenticate is due to the missing public key. You could import the key, but you want to know how much you want to trust it before you do that. (So look around the 'net.) I started with a purchased set of Squeeze (6.0.5) DVDs as I'm on dialup. I have done multiple installs with that set without this problem appearing. The only difference is creating ISO files FROM the DVDs and then loop mounting to be the repository for the apt-get command. I'll have to go find the key and instructions for using it. But that would only be a work-a-round. The ISO file is an image of a WORKING DVD. [...] Since I pulled down the source, I think I'll take a look at it over the weekend, see if I can tell anything from that. Maybe. -- Joel Rees Be careful where you see conspiracy. Look first in your own heart. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/534ffb27.1030...@cloud85.net
Re: Repeatable apt-get WARNING: The following packages cannot be authenticated!
Reco wrote: Hi. On Wed, Apr 16, 2014 at 09:49:23AM -0500, Richard Owlett wrote: root@debian:/home/richard# apt-get install pforth Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: pforth 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/81.2 kB of archives. After this operation, 291 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! pforth Install these packages without verification [y/N]? E: Some packages could not be authenticated skip root@debian:/home/richard# apt-get update Ign file: squeeze Release.gpg Note those 'Ign' records for each ISO you're using. Debian doesn't sign packages per se, they sign whole repository with usual 'public key - private key' scheme. 'debian-keyring' package provides you with public keys, and of course private keys are kept, well, private. Apt (aptitude, synaptic, whatever tool you're using) will start to complain if: 1) Repository is signed with unknown or untrusted key. See 'apt-key list' output for the list of keys you're trusting. 2) Repository is signed with an expired key. Yes, each key have a lifetime. 3) Repository isn't signed at all. IIRC Debian does not sign the repository they put on 'Official CD's at all, hence this warning you're given. Reco Yeah BUT ;( I get NO errors or warnings when apt-get uses the physical DVDs from which the loop mounted iso's were created. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/534ffe04.7070...@cloud85.net
Repeatable apt-get WARNING: The following packages cannot be authenticated!
Richard Owlett wrote: [SNIP] I will try to give enough detail that someone could duplicate what I've done. My environment: 1. Lenovo R61 ThinkPad with intentionally no network connectivity 2. 64 GB USB flash drive 3. Set of physical install DVDs (Debian 6.0.5 was all available when I started) 4. A reasonably typical install of Squeeze using Gnome2 DE My procedure: 1. Copy DVD 1 of 8 to beginning of flash drive using dd 2. Create an ext2 partition on remainder of drive using Gparted, labeling it squeeze_dvds 3. Copy each of the 8 DVDs to that partition using dd I now have files dvd1.iso thru dvd8.iso on that partition. 4. Create mount points with mkdir /home/richard/tst/dvd1 thru mkdir /home/richard/tst/dvd8 5. Loop mount the files with mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd1.iso /home/richard/tst/dvd1 thru mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd8.iso /home/richard/tst/dvd8 6. Replace contents of /etc/apt/sources.list with deb file:/home/richard/tst/dvd1 squeeze contrib main thru deb file:/home/richard/tst/dvd7 squeeze contrib main deb file:/home/richard/tst/dvd8 squeeze main NOTE - {no contrib files exist on last DVD} 7. In Synaptic type Ctrl+R to reload package information 8. Install desired additional packages *UNRESOLVED PROBLEM* When marking a package as to install, a warning message is triggered saying the package cannot be authenticated. I don't understand. I assumed that by copying with dd all relevant information would be available. Google search not very useful. Lots of hits on the general structure of repositories and creating personally signed private repositories. Only fount one hit relevant to diagnosing error message when repository is apparently fully legitimate clone of official repo. I found a thread titled How to use the debian installation iso for installing packages using aptitude. The relevant diagnostic suggestions began near end of https://lists.debian.org/debian-user/2013/08/msg00554.html . I found no indication that the problem was ever resolved. Suggestions please. Below is transcript of following suggestions from that and subsequent posts. *NOTE* I've inserted blank lines to make it more readable root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd1.iso /home/richard/tst/dvd1 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd2.iso /home/richard/tst/dvd2 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd3.iso /home/richard/tst/dvd3 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd4.iso /home/richard/tst/dvd4 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd5.iso /home/richard/tst/dvd5 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd6.iso /home/richard/tst/dvd6 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd7.iso /home/richard/tst/dvd7 root@debian:/home/richard# mount -t iso9660 -o ro,loop /media/squeeze_dvds/dvd8.iso /home/richard/tst/dvd8 root@debian:/home/richard# apt-get install pforth Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: pforth 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/81.2 kB of archives. After this operation, 291 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! pforth Install these packages without verification [y/N]? E: Some packages could not be authenticated root@debian:/home/richard# find /home/richard/tst/dvd1 -name 'debian-archive-keyring_*_all.deb' /home/richard/tst/dvd1/pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb root@debian:/home/richard# dpkg -i /home/richard/tst/dvd1/pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb (Reading database ... 116472 files and directories currently installed.) Preparing to replace debian-archive-keyring 2010.08.28 (using .../debian-archive-keyring_2010.08.28_all.deb) ... Unpacking replacement debian-archive-keyring ... Setting up debian-archive-keyring (2010.08.28) ... gpg: key F42584E6: Lenny Stable Release Key debian-rele...@lists.debian.org not changed gpg: key 55BE302B: Debian Archive Automatic Signing Key (5.0/lenny) ftpmas...@debian.org not changed gpg: key 6D849617: Debian-Volatile Archive Automatic Signing Key (5.0/lenny) not changed gpg: key B98321F9: Squeeze Stable Release Key debian-rele...@lists.debian.org not changed gpg: key 473041FA: Debian Archive Automatic Signing Key (6.0/squeeze) ftpmas...@debian.org not changed gpg: Total number processed: 5 gpg: unchanged: 5 root@debian:/home/richard# dpkg --status debian-archive-keyring Package: