Posts: 20
RHTopics
Joined: 20 Feb 2009
#1
I am trying to fix my antiX M8 installation to properly authenticate packages and not get the following message when using APT to upgrade or install a package:
WARNING: The following packages cannot be authenticated!
Here is my /etc/apt/sources.list:

Code:

# See sources.list(5) for more information
# updated: 02/19/2009 - converted to lenny (aka stable)

#Mepis8
deb ftp://ftp.mepis.com/mepis/ mepis-8.0 main 

# Debian
deb http://ftp.us.debian.org/debian/ lenny main contrib non-free 
#deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free 

deb http://security.debian.org/ lenny/updates main contrib non-free 
 
# mplayer
#deb http://www.debian-multimedia.org etch main
deb http://www.debian-multimedia.org lenny main

# wicd
deb http://apt.wicd.net debian extras

# other commented out repositories 
# --------------------------------

#opera
#deb http://deb.opera.com/opera/ lenny non-free

#virtualbox
#deb http://download.virtualbox.org/virtualbox/debian lenny non-free

# Remastersys
#deb http://www.remastersys.klikit-linux.com/repository debian/

###### Debian Unstable/Sid/sidux ##########
###### Use at your own risk! ########
#deb http://ftp.de.debian.org/debian/ unstable main contrib non-free
#deb http://www.debian-multimedia.org unstable main
#deb http://sidux.com/debian/ sid main contrib non-free firmware fix.main fix.contrib fix.non-free

I removed all the unused keys and removed/re-added the keys for:

Code:

deb http://apt.wicd.net debian extras
deb http://www.debian-multimedia.org lenny main
deb ftp://ftp.mepis.com/mepis/ mepis-8.0 main

Here is the output from doing an "apt-key list":

Code:

/etc/apt/trusted.gpg
--------------------
pub   1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
uid                  Lenny Stable Release Key <debian-release@lists.debian.org>

pub   2048R/6D849617 2009-01-24 [expires: 2013-01-23]
uid                  Debian-Volatile Archive Automatic Signing Key (5.0/lenny)

pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key <debian-release@lists.debian.org>

pub   1024D/BBE55AB3 2007-03-31 [expires: 2010-03-30]
uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)
sub   2048g/36CA98F3 2007-03-31 [expires: 2010-03-30]

pub   4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

pub   1024D/B8C0755A 2008-09-13
uid                  Adam Blackburn <compwiz18@gmail.com>
sub   2048g/CF3C3262 2008-09-13

pub   1024D/1F41B907 1999-10-03
uid                  Christian Marillat <marillat@debian.org>
uid                  Christian Marillat <marillat@free.fr>
sub   1536g/C28DCC42 1999-10-03
sub   1024D/5D3877A7 2002-08-26

pub   1024D/1A77B3E9 2005-10-29 [expires: 2011-01-22]
uid                  Warren Woodford (MEPIS Maintainers) <dev@mepis.org>

I have done apt-key update, apt-get update, and apt-get dist-upgrade commands in an effort to remove the warning message. No luck so far.

Is there a way to get the system to properly authenticate the packages?

Thanks

RHTopics
Posts: 20
RHTopics
Joined: 20 Feb 2009
#2
No response received for this posting.

Does that mean everyone using antiX receives the authentication warning message when updating or installing packages? And there is no apparent way to solve it?
Posts: 609
dark-D
Joined: 02 Jun 2008
#3
I get them all the time. Don't know about the others, I guess it is OK to see the message.
Posts: 903
plvera
Joined: 11 Oct 2008
#4
I get them too. Since I haven't had a problem with the installed apps, I haven't worried about the message.
Posts: 20
RHTopics
Joined: 20 Feb 2009
#5
Here is my attempt to summarize what it means.

The warning comes from not being able to verify the contents of the release file. The release file along with the packages file contains checksums for validating downloaded packages. In essence, the provided checksums cannot be ultimately trusted, for the mechanism set up to provide this trust is not working properly. The downloaded packages may match the checksums you have been provided, but the APT system cannot verify the checksums are secure and not from a nefarious source.

In the vast majority of cases, the packages you have downloaded are good and do not contain "malware". But this first level of security provided by APT is not there to provide that extra validation assurance.

Here is a link to Debian's wiki page for information:


http://wiki.debian.org/SecureApt
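
The chain described in post #5, as an added example that is not part of the original thread: Release lists the hash of each Packages index, and Packages lists the hash of each .deb. All file contents and paths below are constructed sample data, and the signature on Release (Release.gpg) is deliberately left unchecked to show what the hashes alone can and cannot catch.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text):
    """Map path -> (sha256, size) from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(packages_text):
    """Map Filename -> SHA256 for every stanza of a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Filename"]] = fields["SHA256"]
    return out

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Check Release -> Packages -> .deb hashes. Release.gpg is NOT checked here."""
    digest, size = parse_release_sha256(release_text)[index_path]
    if len(packages_bytes) != size or sha256(packages_bytes) != digest:
        return "Packages does not match Release"
    if sha256(deb_bytes) != parse_packages(packages_bytes.decode())[deb_path]:
        return "package does not match Packages"
    return "ok"

def build_metadata(deb_path, deb_bytes, index_path):
    """Constructed sample data: a one-package Packages index and its Release file."""
    packages = ("Package: example\nVersion: 1.0\nFilename: %s\nSize: %d\nSHA256: %s\n"
                % (deb_path, len(deb_bytes), sha256(deb_bytes))).encode()
    release = ("Suite: stable\nCodename: lenny\nSHA256:\n %s %d %s\n"
               % (sha256(packages), len(packages), index_path))
    return release, packages

DEB, INDEX = "pool/main/e/example/example_1.0_i386.deb", "main/binary-i386/Packages"
GOOD, ALTERED = b"constructed package contents", b"constructed altered contents"
RELEASE, PACKAGES = build_metadata(DEB, GOOD, INDEX)
# Genuine package: chain holds. Altered package, original metadata: caught.
# Altered package with regenerated (unsigned) metadata: the hashes agree again,
# which is why the chain means nothing unless the Release signature is verified.
```
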
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#6
I think you'll find that it is the MEPIS repo (and maybe wicd) that is causing the authenticate packages warning.

As a test, disable MEPIS repo and see if you get the warnings
Posts: 20
RHTopics
Joined: 20 Feb 2009
#7
I stripped things down to the "bare metal" and I still got the warning message when using apt to download and install a package from the debian repository.

I commented out everything in /etc/apt/sources.list except for the following:

Code:

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free 
deb http://security.debian.org/ lenny/updates main contrib non-free

Removed all files from /var/lib/apt/lists and then did an apt-get update to re-download them. This is what I had in that directory:

Code:

ftp.us.debian.org_debian_dists_lenny_Release
ftp.us.debian.org_debian_dists_lenny_Release.gpg
ftp.us.debian.org_debian_dists_lenny_contrib_binary-i386_Packages
ftp.us.debian.org_debian_dists_lenny_main_binary-i386_Packages
ftp.us.debian.org_debian_dists_lenny_non-free_binary-i386_Packages
lock
partial
security.debian.org_dists_lenny_updates_Release
security.debian.org_dists_lenny_updates_Release.gpg
security.debian.org_dists_lenny_updates_contrib_binary-i386_Packages
security.debian.org_dists_lenny_updates_main_binary-i386_Packages
security.debian.org_dists_lenny_updates_non-free_binary-i386_Packages

Did an "apt-key update" just to make sure the public keys were unchanged. There were no updates made.

Then I had a thought maybe it is the setting of the "allow unauthenticated" in /etc/apt/apt.conf that was the source of the problem. So I changed:
from: APT::Get::AllowUnauthenticated 1;

to: APT::Get::AllowUnauthenticated 0;

Did another package download and install using "apt-get install" and that did it, no more warning message.

Uncommented the repositories one at a time, doing an apt-get update each time, and it has continued to work without getting the warning message.

So the setting of APT::Get::AllowUnauthenticated to 1 will give a warning message even though there was really nothing to warn about.
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#8
Well, I'm glad you got that worked out. Well done.

I suppose the default should be APT::Get::AllowUnauthenticated 0;
but I think the reason why it isn't/wasn't was because MEPIS didn't/(doesn't?) use the keys.
Posts: 20
RHTopics
Joined: 20 Feb 2009
#9
You are right about MEPIS in the past not providing a public key for their packages.

They do now, though their public key included in the installation of antiX M8 has expired and will need to be updated. I got their new one from:


http://www.mepis.org/docs/en/index.php/MEPIS_key


Doing an "apt-key list" after adding the new MEPIS key looks like:

Code:

pub   1024D/1A77B3E9 2005-10-29 [expires: 2011-01-22]
uid                  Warren Woodford (MEPIS Maintainers) <dev@mepis.org>
The previous one I believed expired this January.
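
An audit for the two things posts #7 and #9 turned up, the AllowUnauthenticated setting and an expired key in the keyring, as an added example that is not part of the original thread. It assumes the flat one-line option form shown in post #7 and the "apt-key list" layout shown in this thread; the set of values treated as enabled and the reference date are assumptions of the example.

```python
import re
from datetime import date

# Assumption: values counted as "enabled" for a boolean apt option.
TRUE_VALUES = {"1", "true", "yes", "on", "with", "enable"}
# Flat form only; commented-out lines (# or //) do not match.
OPTION = re.compile(
    r'^\s*APT::Get::AllowUnauthenticated\s+"?([^";\s]+)"?\s*;', re.I | re.M)
PUB = re.compile(
    r'^pub\s+\S+/([0-9A-F]{8})\s+\d{4}-\d{2}-\d{2}'
    r'(?:\s+\[expires: (\d{4})-(\d{2})-(\d{2})\])?', re.M)

def allows_unauthenticated(apt_conf_text):
    """True if the last AllowUnauthenticated setting in the text is enabled."""
    values = OPTION.findall(apt_conf_text)
    return bool(values) and values[-1].lower() in TRUE_VALUES

def expired_keys(apt_key_list_output, today):
    """Return the IDs of keys whose [expires: ...] date is before `today`."""
    expired = []
    for key_id, y, m, d in PUB.findall(apt_key_list_output):
        if y and date(int(y), int(m), int(d)) < today:
            expired.append(key_id)
    return expired

# Sample input: three entries copied from the "apt-key list" output in post #1.
KEY_LIST = """\
pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key <debian-release@lists.debian.org>

pub   4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>
"""
REFERENCE_DATE = date(2009, 8, 1)  # constructed date for the example

if __name__ == "__main__":
    print(allows_unauthenticated("APT::Get::AllowUnauthenticated 1;"))
    print(expired_keys(KEY_LIST, REFERENCE_DATE))
```
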
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#10
Thanks for that. The next release of antiX will have this fixed.

I'll make the solutions you found a sticky sometime tomorrow. (It is late here)