Why do Ubuntu open source packages have a GPG key?

I understand that gpg keys are for "signing" your data, as mentioned on their website (https://www.gnupg.org/).
But why then do some open source packages require me to install a gpg key? What is this protecting against?
Thank you.
16.04 apt gnupg
Could you provide an example? – danzel May 4 at 18:44
wiki.ros.org/kinetic/Installation/Ubuntu – simplename May 4 at 18:56
Part of security. Google apt debian security – Panther May 4 at 18:56
wiki.debian.org/Apt#security – Panther May 4 at 20:48
asked May 4 at 18:02
simplename
1 Answer
It's protecting the package against tampering. The installer verifies that the package signature is valid and made by one of the keys you have configured your system to trust.
When you add a key with apt-key you trust that key to authenticate software. This means that a third party cannot supply you a modified package - it validates that the package is made by whoever controls the corresponding private key.
This means that you don't have to trust whoever operates an Ubuntu mirror; you can verify that they are not supplying malware, because they would not be able to sign a package with a key that you trust.
Do you mean "that you don't trust" at the end? – simplename May 9 at 0:43
No, they would not be able to sign with a key that you do trust. – vidarlo May 9 at 5:23
answered May 4 at 18:45
vidarlo
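
An added example (not part of the original answer, and not apt's own code) of the check the answer and the comment exchange above describe. apt signs the repository's index and reaches each package through hashes recorded in it; the sketch collapses that to a single index, uses textbook RSA with fixed Mersenne primes as an insecure stand-in for GPG, and all names, keys and package bytes are constructed for illustration.

```python
import hashlib

# Toy stand-in for GPG: textbook RSA over SHA-256 with fixed Mersenne primes.
# Not secure; it only models "private key signs, public key verifies".
E = 65537

def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(digest_int(data), key["d"], key["n"])

def build_index(packages):
    # Like an apt index file: one "sha256  name" line per package.
    return "".join(f"{hashlib.sha256(blob).hexdigest()}  {name}\n"
                   for name, blob in sorted(packages.items())).encode()

def verify_download(trusted_moduli, index, signature, name, blob):
    # Step 1: the index must be signed by a key the user chose to trust.
    if not any(pow(signature, E, n) == digest_int(index) for n in trusted_moduli):
        return "REJECT: index not signed by a trusted key"
    # Step 2: the package must match the hash recorded in the signed index.
    listed = dict(line.split("  ", 1)[::-1] for line in index.decode().splitlines())
    if listed.get(name) != hashlib.sha256(blob).hexdigest():
        return "REJECT: package does not match signed index"
    return "OK"

ARCHIVE = make_key(2**127 - 1, 2**521 - 1)  # repository owner's key (constructed)
MIRROR = make_key(2**89 - 1, 2**607 - 1)    # key a mirror operator generates itself
TRUSTED = [ARCHIVE["n"]]                    # models the keys added with apt-key

def scenarios():
    good, bad = b"original package bytes", b"modified package bytes"  # constructed
    index = build_index({"hello.deb": good})
    sig = sign(ARCHIVE, index)
    bad_index = build_index({"hello.deb": bad})
    check = lambda i, s, b: verify_download(TRUSTED, i, s, "hello.deb", b)
    return {
        "honest mirror": check(index, sig, good),
        "package swapped": check(index, sig, bad),
        "index rewritten, old signature": check(bad_index, sig, bad),
        "index re-signed with mirror's own key": check(bad_index, sign(MIRROR, bad_index), bad),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The last case is the one the comments discuss: the mirror can produce a valid signature, but only with a key that is not in the trusted set, so the download is still rejected.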