All of the key-servers I visit are timing out. I need to install packages without checking the signatures of the public keys. Is there a way to bypass all the signature checks/ignore all of the signature errors or fool apt into thinking the signature passed?
Asked
Active
Viewed 4.3e+01k times
6 Answers
111
Pass the --allow-unauthenticated option to apt-get as in:
sudo apt-get --allow-unauthenticated upgrade
From tha manual page of apt-get:
--allow-unauthenticated
Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.
You can make this setting permanent by using your own config file at /etc/apt/apt.conf.d/ dir. The filename can be 99myown and it may contain this line:
APT::Get::AllowUnauthenticated "true";
In this way, you don't need to use the option every time you want to install software. Note: I do not recommend setting this option by default, it bypasses signature checks that could allow an adversary to compromise your computer.
Lekensteyn
- 178,446
40
If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.
The below script is not recommended if you can install the keys from a keyserver or download them from a trusted source via https, but if you don't have ANY other way, you can use this.
echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list
sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update
## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`
apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname
## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed
apt-get update
apt-get install somepkg-from-repo
I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.
15
I ran into the same problem with an old Debian server. I could not event make an
apt-get update
which gave me the following error :
E: Release file expired, ignoring http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid since 1183d 0h 2min 51s)
Finally The solution was to add this :
Acquire::Check-Valid-Until false;
to /etc/apt/apt.conf (create it if it does not exist).
After this, the error became a simple warning.
I guess it might work on ubuntu too.
Please note that it is partially unsafe but still safer than disabling signature checks.
7
Maybe you can try to create the file /etc/apt/apt.conf (it will be read if you create it) and insert this code:
APT{Ignore {"gpg-pubkey"; }};
WolfgangM
- 528
4
after keep trying around, this helps finally. Force update from unsigned repository
From newer versions of Ubuntu, instead of --allow-unauthenticated, --allow-insecure-repositories can be used.
In order to perform an update the command would be this
sudo apt-get update --allow-insecure-repositories
toshilam
- 41
