How to untrust an Apt key in Debian Linux?


How can I untrust an apt key in Debian Linux, or prevent keys from being silently added via apt-key (as most commercial packages do in their postinst scripts)?

If I run apt-key adv --edit-key ... trust, it seems to have no effect:

# apt-key adv --edit-key D38B4796 trust
Executing: /tmp/apt-key-gpghome.poumWAEgYJ/gpg.1.sh --edit-key D38B4796 trust
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/7721F63BD38B4796
     created: 2016-04-12  expires: never       usage: SC  
sub  rsa4096/1397BC53640DB551
     created: 2016-04-12  expires: 2019-04-12  usage: S   
sub  rsa4096/6494C6D6997C215E
     created: 2017-01-24  expires: 2020-01-24  usage: S   
[ unknown] (1). Google Inc. (Linux Packages Signing Authority) <[email protected]>

pub  rsa4096/7721F63BD38B4796
     created: 2016-04-12  expires: never       usage: SC  
sub  rsa4096/1397BC53640DB551
     created: 2016-04-12  expires: 2019-04-12  usage: S   
sub  rsa4096/6494C6D6997C215E
     created: 2017-01-24  expires: 2020-01-24  usage: S   
[ unknown] (1). Google Inc. (Linux Packages Signing Authority) <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 2

pub  rsa4096/7721F63BD38B4796
     created: 2016-04-12  expires: never       usage: SC  
sub  rsa4096/1397BC53640DB551
     created: 2016-04-12  expires: 2019-04-12  usage: S   
sub  rsa4096/6494C6D6997C215E
     created: 2017-01-24  expires: 2020-01-24  usage: S   
[ unknown] (1). Google Inc. (Linux Packages Signing Authority) <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg>

So when I re-run apt-key list, the trust level is still unknown:

# apt-key list D38B4796
pub   rsa4096 2016-04-12 [SC]
      EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid           [ unknown] Google Inc. (Linux Packages Signing Authority) <[email protected]>
sub   rsa4096 2016-04-12 [S] [expires: 2019-04-12]
sub   rsa4096 2017-01-24 [S] [expires: 2020-01-24]

Answer 1

As far as I can tell, trust settings on keys have no effect on apt. Trust in this context refers to the value given to signatures of other keys made with the given key; it is about transitive trust in the web of trust, not about trust in the validity of package signatures (or rather, repository signatures) made with the given key.

To "untrust" a repository key, you need to delete it.

To prevent packages from installing new keyrings, you can add a file to /etc/dpkg/dpkg.cfg.d/, e.g. no-new-keyrings, containing

# Skip installation of new keyrings by default, but allow Debian keyrings
path-exclude=/etc/apt/trusted.gpg.d/*
path-include=/etc/apt/trusted.gpg.d/debian-archive-*

This won't prevent the use of apt-key; to achieve that for packages which install keys, you would probably need to write a wrapper.
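To see what the path-exclude/path-include pair above actually blocks, here is an added example (not part of the answer above) that reproduces dpkg's two glob rules with the shell's own pattern matching and uses them to audit a keyring directory: keyrings matching the debian-archive-* include rule are reported as allowed, anything else under /etc/apt/trusted.gpg.d/ as excluded, and paths outside that directory as untouched. The directory and file names in the demo are constructed for illustration; the real audit target would be /etc/apt/trusted.gpg.d/.

```shell
#!/bin/sh
# Added example, not from the original post: audit which keyrings would be
# blocked by the dpkg path-exclude / path-include rules shown in the answer.
# dpkg applies its path-exclude/path-include globs in order, with the last
# matching rule winning; here that is modelled with a case statement whose
# first arm is the more specific include pattern.

# Classify one keyring path against the two rules from the answer.
# Prints "allowed" (matches the debian-archive-* include), "excluded"
# (matches only the trusted.gpg.d exclude) or "untouched" (neither applies).
classify_keyring() {
    case "$1" in
        /etc/apt/trusted.gpg.d/debian-archive-*) echo allowed ;;
        /etc/apt/trusted.gpg.d/*)                echo excluded ;;
        *)                                       echo untouched ;;
    esac
}

# List the keyrings in a directory that are NOT Debian archive keys, i.e. the
# third-party keys apt currently trusts and that the rules would keep out of
# future package installs. Each name is printed on its own line.
list_third_party_keyrings() {
    dir="$1"
    for f in "$dir"/*.gpg "$dir"/*.asc; do
        # Skip the literal pattern left behind when nothing matches.
        [ -e "$f" ] || continue
        # Map the on-disk file onto its canonical apt location for matching.
        canonical="/etc/apt/trusted.gpg.d/$(basename "$f")"
        if [ "$(classify_keyring "$canonical")" = excluded ]; then
            basename "$f"
        fi
    done
    return 0
}

# Demo on a constructed temporary directory (no root required).
demo_dir=$(mktemp -d)
touch "$demo_dir/debian-archive-bullseye-stable.gpg" \
      "$demo_dir/vendor-example.gpg"
list_third_party_keyrings "$demo_dir"   # prints: vendor-example.gpg
rm -rf "$demo_dir"
```

Point the second function at the real /etc/apt/trusted.gpg.d/ to get the list of keys that the answer's removal advice applies to; any key listed there is trusted for every repository, which is why deleting it (rather than editing its GnuPG trust level) is the only way to stop apt honouring it.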
