如何在 Debian Wheezy 服务器上更新 GPG 密钥环

tag-icon tag-icon debian-wheezy gpg
如何在 Debian Wheezy 服务器上更新 GPG 密钥环

我正在尝试为一些开发设置一个 Dockerized Wheezy,但生产服务器仍然使用这个旧的未维护的 Debian 版本。

我遇到的主要问题是检查官方档案库的 GPG 签名。

从官方 docker 镜像开始,将 /etc/apt/sources.list 替换为

deb http://archive.debian.org/debian wheezy main

如果我尝试,apt-get update我会得到结果:

W: GPG error: http://archive.debian.org wheezy Release: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673 KEYEXPIRED 1557241909

使用以下方法检查 GPG 密钥apt-key list | grep expired

gpg: /etc/apt//trustdb.gpg: trustdb created
pub   4096R/2B90D010 2014-11-21 [expired: 2022-11-19]
pub   4096R/C857C906 2014-11-21 [expired: 2022-11-19]
pub   4096R/518E17E1 2013-08-17 [expired: 2021-08-15]
pub   4096R/473041FA 2010-08-27 [expired: 2018-03-05]
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
pub   4096R/46925553 2012-04-27 [expired: 2020-04-25]
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]

因此我更新了其中的大部分apt-key adv --recv-keys --keyserver keyserver.ubuntu.com $(apt-key list | grep expired | sed -E 's=[^/]+/([^ ]+).*=\1=g' | tr '\n' ' ')但仍然从 apt-key 列表中得到这个结果:

pub   4096R/518E17E1 2013-08-17 [expired: 2021-08-15]
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
pub   4096R/65FFB764 2012-05-08 [expired: 2019-05-07]

现在呼吁apt-get update给予W: GPG error: http://archive.debian.org wheezy Release: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1668891673 KEYEXPIRED 1557241909

然后我尝试获取官方的 debian keyring deb,但看起来无法安装

dpkg -i /tmp/debian-archive-keyring_2023.4_all.deb 
dpkg-deb: error: archive '/tmp/debian-archive-keyring_2023.4_all.deb' contains not understood data member control.tar.xz, giving up
dpkg: error processing /tmp/debian-archive-keyring_2023.4_all.deb (--install):
subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
  /tmp/debian-archive-keyring_2023.4_all.deb

apt-get --allow-unauthenticated update不起作用,也不替换 source.list 文件内容

deb [trusted=yes] http://archive.debian.org/debian wheezy main

那么有没有办法更新这些 GPG 密钥或让 apt 不再检查它们?

如果你有可用的docker,遇到问题的最简单方法是:

>docker run -it debian:7.11 bash
root@f391e03326c6:/# echo "deb http://archive.debian.org/debian wheezy main" > /etc/apt/sources.list
root@f391e03326c6:/# apt-get update --allow-unauthenticated

答案1

Debian 7 “Wheezy” 已经生命尽头自 2018 年 5 月起已超过五年。因此,过期的 PGP 密钥将不会续订或替换。您可以使用apt-get--allow-unauthenticated但您真的应该升级到仍然维护的发行版. 来自 manapt-get(8)

--allow-unauthenticated

Trusted如果无法验证包, 则忽略,并且不提示。这在使用本地存储库时很有用,但如果用户自己没有以其他方式确保数据真实性,则会带来巨大的安全风险。来源列表(5)通常应优先于此全局覆盖条目。配置项:APT::Get::AllowUnauthenticated

相关内容