The difference between keys (recv-keys), signing keys and fingerprints in the APT/PPA system
Let's take ansible as an example. If you do click on the "Technical details about this PPA" link you see:

Signing key:
4096R/7BB9C367

Fingerprint:
6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367

If you try to add that software without adding the key you get

W: GPG error: http://ppa.launchpad.net trusty Release: The following signatures couldn't
be verified because the public key is not available: NO_PUBKEY 93C4A3FD7BB9C367

When I do apt-key list I see 4096R/7BB9C367. To add the key I need to do:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367

And the fingerprint doesn't seem to be mentioned anywhere. What is the difference between all these values?

Why do I not need to do apt-key ... --recv-keys if adding the PPA but I need to if manually adding the line to /etc/apt/sources.list.d? How does PPA know that 93C4A3FD7BB9C367 is what it needs to use, where does it find this?

Bonus round:

  • What is the difference between using a PPA vs just adding a line to /etc/apt/sources.list.d/?
  • Where is this PPA thing 'hosted' that just adding ppa:ansible/ansible is enough to add that line to sources.list.d?

Answer 1

I'll answer your last question first.

ppa:ansible/ansible is a special format that refers to a Launchpad PPA, usable on Ubuntu and Ubuntu derivatives (at least). In terms of functionality, a PPA is just a regular repository. However, this exact format cannot be added directly to /etc/apt/sources.list, because apt does not recognise it. Therefore the repository's URL has to be added instead. For example, the URL for ppa:teamName/archiveName is http://ppa.launchpad.net/teamName/archiveName/ubuntu

Usually either Software Updater or the terminal is used to add a PPA. Software Updater recognises the PPA syntax. In the terminal, apt-add-repository recognises the format and is normally used to add a PPA. This also fetches the public key used to sign the repository. If for some reason that cannot be done, you get a warning similar to the one you saw when running sudo apt-get update

As for the fingerprint: the full fingerprint of a public key is a 40-character alphanumeric representation of that key. Launchpad shows the full 40 characters. However, typing or remembering 40 characters is hard, especially when there are several public keys. Therefore only the last 8 or 16 characters are usually shown. apt shows the last 16 characters of the fingerprint, and apt-key list (which uses gpg in the background) shows the last 8 characters. The format gpg displays can be configured.
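The relationship the answer describes, as an added example that is not part of the original question or answer (it is my own POSIX shell script, not code from apt, gpg or Launchpad): it derives the 16-character and 8-character key IDs from the 40-character fingerprint, pulls the NO_PUBKEY value out of the apt warning, and checks that value against the published fingerprint before anything is fetched. The fingerprint and the warning wording are the ones quoted in the question; the keyring name and the /etc/apt/keyrings path are assumptions. The reason for the check: an 8-character short ID is only 32 bits, and keys with any chosen short ID can be generated, so a key fetched from a keyserver by short ID may not be the PPA's key at all. Fetch and verify by the full fingerprint. Note also that apt-key is deprecated in current Debian and Ubuntu releases; the commands the script emits put the key in a dedicated keyring referenced by signed-by instead.

```shell
#!/bin/sh
# Added example: relate a Launchpad fingerprint to the key IDs that apt and
# apt-key print, and verify an apt NO_PUBKEY value against the fingerprint
# before fetching anything. Not part of apt, gpg or Launchpad.

# Values quoted in the question (the ansible PPA on Launchpad).
LAUNCHPAD_FINGERPRINT="6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367"

# Constructed sample of the apt-get update warning, wording as in the question.
APT_WARNING="W: GPG error: http://ppa.launchpad.net trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 93C4A3FD7BB9C367"

# upper STRING -> STRING with hex digits upper-cased (gpg accepts either case)
upper() {
    printf '%s' "$1" | tr 'abcdef' 'ABCDEF'
}

# long_keyid FINGERPRINT -> last 16 hex digits: the "long" key ID apt prints after NO_PUBKEY
long_keyid() {
    upper "$1" | tail -c 16
}

# short_keyid FINGERPRINT -> last 8 hex digits: the "short" key ID apt-key list shows as 4096R/XXXXXXXX
short_keyid() {
    upper "$1" | tail -c 8
}

# nopubkey_from_warning TEXT -> the 16-digit key ID named in a NO_PUBKEY warning (empty if none)
nopubkey_from_warning() {
    printf '%s\n' "$1" \
        | sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]\{16\}\).*/\1/p' \
        | head -n 1 \
        | tr 'abcdef' 'ABCDEF'
}

# keyid_matches_fingerprint KEYID FINGERPRINT -> success only if KEYID is an 8- or 16-digit
# suffix of the 40-digit FINGERPRINT. A short ID is just 32 bits and keys with any chosen
# short ID can be generated, so this check is a sanity check, not proof of identity:
# the fetch itself must use the full fingerprint.
keyid_matches_fingerprint() {
    id=$(upper "$1")
    fp=$(upper "$2")
    [ ${#id} -eq 8 ] || [ ${#id} -eq 16 ] || return 1
    [ ${#fp} -eq 40 ] || return 1
    case "$fp" in
        *"$id") return 0 ;;
        *) return 1 ;;
    esac
}

# keyring_install_commands FINGERPRINT NAME -> the commands to fetch the key by its full
# fingerprint and install it as a dedicated apt keyring. The keyring path is an assumption;
# the matching sources line would then carry [signed-by=/etc/apt/keyrings/NAME.gpg].
keyring_install_commands() {
    fp=$(upper "$1")
    name=$2
    printf 'gpg --keyserver keyserver.ubuntu.com --recv-keys %s\n' "$fp"
    printf 'gpg --export %s | sudo tee /etc/apt/keyrings/%s.gpg >/dev/null\n' "$fp" "$name"
}

# Walk through the values from the question.
wanted=$(nopubkey_from_warning "$APT_WARNING")
echo "apt asks for NO_PUBKEY ${wanted}"
echo "fingerprint       : ${LAUNCHPAD_FINGERPRINT}"
echo "long key ID (apt) : $(long_keyid "$LAUNCHPAD_FINGERPRINT")"
echo "short key ID      : $(short_keyid "$LAUNCHPAD_FINGERPRINT")"
if keyid_matches_fingerprint "$wanted" "$LAUNCHPAD_FINGERPRINT"; then
    echo "NO_PUBKEY value is a suffix of the Launchpad fingerprint; install with:"
    keyring_install_commands "$LAUNCHPAD_FINGERPRINT" ansible
else
    echo "NO_PUBKEY value does not match the published fingerprint; do not fetch it" >&2
fi
```

Run it as-is to see the three forms of the same key side by side; in practice, replace the two constants with the fingerprint from the PPA's "Technical details" page and the warning from your own apt-get update run, and use the emitted commands rather than apt-key adv --recv-keys with the 16-character ID.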