How do I correctly setup a 3rd party repository with a 3rd party key without adding it to the global GPG keyring if I only have their keyid?

I have a 3rd party software that is installed from their own repository and requires a custom key configured. Instead of adding their key to the global keyring, how do I correctly setup the key to be used only for that repository?

Typical error message would look like this:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D208507CA14F4FCA

1

1 Answer

The keyserver.ubuntu.com can be used to retrieve the key, but you must manually confirm that the key is correct before proceeding:

enter image description here

sudo -H gpg --keyserver keyserver.ubuntu.com --recv-keys D208507CA14F4FCA

This command puts the key in your global keyring, and is an intermediate step to export it. The key will be removed at a later step.

-H is needed to handle permissions issue regarding sudo and the HOME directory

Next is a sequence of commands to export the keyring

sudo -H gpg --export --output erlang.gpg D208507CA14F4FCA
mkdir -p /usr/local/share/keyrings
mv ./erlang.gpg /usr/local/share/keyrings/

And then remove the key from the keyring

sudo -H gpg --batch --yes --delete-key D208507CA14F4FCA

Create a subdirectory for sources.list and add the new config to it:

mkdir -p /etc/apt/sources.list.d
echo "deb [signed-by=/usr/local/share/keyrings/erlang.gpg] $(lsb_release -s -c) contrib" > /etc/apt/sources.list.d/erlang.list

Note that add-apt-repository doesn't currently support the [signed-by] option

This process sets up the key for just that repository, limited the risk of a compromised 3rd party key from affecting unrelated repositories.

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like