Force update from unsigned repository Ubuntu 16.04












44















I using an unsigned repo in Ubuntu 16.04 from Debian multimedia
deb http://www.deb-multimedia.org jessie main



To install deb-multimedia-keyring I'm running
apt-get update && apt-get install deb-multimedia-keyring -y



This give an error



W: GPG error: http://www.deb-multimedia.org jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
E: The repository 'http://www.deb-multimedia.org jessie InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.


Thanks in advance










share|improve this question



























    44















    I using an unsigned repo in Ubuntu 16.04 from Debian multimedia
    deb http://www.deb-multimedia.org jessie main



    To install deb-multimedia-keyring I'm running
    apt-get update && apt-get install deb-multimedia-keyring -y



    This give an error



    W: GPG error: http://www.deb-multimedia.org jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
    E: The repository 'http://www.deb-multimedia.org jessie InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.


    Thanks in advance










    share|improve this question

























      44












      44








      44


      17






      I using an unsigned repo in Ubuntu 16.04 from Debian multimedia
      deb http://www.deb-multimedia.org jessie main



      To install deb-multimedia-keyring I'm running
      apt-get update && apt-get install deb-multimedia-keyring -y



      This give an error



      W: GPG error: http://www.deb-multimedia.org jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
      E: The repository 'http://www.deb-multimedia.org jessie InRelease' is not signed.
      N: Updating from such a repository can't be done securely, and is therefore disabled by default.
      N: See apt-secure(8) manpage for repository creation and user configuration details.


      Thanks in advance










      share|improve this question














      I using an unsigned repo in Ubuntu 16.04 from Debian multimedia
      deb http://www.deb-multimedia.org jessie main



      To install deb-multimedia-keyring I'm running
      apt-get update && apt-get install deb-multimedia-keyring -y



      This give an error



      W: GPG error: http://www.deb-multimedia.org jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
      E: The repository 'http://www.deb-multimedia.org jessie InRelease' is not signed.
      N: Updating from such a repository can't be done securely, and is therefore disabled by default.
      N: See apt-secure(8) manpage for repository creation and user configuration details.


      Thanks in advance







      apt repository aptitude






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 13 '16 at 1:13









      ShanShan

      323136




      323136






















          5 Answers
          5






          active

          oldest

          votes


















          29














          You can bypass some important safeguards by using the following option:



          --allow-unauthenticated


          From the man pages for apt-get:



          --allow-unauthenticated
          Ignore if packages can't be authenticated and don't prompt about
          it. This can be useful while working with local repositories, but
          is a huge security risk if data authenticity isn't ensured in
          another way by the user itself. The usage of the Trusted option for
          sources.list(5) entries should usually be preferred over this
          global override. Configuration Item:
          APT::Get::AllowUnauthenticated.


          But be a little cautious about using this option more widely, the safeguards are in place to protect your computer not limit your freedom...






          share|improve this answer


























          • I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

            – Timo
            Apr 2 '18 at 12:59













          • told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

            – Xerus
            May 12 '18 at 22:45








          • 12





            NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

            – Jay Taylor
            Jul 9 '18 at 2:29











          • @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

            – andrew.46
            Jul 9 '18 at 6:20






          • 1





            Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

            – Jay Taylor
            Jul 9 '18 at 18:59





















          28














          You can set options in your sources.list:



          deb [trusted=yes] http://www.deb-multimedia.org jessie main


          The trusted option is what turns off the GPG check. See man 5 sources.list for details.



          Ps: source.list is located at /etc/apt/sources.list






          share|improve this answer


























          • How do we access the sources.list from the terminal?

            – fuzzi
            Nov 20 '18 at 15:40











          • It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

            – Prathu Baronia
            Nov 20 '18 at 22:48



















          7














          Another generic solution would be



          sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117


          Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.



          Another solution specific to your case is to install the keys



          wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
          sudo dpkg -i multimedia-keyring_all.deb


          As described in the full walk through Here






          share|improve this answer































            3














            If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.



            The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (eg wget https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.



            echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

            sudo apt -o Acquire::AllowInsecureRepositories=true
            -o Acquire::AllowDowngradeToInsecureRepositories=true
            update

            ## if the 'apt update' above fails it is likely due to previously
            ## having the GPG key and repository on the system, you can clean
            ## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

            apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

            ## If you ever run `sudo apt-key del your-repos-keyID`
            ## you may have to `sudo apt remove --purge repo-keyring-pkgname`
            ## Update should run without the GPG warnings now that the key is installed

            apt-get update
            apt-get install somepkg-from-repo


            I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.






            share|improve this answer


























            • This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

              – Jürgen Weigert
              Apr 25 '18 at 18:05











            • That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

              – dragon788
              Apr 27 '18 at 1:24



















            2














            You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:



            gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
            gpg -a --export KEY_IN_ERROR | sudo apt-key add -


            Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.



            Also, if you are really interested in adding an unsigned repository, you can add the a flag in the desired repository entry in the sources.list like this:



            deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main


            This is really useful if you want to fine tune your security settings for an individual entries.






            share|improve this answer

























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "89"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f732985%2fforce-update-from-unsigned-repository-ubuntu-16-04%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              5 Answers
              5






              active

              oldest

              votes








              5 Answers
              5






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              29














              You can bypass some important safeguards by using the following option:



              --allow-unauthenticated


              From the man pages for apt-get:



              --allow-unauthenticated
              Ignore if packages can't be authenticated and don't prompt about
              it. This can be useful while working with local repositories, but
              is a huge security risk if data authenticity isn't ensured in
              another way by the user itself. The usage of the Trusted option for
              sources.list(5) entries should usually be preferred over this
              global override. Configuration Item:
              APT::Get::AllowUnauthenticated.


              But be a little cautious about using this option more widely, the safeguards are in place to protect your computer not limit your freedom...






              share|improve this answer


























              • I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

                – Timo
                Apr 2 '18 at 12:59













              • told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

                – Xerus
                May 12 '18 at 22:45








              • 12





                NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

                – Jay Taylor
                Jul 9 '18 at 2:29











              • @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

                – andrew.46
                Jul 9 '18 at 6:20






              • 1





                Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

                – Jay Taylor
                Jul 9 '18 at 18:59


















              29














              You can bypass some important safeguards by using the following option:



              --allow-unauthenticated


              From the man pages for apt-get:



              --allow-unauthenticated
              Ignore if packages can't be authenticated and don't prompt about
              it. This can be useful while working with local repositories, but
              is a huge security risk if data authenticity isn't ensured in
              another way by the user itself. The usage of the Trusted option for
              sources.list(5) entries should usually be preferred over this
              global override. Configuration Item:
              APT::Get::AllowUnauthenticated.


              But be a little cautious about using this option more widely, the safeguards are in place to protect your computer not limit your freedom...






              share|improve this answer


























              • I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

                – Timo
                Apr 2 '18 at 12:59













              • told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

                – Xerus
                May 12 '18 at 22:45








              • 12





                NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

                – Jay Taylor
                Jul 9 '18 at 2:29











              • @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

                – andrew.46
                Jul 9 '18 at 6:20






              • 1





                Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

                – Jay Taylor
                Jul 9 '18 at 18:59
















              29












              29








              29







              You can bypass some important safeguards by using the following option:



              --allow-unauthenticated


              From the man pages for apt-get:



              --allow-unauthenticated
              Ignore if packages can't be authenticated and don't prompt about
              it. This can be useful while working with local repositories, but
              is a huge security risk if data authenticity isn't ensured in
              another way by the user itself. The usage of the Trusted option for
              sources.list(5) entries should usually be preferred over this
              global override. Configuration Item:
              APT::Get::AllowUnauthenticated.


              But be a little cautious about using this option more widely, the safeguards are in place to protect your computer not limit your freedom...






              share|improve this answer















              You can bypass some important safeguards by using the following option:



              --allow-unauthenticated


              From the man pages for apt-get:



              --allow-unauthenticated
              Ignore if packages can't be authenticated and don't prompt about
              it. This can be useful while working with local repositories, but
              is a huge security risk if data authenticity isn't ensured in
              another way by the user itself. The usage of the Trusted option for
              sources.list(5) entries should usually be preferred over this
              global override. Configuration Item:
              APT::Get::AllowUnauthenticated.


              But be a little cautious about using this option more widely, the safeguards are in place to protect your computer not limit your freedom...







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Feb 11 '18 at 7:54

























              answered Feb 13 '16 at 1:29









              andrew.46andrew.46

              21.4k1469147




              21.4k1469147













              • I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

                – Timo
                Apr 2 '18 at 12:59













              • told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

                – Xerus
                May 12 '18 at 22:45








              • 12





                NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

                – Jay Taylor
                Jul 9 '18 at 2:29











              • @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

                – andrew.46
                Jul 9 '18 at 6:20






              • 1





                Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

                – Jay Taylor
                Jul 9 '18 at 18:59





















              • I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

                – Timo
                Apr 2 '18 at 12:59













              • told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

                – Xerus
                May 12 '18 at 22:45








              • 12





                NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

                – Jay Taylor
                Jul 9 '18 at 2:29











              • @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

                – andrew.46
                Jul 9 '18 at 6:20






              • 1





                Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

                – Jay Taylor
                Jul 9 '18 at 18:59



















              I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

              – Timo
              Apr 2 '18 at 12:59







              I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6.

              – Timo
              Apr 2 '18 at 12:59















              told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

              – Xerus
              May 12 '18 at 22:45







              told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated

              – Xerus
              May 12 '18 at 22:45






              12




              12





              NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

              – Jay Taylor
              Jul 9 '18 at 2:29





              NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018.

              – Jay Taylor
              Jul 9 '18 at 2:29













              @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

              – andrew.46
              Jul 9 '18 at 6:20





              @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: pastebin.com/ygLTnP1C

              – andrew.46
              Jul 9 '18 at 6:20




              1




              1





              Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

              – Jay Taylor
              Jul 9 '18 at 18:59







              Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :)

              – Jay Taylor
              Jul 9 '18 at 18:59















              28














              You can set options in your sources.list:



              deb [trusted=yes] http://www.deb-multimedia.org jessie main


              The trusted option is what turns off the GPG check. See man 5 sources.list for details.



              Ps: source.list is located at /etc/apt/sources.list






              share|improve this answer


























              • How do we access the sources.list from the terminal?

                – fuzzi
                Nov 20 '18 at 15:40











              • It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

                – Prathu Baronia
                Nov 20 '18 at 22:48
















              28














              You can set options in your sources.list:



              deb [trusted=yes] http://www.deb-multimedia.org jessie main


              The trusted option is what turns off the GPG check. See man 5 sources.list for details.



              Ps: source.list is located at /etc/apt/sources.list






              share|improve this answer


























              • How do we access the sources.list from the terminal?

                – fuzzi
                Nov 20 '18 at 15:40











              • It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

                – Prathu Baronia
                Nov 20 '18 at 22:48














              28












              28








              28







              You can set options in your sources.list:



              deb [trusted=yes] http://www.deb-multimedia.org jessie main


              The trusted option is what turns off the GPG check. See man 5 sources.list for details.



              Ps: source.list is located at /etc/apt/sources.list






              share|improve this answer















              You can set options in your sources.list:



              deb [trusted=yes] http://www.deb-multimedia.org jessie main


              The trusted option is what turns off the GPG check. See man 5 sources.list for details.



              Ps: source.list is located at /etc/apt/sources.list







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Dec 22 '18 at 17:16









              Tshilidzi Mudau

              3,55831727




              3,55831727










              answered Jun 29 '18 at 20:17









              Prathu BaroniaPrathu Baronia

              548410




              548410













              • How do we access the sources.list from the terminal?

                – fuzzi
                Nov 20 '18 at 15:40











              • It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

                – Prathu Baronia
                Nov 20 '18 at 22:48



















              • How do we access the sources.list from the terminal?

                – fuzzi
                Nov 20 '18 at 15:40











              • It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

                – Prathu Baronia
                Nov 20 '18 at 22:48

















              How do we access the sources.list from the terminal?

              – fuzzi
              Nov 20 '18 at 15:40





              How do we access the sources.list from the terminal?

              – fuzzi
              Nov 20 '18 at 15:40













              It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

              – Prathu Baronia
              Nov 20 '18 at 22:48





              It is located in /etc/apt/sources.list. You can either edit it within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

              – Prathu Baronia
              Nov 20 '18 at 22:48











              7














              Another generic solution would be



              sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117


              Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.



              Another solution specific to your case is to install the keys



              wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
              sudo dpkg -i multimedia-keyring_all.deb


              As described in the full walk through Here






              share|improve this answer




























                7














                Another generic solution would be



                sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117


                Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.



                Another solution specific to your case is to install the keys



                wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
                sudo dpkg -i multimedia-keyring_all.deb


                As described in the full walk through Here






                share|improve this answer


























                  7












                  7








                  7







                  Another generic solution would be



                  sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117


                  Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.



                  Another solution specific to your case is to install the keys



                  wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
                  sudo dpkg -i multimedia-keyring_all.deb


                  As described in the full walk through Here






                  share|improve this answer













                  Another generic solution would be



                  sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117


                  Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.



                  Another solution specific to your case is to install the keys



                  wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
                  sudo dpkg -i multimedia-keyring_all.deb


                  As described in the full walk through Here







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 6 '17 at 19:45









                  fady mohamed osmanfady mohamed osman

                  28934




                  28934























                      3














                      If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.



                      The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (eg wget https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.



                      echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

                      sudo apt -o Acquire::AllowInsecureRepositories=true
                      -o Acquire::AllowDowngradeToInsecureRepositories=true
                      update

                      ## if the 'apt update' above fails it is likely due to previously
                      ## having the GPG key and repository on the system, you can clean
                      ## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

                      apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

                      ## If you ever run `sudo apt-key del your-repos-keyID`
                      ## you may have to `sudo apt remove --purge repo-keyring-pkgname`
                      ## Update should run without the GPG warnings now that the key is installed

                      apt-get update
                      apt-get install somepkg-from-repo


                      I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.






                      share|improve this answer


























                      • This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

                        – Jürgen Weigert
                        Apr 25 '18 at 18:05











                      • That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

                        – dragon788
                        Apr 27 '18 at 1:24
















                      3














                      If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.



                      The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (eg wget https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.



                      echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

                      sudo apt -o Acquire::AllowInsecureRepositories=true
                      -o Acquire::AllowDowngradeToInsecureRepositories=true
                      update

                      ## if the 'apt update' above fails it is likely due to previously
                      ## having the GPG key and repository on the system, you can clean
                      ## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

                      apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

                      ## If you ever run `sudo apt-key del your-repos-keyID`
                      ## you may have to `sudo apt remove --purge repo-keyring-pkgname`
                      ## Update should run without the GPG warnings now that the key is installed

                      apt-get update
                      apt-get install somepkg-from-repo


                      I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.






                      share|improve this answer


























                      • This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

                        – Jürgen Weigert
                        Apr 25 '18 at 18:05











                      • That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

                        – dragon788
                        Apr 27 '18 at 1:24














                      3












                      3








                      3







                      If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.



                      The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (eg wget https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.



                      echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

                      sudo apt -o Acquire::AllowInsecureRepositories=true
                      -o Acquire::AllowDowngradeToInsecureRepositories=true
                      update

                      ## if the 'apt update' above fails it is likely due to previously
                      ## having the GPG key and repository on the system, you can clean
                      ## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

                      apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

                      ## If you ever run `sudo apt-key del your-repos-keyID`
                      ## you may have to `sudo apt remove --purge repo-keyring-pkgname`
                      ## Update should run without the GPG warnings now that the key is installed

                      apt-get update
                      apt-get install somepkg-from-repo


                      I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.






                      share|improve this answer















                      If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.



                      The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (eg wget https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.



                      echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

                      sudo apt -o Acquire::AllowInsecureRepositories=true
                      -o Acquire::AllowDowngradeToInsecureRepositories=true
                      update

                      ## if the 'apt update' above fails it is likely due to previously
                      ## having the GPG key and repository on the system, you can clean
                      ## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

                      apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

                      ## If you ever run `sudo apt-key del your-repos-keyID`
                      ## you may have to `sudo apt remove --purge repo-keyring-pkgname`
                      ## Update should run without the GPG warnings now that the key is installed

                      apt-get update
                      apt-get install somepkg-from-repo


                      I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Nov 15 '17 at 17:08









                      derHugo

                      2,29021429




                      2,29021429










                      answered Sep 1 '17 at 20:10









                      dragon788dragon788

                      556211




                      556211













                      • This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

                        – Jürgen Weigert
                        Apr 25 '18 at 18:05











                      • That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

                        – dragon788
                        Apr 27 '18 at 1:24



















                      • This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

                        – Jürgen Weigert
                        Apr 25 '18 at 18:05











                      • That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

                        – dragon788
                        Apr 27 '18 at 1:24

















                      This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

                      – Jürgen Weigert
                      Apr 25 '18 at 18:05





                      This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like ... Release is not valid yet (invalid for another 44min 35s). Updates for this repository will not be applied. Even after rm-ing the /var/lib/apt/lists/* things...

                      – Jürgen Weigert
                      Apr 25 '18 at 18:05













                      That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

                      – dragon788
                      Apr 27 '18 at 1:24





                      That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet.

                      – dragon788
                      Apr 27 '18 at 1:24











                      2














                      You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:



                      gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
                      gpg -a --export KEY_IN_ERROR | sudo apt-key add -


                      Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.



                      Also, if you are really interested in adding an unsigned repository, you can add the a flag in the desired repository entry in the sources.list like this:



                      deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main


                      This is really useful if you want to fine tune your security settings for an individual entries.






                      share|improve this answer






























                        2














                        You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:



                        gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
                        gpg -a --export KEY_IN_ERROR | sudo apt-key add -


                        Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.



                        Also, if you are really interested in adding an unsigned repository, you can add the a flag in the desired repository entry in the sources.list like this:



                        deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main


                        This is really useful if you want to fine tune your security settings for an individual entries.






                        share|improve this answer




























                          2












                          2








                          2







                          You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:



                          gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
                          gpg -a --export KEY_IN_ERROR | sudo apt-key add -


                          Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.



                          Also, if you are really interested in adding an unsigned repository, you can add the a flag in the desired repository entry in the sources.list like this:



                          deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main


                          This is really useful if you want to fine tune your security settings for an individual entries.






                          share|improve this answer















                          You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:



                          gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
                          gpg -a --export KEY_IN_ERROR | sudo apt-key add -


                          Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.



                          Also, if you are really interested in adding an unsigned repository, you can add the a flag in the desired repository entry in the sources.list like this:



                          deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main


                          This is really useful if you want to fine tune your security settings for an individual entries.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited May 6 '18 at 11:17

























                          answered May 4 '18 at 6:05









                          leonidasleonidas

                          212




                          212






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Ask Ubuntu!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f732985%2fforce-update-from-unsigned-repository-ubuntu-16-04%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Ellipse (mathématiques)

                              Quarter-circle Tiles

                              Mont Emei