All of the key-servers I visit are timing out. I need to install packages without checking the signatures of the public keys. Is there a way to bypass all the signature checks/ignore all of the signature errors or fool apt into thinking the signature passed?
1 Normally you would install the key locally at the same time as you add a repository, so why do you need to access the key-servers? – JanC Nov 01 '11 at 11:45
6 Answers
Pass the --allow-unauthenticated option to apt-get, as in:
sudo apt-get --allow-unauthenticated upgrade
From the manual page of apt-get:
--allow-unauthenticated
Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.
You can make this setting permanent by using your own config file at /etc/apt/apt.conf.d/ dir. The filename can be 99myown and it may contain this line:
APT::Get::AllowUnauthenticated "true";
In this way, you don't need to use the option every time you want to install software. Note: I do not recommend setting this option by default, it bypasses signature checks that could allow an adversary to compromise your computer.
15 For info: This works with apt-get but not with the plain apt command. – Tor Klingberg Nov 21 '16 at 13:38
1 Doesn't work on debian 10 either, see the answer below with Acquire:: – anymous.asker Jul 23 '21 at 01:40
If you are trying to get a package from a repository where they packaged the keys and include them within the repository and nowhere else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.
The below script is not recommended if you can install the keys from a keyserver or download them from a trusted source via https, but if you don't have ANY other way, you can use this.
echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list
sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update
## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`
sudo apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname
## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed
sudo apt-get update
sudo apt-get install somepkg-from-repo
I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6
and avoid all the extra package hassles.
Came here because of the i3 issue - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 solved it! Thanks a lot! – Benedikt Köppel Apr 28 '18 at 09:42
This is the only answer that will do for repositories which do not sign their keys. – anymous.asker Feb 11 '22 at 21:46
I ran into the same problem with an old Debian server. I could not even make an apt-get update, which gave me the following error:
E: Release file expired, ignoring http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid since 1183d 0h 2min 51s)
Finally, the solution was to add this:
Acquire::Check-Valid-Until false;
to /etc/apt/apt.conf (create it if it does not exist). After this, the error became a simple warning.
I guess it might work on Ubuntu too.
Please note that it is partially unsafe but still safer than disabling signature checks.
10 The safe way to do this is to upgrade the distro. In some complicated customer cases, you have no way to upgrade. And since the whole question is started with this disclaimer: 'I am very well aware it is dangerous to do this', I thought my contribution was appropriate. If not, I can remove it. – Gnusam Jun 12 '19 at 09:01
1 There is nothing wrong with forcing expired keys to continue to work. Expiration does not mean that keys were compromised. Only that somebody forgot to update them. But you still get signature checks. – Mitar Apr 28 '23 at 16:28
2 This is less unsafe than disabling key checks. repos don't turn into a pumpkin at midnight. There's vast differences between the security posture of key expiry, key revoked, and key not in keyring. Browser behaviour teaches the wrong trust policy because browser trust policy is very broken. – Wil Aug 04 '23 at 21:51
Maybe you can try to create the file /etc/apt/apt.conf (it will be read if you create it) and insert this code:
APT{Ignore {"gpg-pubkey"; }};
6 It doesn't work for me. But works when I added
APT { Get { AllowUnauthenticated "1"; }; };
– php-coder Apr 17 '13 at 10:59
After trying around, this finally helps. Force update from unsigned repository
From newer versions of Ubuntu, instead of --allow-unauthenticated, --allow-insecure-repositories can be used.
In order to perform an update the command would be this
sudo apt-get update --allow-insecure-repositories
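An added example, not part of any answer above and not apt's own code: a small audit that finds the verification-weakening options quoted in these answers when they have been left in /etc/apt/apt.conf or /etc/apt/apt.conf.d/, in either the flat or the nested syntax. The function names and the sample text are constructed for illustration, and the set of words treated as "true" is an assumption about apt's boolean parsing.

```python
import re
from pathlib import Path

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|#[^\n]*|/\*.*?\*/|[{};]|[^\s{};"]+', re.S)
TRUE_WORDS = {"yes", "true", "with", "on", "enable"}  # assumption: apt's boolean words
RISKY = {  # lower-cased option -> boolean value that weakens verification
    "apt::get::allowunauthenticated": True,
    "acquire::allowinsecurerepositories": True,
    "acquire::allowdowngradetoinsecurerepositories": True,
    "acquire::check-valid-until": False,
}

def parse(text):
    """Flatten flat and nested apt.conf syntax into {lower-cased name: value}."""
    settings, scope, pending = {}, [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(("//", "#", "/*")):  # comments and # directives
            continue
        if tok == "{":
            scope, pending = scope + pending[:1], []
        elif tok == "}":
            scope, pending = scope[:-1], []
        elif tok == ";":
            if len(pending) == 2:  # name + value; bare list items are ignored
                name = "::".join(scope + pending[:1]).lower()
                settings[name] = pending[1].strip('"')
            pending = []
        else:
            pending.append(tok)
    return settings

def is_true(value):
    return value.lower() in TRUE_WORDS or (value.isdigit() and int(value) != 0)

def audit(text):
    """Return sorted option names set to a value that weakens verification."""
    return sorted(k for k, v in parse(text).items() if RISKY.get(k) == is_true(v))

# Constructed sample using the flat, nested and list forms quoted on this page.
SAMPLE = '''APT::Get::AllowUnauthenticated "true";
APT { Get { AllowUnauthenticated "1"; }; };
APT{Ignore {"gpg-pubkey"; }};
Acquire::Check-Valid-Until false;
'''

if __name__ == "__main__":
    print("sample:", audit(SAMPLE))
    paths = [Path("/etc/apt/apt.conf"), *sorted(Path("/etc/apt/apt.conf.d").glob("*"))]
    for p in filter(Path.is_file, paths):
        print(p, audit(p.read_text(errors="replace")))
```

Options passed with -o on the command line, as in the script above, never reach these files, so shell history and provisioning scripts need a separate check.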