Devuan VUA: Repository APT and DEB tricks and tips
APT auto GPG checks updates
Repositories for Devuan are signed with GPG keys so that apt can verify their integrity.
When the main repository archive has to be signed by a new key that your system does not know about, this is managed and announced by updating and upgrading the devuan-keyring and debian-archive-keyring packages, after which any warning will go away.
APT bypass GPG checks
Since secure apt was introduced, the GPG checks should not be bypassed, because doing so implies a security risk: the GPG check verifies the integrity of the related files. Some cases are special, however, so there are two scopes in which to do it:
1) FOR REPOSITORIES AS COMMON CASES:
Repository PGP signing is the most used mechanism. The keys used to sign the main repository archive have changed a couple of times, so there is an option to bypass the checks if some GPG keys are still older, failed or missing:
Add this to the command:
-o Acquire::Check-Valid-Until=false
For example:
sudo apt-get -o Acquire::Check-Valid-Until=false update
This bypasses the check when the repository's signed metadata is expired or older and has not yet been refreshed; the option turns off apt's Valid-Until check on the Release file.
2) FOR PACKAGES ONLY:
Package signatures exist but are not widely used (we use secure apt instead for complete repositories); a package called debsig-verify checks for signatures embedded inside individual Debian packages.
Pass the --allow-unauthenticated option to apt-get, as in:
sudo apt-get --allow-unauthenticated upgrade
From the apt-get manual page:
--allow-unauthenticated
Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item: APT::Get::AllowUnauthenticated.
You can make this setting permanent by using your own config file in the /etc/apt/apt.conf.d/ directory. The filename can be 99myown, and it may contain this line:
APT::Get::AllowUnauthenticated "true";
This permits installing from a repository for which you do not yet have the GPG key to verify it.
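Because a drop-in file such as 99myown keeps the bypass active long after the special case has passed, it is worth checking what apt currently has in effect. The following is an added example, not part of the original page: the function names audit_apt_dump, is_true, is_false and sample_dump are hypothetical, and the input is assumed to be the normalized Key "value"; lines that apt-config dump prints.

```shell
#!/bin/sh
# Added example: flag the two verification-relaxing settings discussed above.
# Reads normalized `Key "value";` lines (the format `apt-config dump` prints) on stdin.

# apt's boolean words: yes/true/with/on/enable/1 and no/false/without/off/disable/0
is_true()  { case "$1" in 1|yes|true|with|on|enable) return 0;; esac; return 1; }
is_false() { case "$1" in 0|no|false|without|off|disable) return 0;; esac; return 1; }

audit_apt_dump() {
    findings=0
    while IFS= read -r line; do
        # Split `Key "value";` into key and value
        key=${line%% *}
        val=${line#*\"}; val=${val%%\"*}
        # Option names and boolean words are matched case-insensitively
        key_lc=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        val_lc=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')
        case "$key_lc" in
            apt::get::allowunauthenticated)
                if is_true "$val_lc"; then
                    echo "WEAK: $key=$val (unauthenticated packages install without a prompt)"
                    findings=$((findings + 1))
                fi ;;
            acquire::check-valid-until)
                if is_false "$val_lc"; then
                    echo "WEAK: $key=$val (expired Release files are accepted)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    # Exit status 0 only when nothing was flagged
    [ "$findings" -eq 0 ]
}

# Constructed sample input so the check can be tried offline
sample_dump() {
cat <<'EOF'
APT::Install-Recommends "1";
APT::Get::AllowUnauthenticated "true";
Acquire::Check-Valid-Until "false";
EOF
}

# On a live system: apt-config dump | audit_apt_dump
```

A non-zero exit status means at least one of the two settings is active; removing the drop-in file and running the update normally restores the default checks.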