How to download in advance the public key used to sign repository signatures

There are rare situations where you do not know which public key is required to verify repository signatures, but want to add the repository together with the public key used to sign it. Fortunately, there is an easy way to do that.

Install dirmngr using the following command to perform network operations as described here.

$ sudo apt-get install dirmngr --install-recommends
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  dbus-user-session pinentry-gnome3 tor
The following NEW packages will be installed:
  dirmngr
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 595 kB of archives.
After this operation, 1,110 kB of additional disk space will be used.
Get:1 http://ftp.task.gda.pl/debian stretch/main amd64 dirmngr amd64 2.1.18-8~deb9u1 [595 kB]
Fetched 595 kB in 0s (1,882 kB/s)
Selecting previously unselected package dirmngr.
(Reading database ... 26571 files and directories currently installed.)
Preparing to unpack .../dirmngr_2.1.18-8~deb9u1_amd64.deb ...
Unpacking dirmngr (2.1.18-8~deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up dirmngr (2.1.18-8~deb9u1) ...

Enable HTTPS protocol for APT as described here.

$ sudo apt-get install apt-transport-https
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 171 kB of archives.
After this operation, 243 kB of additional disk space will be used.
Get:1 http://ftp.task.gda.pl/debian stretch/main amd64 apt-transport-https amd64 1.4.8 [171 kB]
Fetched 171 kB in 0s (831 kB/s)         
Selecting previously unselected package apt-transport-https.
(Reading database ... 26565 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.4.8_amd64.deb ...
Unpacking apt-transport-https (1.4.8) ...
Setting up apt-transport-https (1.4.8) ...

I will add the RabbitMQ repository in this case.

$ echo "deb https://dl.bintray.com/rabbitmq/debian stretch main" | sudo tee /etc/apt/sources.list.d/bintray.rabbitmq.list

I will use the repository URL (https://dl.bintray.com/rabbitmq/debian) and distribution (stretch) to build the URL of the signature file, and then use that file to display the key ID.

Signature file URL address: https://dl.bintray.com/rabbitmq/debian/dists/stretch/Release.gpg

$ wget --quiet --output-document - https://dl.bintray.com/rabbitmq/debian/dists/stretch/Release.gpg | \
  gpg --no-default-keyring --list-packets -
# off=0 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 6B73A36E6026DFCA
	version 4, created 1516892013, md5len 0, sigclass 0x00
	digest algo 8, begin of digest 1a 8a
	hashed subpkt 2 len 4 (sig created 2018-01-25)
	subpkt 16 len 8 (issuer key ID 6B73A36E6026DFCA)
	data: [4095 bits]

Use apt-key to execute gpg and import the required public key.

$ sudo apt-key --keyring /etc/apt/trusted.gpg.d/rabbit.gpg adv --no-default-keyring --keyserver keyserver.ubuntu.com --recv 6B73A36E6026DFCA
Executing: /tmp/apt-key-gpghome.cwz9Z3ksiH/gpg.1.sh --no-default-keyring --keyserver keyserver.ubuntu.com --recv 6B73A36E6026DFCA
gpg: key 6B73A36E6026DFCA: public key "RabbitMQ Release Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Display the downloaded key or keys.

$ gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/rabbit.gpg --list-keys
/etc/apt/trusted.gpg.d/rabbit.gpg
---------------------------------
pub   4096R/6026DFCA 2016-05-17
uid                  RabbitMQ Release Signing Key <[email protected]>
sub   4096R/12EBCE19 2016-05-17

Update the package index.

$ sudo apt-get update
Ign:1 http://ftp.task.gda.pl/debian stretch InRelease
Hit:2 http://ftp.task.gda.pl/debian stretch-updates InRelease                 
Hit:3 http://ftp.task.gda.pl/debian stretch Release                           
Hit:4 http://security.debian.org/debian-security stretch/updates InRelease
Ign:5 https://dl.bintray.com/rabbitmq/debian stretch InRelease
Hit:6 https://dl.bintray.com/rabbitmq/debian stretch Release
Get:8 https://dl.bintray.com/rabbitmq/debian stretch Release.gpg [821 B]
Fetched 821 B in 1s (771 B/s)  
Reading package lists... Done

Simple as that.

Additional notes

Read my earlier "How to verify file integrity using GnuPG signature" and "How to download public key used to verify GnuPG signature for the repository" blog posts to automate this process and learn more about APT public key management. The following command combines the key ID lookup with the import.

$ sudo apt-key --keyring /etc/apt/trusted.gpg.d/rabbit.gpg \
               adv \
               --no-default-keyring \
               --keyserver keyserver.ubuntu.com \
               --recv $(wget --quiet \
                             --output-document - \
                             https://dl.bintray.com/rabbitmq/debian/dists/stretch/Release.gpg | \
                        gpg --no-default-keyring --list-packets - | \
                        awk '/^:/ {print $NF}')
Executing: /tmp/tmp.dBW4ZkZ6zn/gpg.1.sh --no-default-keyring
--keyserver
keyserver.ubuntu.com
--recv
6B73A36E6026DFCA
gpg: requesting key 6026DFCA from hkp server keyserver.ubuntu.com
gpg: key 6026DFCA: public key "RabbitMQ Release Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
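
In both the manual steps and the one-liner, the key ID is taken from the signature itself, so a successful import only shows that the keyserver holds a key with that ID. The following added example (not part of the original post) checks the signer key ID and the imported key's fingerprint against a fingerprint pinned out of band; the function names, PINNED_FPR value and sample inputs are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder; use the full
# fingerprint the repository owner publishes through a separate channel.
PINNED_FPR="0000000000000000000000006B73A36E6026DFCA"

# Signer key IDs from `gpg --list-packets` output on stdin (16 hex digits only).
signer_keyids() {
    awk '/^:signature packet:/ {
        for (i = 1; i < NF; i++)
            if ($i == "keyid" && length($(i+1)) == 16 && $(i+1) ~ /^[0-9A-Fa-f]+$/)
                print toupper($(i+1))
    }' | sort -u
}

# Primary-key fingerprints from `gpg --with-colons --fingerprint` output on stdin.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Succeed only if key ID $1 is the last 16 hex digits of 40-digit fingerprint $2.
keyid_matches_fingerprint() {
    kid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#kid}" -eq 16 ] && [ "${#fpr}" -eq 40 ] || return 1
    case "$kid$fpr" in *[!0-9A-F]*) return 1 ;; esac
    case "$fpr" in *"$kid") return 0 ;; *) return 1 ;; esac
}

# Constructed sample: signature packet line as printed on this page.
sample_packets() {
    printf '%s\n' '# off=0 ctb=89 tag=2 hlen=3 plen=540' \
        ':signature packet: algo 1, keyid 6B73A36E6026DFCA'
}

# Constructed sample: colon listing of the imported key (placeholder fingerprint).
sample_colons() {
    printf '%s\n' 'pub:-:4096:1:6B73A36E6026DFCA:1463443200:::-:::scESC:' \
        'fpr:::::::::0000000000000000000000006B73A36E6026DFCA:'
}

keyid=$(sample_packets | signer_keyids)
if keyid_matches_fingerprint "$keyid" "$PINNED_FPR" &&
   [ "$(sample_colons | primary_fingerprints)" = "$PINNED_FPR" ]; then
    echo "signer $keyid matches the pinned fingerprint"
else
    echo "signer $keyid does not match the pinned fingerprint" >&2
fi
```

In real use, pipe the output of `gpg --no-default-keyring --list-packets -` into signer_keyids, and the output of `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/rabbit.gpg --with-colons --fingerprint` into primary_fingerprints.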

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.