1. Overview

Unsigned repositories can contain packages not verified by the operating system, thus, posing a security risk. However, there are times when we may need to install a Debian package from an unsigned repository, such as when the package is not available in the signed repositories or when we trust the source.

In this tutorial, we’ll discuss how to install a Debian package from an unsigned repository.

2. Adding the Unsigned Repository

We start by adding the unsigned repository. To do this, we need to edit the /etc/apt/sources.list file. This file contains a list of repositories used by the Advanced Package Tool (APT) to install packages. We can add a new repository by appending the repository URL to the end of the file. Let’s go through this step by step.

First, we need to open the sources.list file using a text editor with administrative privileges. For the purpose of this article, we’ll use the nano editor:

$ sudo nano /etc/apt/sources.list

Next, we need to append the repository URL to the end of the file. We’ll have to obtain the repository URL from the source of the package. For example, let’s add the repository for the package example-package by appending the following line to the end of the opened file:

deb http://example-repo.com/debian/ stretch main

In this example, stretch is the codename for the Debian distribution that we’re using. We can replace it with the codename of our distribution. Then, we save the file and exit the text editor.

Now, let’s update the APT package index to include the packages from the newly added repository:

$ sudo apt update

With this, we have successfully added the package to our repository.

3. Verifying the Package’s Authenticity

Now that we’ve added the unsigned repository, we check the package’s authenticity before installing it. Since the repository is unsigned, we should take extra caution to ensure the package is legitimate.

We can check the package by downloading its source code and verifying it using a checksum or a cryptographic signature.

3.1. Using a Checksum

A checksum is a mathematical calculation used to verify the integrity of a file. It is a unique value generated based on a file’s contents. Let’s see how to verify the package using a checksum.

We start by downloading the source code of the package from the repository using the wget command. Let’s download the source code of the package named mypackage from the repository at http://example.com/repo/:

$ wget http://example.com/repo/mypackage.tar.gz

Next, we need to look for the checksum file that’s usually available alongside the source code. This file contains the checksum value of the package. The filename usually has the extension .sha256 or .md5. Let’s use the ls command to list the files in the current directory and look for the checksum file:

$ ls
mypackage.tar.gz mypackage.tar.gz.sha256

In this case, our checksum file is named mypackage.tar.gz.sha256.

To calculate the checksum value of the downloaded package, we use a tool like sha256sum or md5sum. Let’s calculate the SHA-256 checksum of the package mypackage.tar.gz:

$ sha256sum mypackage.tar.gz
6b172a535540f30d90f7e70b0aa193d61ce15b9d8cbf23614f34bf5e5f5b5e8d  mypackage.tar.gz

As we can see, the output consists of two parts: the checksum value and the filename. The checksum value is a long string of characters that uniquely identifies the package.

Finally, we compare the calculated checksum value of the package with the checksum value in the checksum file. If they match, the package is legitimate.

We can use the diff command to compare the two checksum values. Let’s compare the calculated SHA-256 checksum value with the value in the file mypackage.tar.gz.sha256:

$ diff <(sha256sum mypackage.tar.gz | awk '{print $1}') mypackage.tar.gz.sha256

If we don’t have any output, that means the two checksum values match, and verification is successful. We can then proceed with installing the package.

On the other hand, if we have an output that looks like this (a string):

1c39d77808d10e7b101e10f41dc7e4cf2344e1d4cb029ad20a6f36dcb2d8d7b1 /dev/fd/63

This means the checksum values don’t match, and we should stop installing the package to investigate further.

3.2. Using a Cryptographic Signature

A cryptographic signature is a digital signature that ensures the authenticity and integrity of a file. It is created using a private key and can be verified using a public key. Let’s see how to verify our package by using a cryptographic signature.

We start by downloading the public key of the package maintainer from a trusted source:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 12345678

In the above command, we replace 12345678 with the actual key ID of the package maintainer. We can find this key ID on the package maintainer’s website or other trusted sources. Let’s check the output:

Executing: /tmp/apt-key-gpghome.1Cv7PGfoeL/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 12345678
gpg:  key 12345678: public key "Package Maintainer <[email protected]>" imported
gpg:  Total number processed: 1
gpg:  imported: 1

Now, let’s import the public key into our system’s keyring:

$ sudo apt-key add /path/to/public/key/file

In the above command, we replace the /path/to/public/key/file with the actual path to the public key file we just downloaded. If it’s successful, we have “OK” as our output.

Next, let’s download the package and its corresponding signature file from the repository:

$ wget https://repository.example.com/pool/main/p/package-name/package-name_1.0.0_amd64.deb 
$ wget https://repository.example.com/pool/main/p/package-name/package-name_1.0.0_amd64.deb.asc

Don’t forget we have to replace https://repository.example.com with the actual URL of the repository and package-name_1.0.0_amd64.deb with the actual name of the package.

Finally, let’s verify the package using the signature file and the public key:

$ gpg --verify package-name_1.0.0_amd64.deb.asc package-name_1.0.0_amd64.deb
gpg:  Signature made Wed 01 Dec 2021 09:13:27 AM PST
gpg:  using RSA key 12345678
gpg:  Good signature from "Package Maintainer <[email protected]>" [unknown]

If our output shows “Good signature” as we can see, the package is legitimate, and we can proceed with the installation.

4. Allow Unauthenticated Packages

By default, APT will not install packages from an unsigned repository. We have to tell APT to allow insecure packages from a repository by using the –allow-insecure-repositories option with the apt command:

$ sudo apt update --allow-insecure-repositories

With this command, the package list will be updated, and we can now install packages from the unauthenticated repository.

5. Installing the Package

Now that we have verified the integrity of the package, let’s proceed to install it by using the apt command. For example, let’s install the example-package package from the unsigned repository:

$ sudo apt install example-package

APT will prompt us to confirm the installation, and we should carefully review the packages that will be installed to ensure that they are legitimate. We should also ensure that we have enough disk space and that no conflicting packages or dependencies might cause issues during installation.

Once we have reviewed the installation prompt, we can confirm the installation by typing “Y” and pressing Enter. The APT package manager will download the package and all its dependencies from the repository, then it’ll install them on our system so that they’re ready to use.

6. Allow Untrusted Repositories

Sometimes during installation, we may encounter an error message saying that the repository is not signed and APT cannot authenticate the packages. However, if we’re confident that the repository is safe to use, we can tell APT to treat the repository as trusted by adding [trusted=yes] to the repository’s entry in the sources.list file:

deb [trusted=yes] http://example.com/repo/ stretch main

This will allow us to install packages from the repository without encountering authentication errors. However, we should be aware that this makes our system less secure, as APT will not verify the authenticity of the packages from the repository.

Therefore, we should use this option as a last resort and only if we’re confident that the repository is trustworthy.

7. Conclusion

In this article, we’ve explored some methods for installing packages from unsigned repositories. These included checking package authenticity using checksums and cryptographic signatures and installing packages with the –allow-insecure-repositories option. Finally, we discussed adding the [trusted=yes] flag to the repository source.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.