what keys sign the libruby1.9.1 and ruby1.9.1 packages

Asked by Ricky Charlet on 2012-09-10


   I'm trying to build a modified ubuntu precise live cd which includes the ruby 1.9.1 packages. I create a pub/priv key pair to sign my own repository with. During OS install, I import these three:

1. "Ubuntu CD Image Automatic Signing Key"
2. "Ubuntu Archive Automatic Signing Key"
3. and my own pub key "Mu Dynamics Package Repository"

  Yet, when I attempt to `aptitude install libruby1.9.1` I get a "this package is untrusted" warning. To be exact, I'm trying to bundle up this package: http://ubuntu.wikimedia.org/ubuntu//pool/main/r/ruby1.9.1/libruby1.9.1_1.9.3.0-1ubuntu1_amd64.deb
And I get this warning:
root@Quantum:~/auto-install/repo# aptitude install libruby1.9.1
The following NEW packages will be installed:
0 packages upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/4,098 kB of archives. After unpacking 12.3 MB will be used.
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.


Do you want to ignore this warning and proceed anyway?

  I'm assuming that the newer ruby packages are signed with keys I don't yet have. What keys are the newer ruby packages signed with? And where can I get a copy of the public keys? Or am I on the wrong path?

Ricky Charlet

Question information

English Edit question
Ubuntu ruby1.9.1 Edit question
No assignee Edit question
Last query:
Last reply:

Can you please give the output of:

sudo apt-get update


Ricky Charlet (ricky-charlet) said : #2

That's a fine question...

root@Quantum:~# apt-get update
Ign file: main/binary-amd64/ InRelease
Ign file: main/binary-amd64/ Release.gpg
Get:1 file: main/binary-amd64/ Release [133 B]
Ign file: main/binary-amd64/ Translation-en_US
Ign file: main/binary-amd64/ Translation-en
Reading package lists... Done

A few notes: My /etc/apt/sources.list file points *only* at my local file repository:
deb file:/root/auto-install/repo/dists/studio main/binary-amd64/

My local file repository is built with the reprepro tool. It is in working order for most of the extra packages I have selected for my specialized install. Only ruby (and dhcp3-server) seem to be having authentication problems.

Ricky Charlet (ricky-charlet) said : #3

Also note:

I need to be able to complete my install *without* access to the internet.

If I were to just update my /etc/apt/soruces.list to point at the standard ubuntu repositories, then libruby1.9.1 and ruby1.9.1 install just fine. But I need to find a way to pass authentication checks without access to the internet.

Ricky Charlet (ricky-charlet) said : #4


   I've been making many failed guesses about what key signs libruby1.9.1 for ubuntu. I've been `apt-key add`ing things from ubuntu keyrings and from debian keyrings. Here is a record of what I have tried so far:

root@Quantum:~# apt-key list
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
uid Debian Archive Automatic Signing Key (6.0/squeeze) <email address hidden>

pub 2048R/3AEF8BCE 2012-01-26 [expires: 2022-01-23]
uid Mu Dynamics Package Repository <email address hidden>
sub 2048R/EB518EAF 2012-01-26 [expires: 2022-01-23]

pub 4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid Debian Archive Automatic Signing Key (7.0/wheezy) <email address hidden>
sub 4096R/ADD6B7E2 2012-04-27 [expires: 2020-04-25]

pub 4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
uid Debian Archive Automatic Signing Key (5.0/lenny) <email address hidden>

pub 1024D/6070D3A1 2006-11-20 [expired: 2009-07-01]
uid Debian Archive Automatic Signing Key (4.0/etch) <email address hidden>

pub 1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
uid Debian Archive Automatic Signing Key (2006) <email address hidden>

pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub 2048R/19FFF900 2009-11-12 [expires: 2012-11-11]
uid GPA Ubuntu Archive Automatic Signing Key <email address hidden>

pub 1024D/0C4ECFEC 2005-05-24
uid Ubuntu-ja Archive Automatic Signing Key <email address hidden>
sub 2048g/40A3E9B2 2005-05-24

pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <email address hidden>

pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <email address hidden>

root@Quantum:~# apt-get install libruby1.9.1
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/4,098 kB of archives.
After this operation, 12.3 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
Install these packages without verification [y/N]? ^C

What is the output of:

cat /etc/lsb-release


Ricky Charlet (ricky-charlet) said : #6


In reply to your request:

root@Quantum:~# cat /etc/lsb-release
root@Quantum:~# cat /etc/issue
Ubuntu 12.04 LTS \n \l

Ricky Charlet (ricky-charlet) said : #7

Hi all,

  To reproduce my problem, collect the ruby1.9.1 debs into a directory and run reprepro over them. Configure your /etc/apt/sources.list to point *only* to your new local, file repo. and attempt to install libruby1.9.1

mkdir repo
cd repo
mkdir debs
cd debs
wget http://mirrors.us.kernel.org/ubuntu//pool/main/r/ruby1.9.1/libruby1.9.1_1.9.3.0-1ubuntu1_amd64.deb
wget http://ubuntu.wikimedia.org/ubuntu//pool/main/r/ruby1.9.1/ruby1.9.1_1.9.3.0-1ubuntu1_amd64.deb
make a gpg pub/priv key pair
create a conf/distributions file with these contents
Origin: YourFavoriteNameHere
Label: YourFavoriteLableHere
Codename: YourFavoriteCodenameHere
Architectures: amd64 source
Components: main
Description: Your favorite descrtiption here
SignWith: KEYIDofYourNewGPGpubKeyHere
Pull: maverick
reprepro -Vb . includedeb <codename> debs/*.deb

Then edit your /etc/apt/sources.list to point to your repo directory only (comment out all the internet based repos):
deb file:/path/to/your/repo/dists/<codename> main/binary-amd64/

apt-get update
apt-get install libruby1.9.1
(observe auth error here)

Ricky Charlet (ricky-charlet) said : #8


    Even though my problem seems difficult and certainly out of the main stream, I'm really asking a quite simple question. I hope some one can point me in the right direction...

    Who (what person or process) signs the ruby1.9.1 deb file for the ubuntu archive with what key? I'm trying to acquire that public key.

Ricky Charlet (ricky-charlet) said : #9

    Is the ruby1.9.1 ubuntu package signed at all?

wget http://mirrors.us.kernel.org/ubuntu//pool/main/r/ruby1.9.1/libruby1.9.1_1.9.3.0-1ubuntu1_amd64.deb
ar -x libruby1.9.1_1.9.3.0-1ubuntu1_amd64.deb
note the lack of an _origin* file

   Can someone in the community point me at who the developers are?

Ricky Charlet

I suggest you run:

ubuntu-bug ruby

Can you help with this problem?

Provide an answer of your own, or ask Ricky Charlet for more information if necessary.

To post a message you must log in.