Of Laptops, XP, Debian etch, device drivers, and GPG signatures.

Well, that was a fun adventure all around. My laptop ‘hunter’ is back up and running, pretty much at the level it was at just as it tumbled off the table last Wednesday evening. Perversely, I had to leave Thursday morning to go visit ${client} down in New Jersey, and really wouldn’t have the time to do all the reinstall fun until I got back.

Nonetheless, I was able to sort of limp along through Thursday (even managed to watch a movie on it at the hotel that night), and into Friday, where I was able to swap out the main drive, re-install XP, and get at least the base installation of ‘sarge’ re-installed. Total time on this was perhaps 3 hours of watching CDs spin. Really, all in all, for 2 entire OS installs from scratch, it wasn’t too shabby.
Of course, neither installation was without its twitches. The XP install came up on the laptop with -zero- network connectivity. The device manager SAW the 2 PCI network devices, but couldn’t initialize them because, naturally, I didn’t have the ‘driver’ disc. This is a laptop; it’s not like I have a shelf full of CDs at hand. So the XP install, while technically complete, was really non-functional. No network connectivity means I couldn’t get the drivers I needed, so I had to pretty much shelve that install for now.
The Debian install went better. I had the IT chap burn me a CD of the Sarge ‘netinst’ image. This is a small (100 MB) image that contains the kernel and enough software to boot, partition, format, and install the ‘core’ Debian system. It assumes you have net connectivity available, and sets it up as part of the install. Once connectivity is established and you’ve selected what installation type you want (developer, gnome, databases, etc.), the installer starts fetching the packages necessary.
For my install, the entire ‘fetch, unpack, install’ process from the time the installer said “I have all the information I need, go away” to completion took about an hour and a half on a mediocre DSL line.
Once done, it was a matter of getting back home, restoring my backed-up home dir, and re-installing the packages I needed that were missing. I find it somewhat ironic that my Debian install -happily- came up with all the network device drivers in place, configured, and working, and I was able to continue my install, while the XP system is dead in the water with no network, requiring me to find an external source for the drivers needed to simply get online.
But moving along.
After that, we’re pretty much into normal sarge -> etch install mode, but I keep getting an annoying message from apt-get on the upgrade:

W: GPG error: http://secure-testing.debian.net etch/security-updates Release:
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 946AA6E18722E71E
W: You may want to run apt-get update to correct these problems

This was a new one on me. Apparently versions of apt-get from 0.6 onward check, by default, the GPG signature on the archive’s Release file before downloading packages from it. This means you need to have the public key of the ‘offering’ host available in your local GPG keyring before pulling the file. (You can turn off signature checking, but checking the authenticity of a package before downloading is a good idea anyway.)
The answer to this is to add the public key into your GPG keyring. Note the long hex number in the error message (946AA6E18722E71E). That’s the ‘key ID’ that identifies the key on the keyserver. The first step is to query the keyserver for the public key. This should be run as the user who does most of the system maintenance, as it’ll be added to _THEIR_ keyring. Don’t run this as root.

gpg --keyserver subkeys.pgp.net --recv-keys 946AA6E18722E71E

The next step is to hand that key to apt. apt-key adds it to the root-owned keyring that apt trusts. Since you’ve already fetched and inspected the key in your personal keyring, it is safer to export it from there and pipe it into apt-key than to fetch it straight into root’s keyring sight unseen:

gpg --export 946AA6E18722E71E | sudo apt-key add - 

Once those are done, apt-get should behave normally and update the local apt cache files without any complaints. The protection this buys you: if the security server for Debian packages should get compromised, an attacker who does not hold the private signing key cannot produce a signature that verifies against the public key you imported (recovering the private key from the public key is computationally infeasible), so if the signature checks out, you can be fairly sure it’s a valid package to install.
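To tie the two steps above together, here is an added example (not code from the original post) in POSIX shell: it pulls the key ID(s) out of the apt-get warning, checks an out-of-band fingerprint against a key ID before anything is handed to apt-key, and wraps the post’s gpg/apt-key sequence in a helper that refuses to proceed on a mismatch. The sample warning text is constructed from the message quoted in the post, the fingerprints in the usage lines are constructed placeholders, and `import_repo_key` and the `KEYSERVER` variable are this example’s own inventions; the keyserver name is the one the post used and may need replacing today.

```shell
#!/bin/sh
# Added example: parse apt's NO_PUBKEY warning and gate the key import on a
# fingerprint check. Not part of the original post.

# Constructed sample of the warning the post shows (same key ID as the post).
SAMPLE_WARNING="W: GPG error: http://secure-testing.debian.net etch/security-updates Release:
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 946AA6E18722E71E
W: You may want to run apt-get update to correct these problems"

# Print every key ID apt reported as NO_PUBKEY, one per line, deduplicated.
missing_key_ids() {
    printf '%s\n' "$1" | grep -o 'NO_PUBKEY [0-9A-Fa-f]\{8,40\}' | awk '{print $2}' | sort -u
}

# A long (16-hex-digit) key ID is the last 16 hex digits of a v4 key's
# 40-hex-digit fingerprint. Return 0 only if the fingerprint you obtained from
# a trusted source (not from the keyserver) ends with the key ID apt named.
fingerprint_matches_keyid() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    kid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ ${#fpr} -eq 40 ] || return 1
    [ ${#kid} -eq 16 ] || return 1
    case "$fpr" in
        *"$kid") return 0 ;;
        *)       return 1 ;;
    esac
}

# Hypothetical helper wrapping the post's two commands. Fetch the key into the
# maintenance user's keyring, read back its real fingerprint with gpg, and only
# then export it into apt's trusted keyring. Needs network and gpg; not run here.
import_repo_key() {
    kid=$1
    expected_fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    gpg --keyserver "${KEYSERVER:-subkeys.pgp.net}" --recv-keys "$kid" || return 1
    # --with-colons gives machine-readable output; field 10 of the fpr line is the fingerprint.
    actual_fpr=$(gpg --with-colons --fingerprint "$kid" | awk -F: '$1 == "fpr" { print $10; exit }')
    fingerprint_matches_keyid "$actual_fpr" "$kid" || { echo "key ID mismatch" >&2; return 1; }
    [ "$actual_fpr" = "$expected_fpr" ] || { echo "fingerprint mismatch, refusing to trust $kid" >&2; return 1; }
    gpg --export "$kid" | sudo apt-key add -
}

# Usage: list what apt is missing, then show the check with a constructed fingerprint.
missing_key_ids "$SAMPLE_WARNING"
if fingerprint_matches_keyid "FFFF FFFF FFFF FFFF FFFF FFFF 946A A6E1 8722 E71E" 946AA6E18722E71E; then
    echo "fingerprint ends with the key ID apt asked for (constructed placeholder)"
fi
# Real run would be: import_repo_key 946AA6E18722E71E "<fingerprint from a trusted source>"
```

The point of the fingerprint gate is that a keyserver answers any query for a key ID, including keys an attacker uploaded under that ID, so the fetch in the post authenticates nothing by itself; comparing the full fingerprint against a value you got from the archive’s own documentation is what turns “I downloaded a key” into “I accepted the right key”. On current Debian releases apt-key is deprecated in favour of keyring files under /etc/apt/trusted.gpg.d, but the check itself is unchanged.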
There are many other stories on bringing ‘hunter’ back from its near-fatal plummet, but suffice to say that due to the magic of package management systems and open-source software, and a backup of just my home directory (which has most of my user configurations and the like), I was able to get back up and running from ground zero in perhaps 8 hours of work. Much of that time was simply watching a progress bar move as packages were downloaded and re-installed, primarily without me needing to do anything.
There is even a way to tell apt to make a ‘snapshot’ of all the installed packages so you can ‘replay’ the entire install to get all your installed packages back. I may explore this in a future article.

