43 lines
1.4 KiB
Markdown
43 lines
1.4 KiB
Markdown
---
|
||
title: "GPG 密钥验证"
|
||
tags: [gpg, apt, security]
|
||
date: 2026-04-22
|
||
---
|
||
|
||
# GPG 密钥验证
|
||
|
||
## Definition
|
||
GPG (GNU Privacy Guard) 密钥验证是 APT 包管理器的安全机制,通过 GPG 签名确保从仓库下载的软件包来自可信来源且未被篡改。
|
||
|
||
## Docker GPG 密钥配置
|
||
```bash
|
||
# 创建密钥目录
|
||
sudo install -m 0755 -d /etc/apt/keyrings
|
||
|
||
# 下载 Docker 官方 GPG 密钥
|
||
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
|
||
|
||
# 设置密钥权限(所有人可读)
|
||
sudo chmod a+r /etc/apt/keyrings/docker.asc
|
||
```
|
||
|
||
## Verification Mechanism
|
||
1. apt 在下载软件包前,先用 GPG 密钥验证包的签名
|
||
2. 签名不匹配或密钥缺失时,apt 会拒绝安装并报 GPG 错误
|
||
3. `signed-by` 参数在 sources.list 条目中指定验证用的密钥路径
|
||
|
||
## Common Issues
|
||
| 问题 | 原因 | 解决 |
|
||
|------|------|------|
|
||
| `NO_PUBKEY` | GPG 密钥未导入 | 运行导入命令 |
|
||
| `GPG error` | 密钥权限不正确 | `chmod a+r` |
|
||
| `The following signatures couldn't be verified` | 密钥过期或损坏 | 重新下载密钥 |
|
||
|
||
## Related Sources
|
||
- [[如何在ubuntu-server安装-docker-docker-compose]] — Docker GPG 密钥配置步骤
|
||
|
||
## Related Concepts
|
||
- [[APT 仓库配置]] — 密钥与仓库配置的关系
|
||
- [[Docker Engine]] — 被 GPG 验证的软件包
|
||
- [[Ubuntu Server]] — GPG 密钥管理的宿主系统
|