Guide to securely configure all repositories with GPG signature verification
For APT-based repositories (Debian, Ubuntu, Proxmox, Docker, FRR, Ceph), the GPG keys of the respective projects must be installed on the system so that `apt` can verify the package signatures.
For standard distributions (Debian, Ubuntu) the keys are already pre-installed. For third-party repos the keys must be manually imported. We host all required keys at /keys/ as a convenience copy.
| Project | Key file | Fingerprint |
|---|---|---|
| Debian 12 (Bookworm) | debian-archive-12.asc | B8B8 0B5B 623E AB6A D877 5C45 B7C5 D7D6 3509 47F8 |
| Debian 12 Security | debian-archive-12-security.asc | 05AB 9034 0C0C 5E79 7F44 A8C8 254C F3B5 AEC0 A8F0 |
| Ubuntu | ubuntu-archive.asc | 790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32 |
| Proxmox (Bookworm) | proxmox-release-bookworm.gpg | F4E1 36C6 7CDC E41A E6DE 6FC8 1140 AF8F 639E 0C39 |
| Docker CE | docker.asc | 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88 |
| FRR | frr.gpg | 3D99 68AC 9AE7 BE11 6928 8DDB 1FD5 8398 95F5 7FDA |
| Ceph | ceph-release.asc | 08B7 3419 AC32 B4E9 66C1 A330 E84A C2C0 460F 3994 |
Debian systems already have the archive key pre-installed. Just update the sources.list:
```
deb http://mirror.as47526.net/debian bookworm main contrib non-free non-free-firmware
deb http://mirror.as47526.net/debian bookworm-updates main contrib non-free non-free-firmware
deb http://mirror.as47526.net/debian-security bookworm-security main contrib non-free non-free-firmware
```

```bash
sudo tee /etc/apt/sources.list <<'EOF'
deb http://mirror.as47526.net/debian bookworm main contrib non-free non-free-firmware
deb http://mirror.as47526.net/debian bookworm-updates main contrib non-free non-free-firmware
deb http://mirror.as47526.net/debian-security bookworm-security main contrib non-free non-free-firmware
EOF
sudo apt update
```
`apt update` verifies the signatures automatically.
```
deb http://mirror.as47526.net/ubuntu noble main restricted universe multiverse
deb http://mirror.as47526.net/ubuntu noble-updates main restricted universe multiverse
deb http://mirror.as47526.net/ubuntu noble-security main restricted universe multiverse
```
```bash
curl -fsSL https://mirror.as47526.net/keys/proxmox-release-bookworm.gpg \
  | sudo tee /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg > /dev/null
```

```bash
echo "deb http://mirror.as47526.net/proxmox/debian/pve bookworm pve-no-subscription" \
  | sudo tee /etc/apt/sources.list.d/pve-mirror.list
sudo apt update
```
F4E1 36C6 7CDC E41A E6DE 6FC8 1140 AF8F 639E 0C39
Official reference: pve.proxmox.com/wiki/Package_Repositories
Obtained from enterprise.proxmox.com. Our copy is identical but is served from our server.
If in doubt, verify the fingerprint against the official Proxmox documentation.
```bash
curl -fsSL https://mirror.as47526.net/docker-setup.sh | sudo bash
```

```bash
# GPG key (fetched from the original server, not the mirror!)
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg \
  | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://mirror.as47526.net/docker/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update
```
9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
Official reference: docs.docker.com/engine/install
download.docker.com, not from our mirror. This ensures that the key cannot be compromised via the mirror path.
```bash
curl -fsSL https://mirror.as47526.net/keys/frr.gpg \
  | sudo tee /etc/apt/trusted.gpg.d/frr.gpg > /dev/null
```

```bash
echo "deb http://mirror.as47526.net/frr bookworm frr-stable" \
  | sudo tee /etc/apt/sources.list.d/frr-mirror.list
sudo apt update
```
3D99 68AC 9AE7 BE11 6928 8DDB 1FD5 8398 95F5 7FDA
Official reference: deb.frrouting.org
```bash
curl -fsSL https://mirror.as47526.net/keys/ceph-release.asc \
  | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/ceph.gpg
```

```bash
echo "deb http://mirror.as47526.net/ceph/debian-reef bookworm main" \
  | sudo tee /etc/apt/sources.list.d/ceph-mirror.list
sudo apt update
```
08B7 3419 AC32 B4E9 66C1 A330 E84A C2C0 460F 3994
Official reference: docs.ceph.com
In /etc/pacman.d/mirrorlist add:
```
Server = http://mirror.as47526.net/arch/$repo/os/$arch
```
Fedora uses DNF/YUM with RPM GPG signatures. The keys are present from installation. To use this mirror, create a repo file:
```bash
sudo tee /etc/yum.repos.d/as47526-mirror.repo <<'EOF'
[as47526-fedora]
name=Fedora $releasever - AS47526 Mirror
baseurl=http://mirror.as47526.net/fedora/releases/$releasever/Everything/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
EOF
sudo dnf makecache
```
/etc/pki/rpm-gpg/.
gpgcheck=1 ensures that all packages are verified against the official Fedora key.
```bash
sudo tee /etc/yum.repos.d/as47526-mirror.repo <<'EOF'
[as47526-rocky-baseos]
name=Rocky Linux $releasever - BaseOS - AS47526 Mirror
baseurl=http://mirror.as47526.net/rocky/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF
sudo dnf makecache
```
In /etc/apk/repositories:
```
https://mirror.as47526.net/alpine/v3.23/main
https://mirror.as47526.net/alpine/v3.23/community
```
gpgcheck or --allow-unauthenticated
signed-by= in sources.list is more secure than trusted.gpg.d
download.docker.com), to avoid a single point of failure
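
The fingerprint check and the `signed-by=` recommendation above can be combined into one step. The following is an added example, not part of the mirror's own instructions: the function names are hypothetical, it assumes GnuPG 2.2 or later for `gpg --show-keys`, and it places the key under `/etc/apt/keyrings` as the Docker section does.

```shell
#!/bin/sh
# Added example: pin a repository key to its published fingerprint, then
# reference it with signed-by= instead of dropping it into trusted.gpg.d.

# "F4E1 36C6 ..." -> "F4E136C6..." (whitespace removed, upper case).
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# stdin: `gpg --with-colons` output. Prints primary-key fingerprints only:
# field 10 of the "fpr" record that follows a "pub" record (the "fpr"
# records after "sub" belong to subkeys and are skipped).
primary_fprs() {
    awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0} $1=="fpr" && p {print $10; p=0}'
}

# True only if stdin describes exactly one primary key and it equals $1.
# A key file carrying an additional key fails the comparison too.
colons_match_fpr() {
    want=$(normalize_fpr "$1")
    got=$(primary_fprs)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# install_verified_key URL FINGERPRINT DEST
# Take FINGERPRINT from the upstream project's documentation. DEST keeps the
# source file's extension (.asc armored, .gpg binary); apt reads both.
install_verified_key() {
    tmp=$(mktemp) || return 1
    if curl -fsSL "$1" -o "$tmp" &&
       gpg --show-keys --with-colons "$tmp" 2>/dev/null | colons_match_fpr "$2"
    then
        sudo install -D -m 0644 "$tmp" "$3"; rc=$?
    else
        echo "download failed or fingerprint mismatch: $1" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage with the FRR values from this page (hypothetical file layout):
# install_verified_key https://mirror.as47526.net/keys/frr.gpg \
#     "3D99 68AC 9AE7 BE11 6928 8DDB 1FD5 8398 95F5 7FDA" /etc/apt/keyrings/frr.gpg
# echo "deb [signed-by=/etc/apt/keyrings/frr.gpg] http://mirror.as47526.net/frr bookworm frr-stable" \
#     | sudo tee /etc/apt/sources.list.d/frr-mirror.list
```

With `signed-by=`, the key authenticates only the repository line that names it, whereas a key in `trusted.gpg.d` is accepted for every configured source.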