Yesterday when I tried to update packages, I received a message asking me if I want to install an unsigned package. I clicked no and stopped the update.
Today I updated all packages without the message.
So, what are unsigned packages and should I install them?
- I've done a
sudo apt-get update
to update the package lists and I still get the error
- I am not using any PPAs
You should NOT trust unsigned packages. From a security standpoint, a signed package means that the person who made it used a PGP key that is owned by them to say "I created this package, and I verify its authenticity!" Unsigned packages are risky because you have no idea who the developer is (while you do with signed packages).
The other issue with updating is that if you use a PPA, it may be reading packages as unsigned if the PGP keys that originally signed them are not being downloaded, in which case you should make sure that you can connect to keyservers and make sure that the signee of the package has a key in the Ubuntu keyservers.
If you don't have any PPAs and are just using a stock configuration and you are getting unsigned packages it could be a sign that the mirror you are pulling from is misconfigured or in the middle of updating or something.
If you see this error too often consider switching to another Ubuntu mirror:
Often, you can fix errors about packages not being able to be authenticated by running
sudo apt-get update
to recheck the package lists and redownload the signatures. If you are getting errors about authentication, do not be lazy and just install the packages. Instead, find out why the packages cannot be authenticated and fix that problem first. That way, a malicious person wouldn't be able to trick you into installing his possibly rootkitted package in place of the real thing.
Next time, you should add the repository keys when you add one.
Normally, adding a PPA with add-apt-repository should do it.
Example:
sudo add-apt-repository ppa:mozillateam/firefox-stable
adds the PPA and the key.
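
To narrow down which repository is the one APT cannot authenticate, as the answers above advise, this added example (not from the original posts) lists the downloaded index files that have no signature stored beside them. It assumes APT's usual lists directory /var/lib/apt/lists and its InRelease or Release plus Release.gpg file naming; the function names and the demo hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# APT keeps each repository index either as an inline-signed
# "<repo>_InRelease" file, or as "<repo>_Release" with a detached
# "<repo>_Release.gpg" next to it. A "_Release" file with neither
# has no signature stored for it.

# unsigned_indexes [DIR]: print one repository prefix per line for every
# index in DIR (default: /var/lib/apt/lists) that has no signature file.
unsigned_indexes() {
    dir=${1:-/var/lib/apt/lists}
    for rel in "$dir"/*_Release; do
        [ -f "$rel" ] || continue                # glob matched nothing
        base=${rel%_Release}
        [ -f "${base}_InRelease" ] && continue   # inline signature present
        [ -f "${rel}.gpg" ] && continue          # detached signature present
        printf '%s\n' "${base##*/}"
    done
}

# demo: run the check against a constructed lists directory
# (hostnames below are placeholders, not real mirrors).
demo() {
    d=$(mktemp -d)
    : > "$d/signed.example_ubuntu_dists_stable_InRelease"
    : > "$d/detached.example_dists_stable_Release"
    : > "$d/detached.example_dists_stable_Release.gpg"
    : > "$d/nosig.example_dists_stable_Release"
    unsigned_indexes "$d"                        # prints only the nosig entry
    rm -rf "$d"
}

# Usage: sh script.sh demo          (constructed data)
#        sh script.sh scan [DIR]    (real lists directory)
case "${1:-}" in
    demo) demo ;;
    scan) unsigned_indexes "${2:-}" ;;
esac
```

A stored signature file only shows that a signature was downloaded; whether it verifies against a trusted key is still decided by apt-get update itself.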