
Revision history

initial version

"the keys" are really just like any other cryptographic keys that are used to sign software binaries (like in Windows).

The idea is that with that key (it's really just a single one at the moment), your apt-get will be able to make sure that the ROS packages you download really do come from the OSRF. As the OSRF (really the buildfarm) is (in theory) the only one with the private key that is used to sign the packages, no one but the OSRF will be able to create binary packages that will be considered part of the 'official' ROS distribution.

In essence, this is the same system as your web browser would use to verify that the site you're looking at is really that of your bank, or that Google is really Google.

But before you can do that, you need to have something against which to compare the signature inside the binary ROS packages, and that is what you download to your computer (and install in your machine's local key store) with the command you quoted. Without that public key, apt-get would complain that although the packages it downloads are signed, it cannot verify them:

WARNING: The following packages cannot be authenticated!
  pkg_a pkg_b
Install these packages without verification [y/N]? n
E: Some packages could not be authenticated

If you come across an error like this, it usually means you've not imported a key (or: the repository signing key has changed, for whatever reason). Only in (hopefully / probably) rare cases would this be an indication of something more malignant (like a hijacking or repository tampering).

See wiki.debian.org/SecureApt for more information on this system.
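An added worked example, not part of the answer above and not code from ROS, the OSRF buildfarm or apt: a runnable model of the SecureApt trust chain that apt walks once a repository's public key sits in the local keyring. In SecureApt the signature is on the repository's Release file; Release lists the SHA256 of every Packages index, and each Packages stanza lists the SHA256 of a .deb, so a package is "authenticated" only if that whole chain checks out from a trusted key. The RSA/PKCS#1 v1.5 routine below is a stand-in for OpenPGP/gpgv so the demo runs offline (it is not what apt implements), and the Release, Packages and .deb contents, the package file names and the two key seeds are all constructed sample data.

```python
import hashlib
import itertools
import random

# Toy RSA over SHA-256 (PKCS#1 v1.5). Stands in for the OpenPGP key in apt's keyring;
# this is NOT what apt/gpgv implement, it just lets the whole chain run offline.
def _is_probable_prime(n, rounds=32):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    bases = random.Random(0)          # fixed Miller-Rabin witnesses: reproducible demo
    for _ in range(rounds):
        x = pow(bases.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=1024, seed=None):
    """Return ((n, e), (n, d)); pass a seed only to make a demo reproducible."""
    rng, e = (random.Random(seed) if seed is not None else random.SystemRandom()), 65537
    def prime():
        while True:                   # top bit forced so n really has `bits` bits; odd
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(), prime()
        if p != q and ((p - 1) * (q - 1)) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(data, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def sign(private, data):
    n, d = private
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")
def verify(public, data, sig):
    n, e = public
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return recovered == _emsa_pkcs1_v15(data, k)   # re-encode and compare, no lenient parsing

# The chain apt walks: trusted keyring -> signed Release -> Packages index -> .deb
def _release_hashes(release):
    """Map index path -> SHA256 from the 'SHA256:' block of a Release file."""
    lines = release.decode().splitlines()
    if "SHA256:" not in lines:
        return {}
    block = itertools.takewhile(lambda l: l.startswith(" "), lines[lines.index("SHA256:") + 1:])
    return {path: digest for digest, _size, path in (l.split() for l in block)}
def _packages_hashes(packages):
    """Map .deb Filename -> SHA256 from the stanzas of a Packages index."""
    hashes = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields and "SHA256" in fields:
            hashes[fields["Filename"]] = fields["SHA256"]
    return hashes
def verify_repository(keyring, release, release_sig, indexes, debs):
    """Return (ok, reason). Nothing below Release is trusted until its signature checks out."""
    if not any(verify(pub, release, release_sig) for pub in keyring):
        return False, "Release not signed by any key in the local keyring"
    expected, trusted_debs = _release_hashes(release), {}
    for path, body in indexes.items():
        if expected.get(path) != hashlib.sha256(body).hexdigest():
            return False, f"hash mismatch for index {path}"
        trusted_debs.update(_packages_hashes(body))
    for filename, body in debs.items():
        if trusted_debs.get(filename) != hashlib.sha256(body).hexdigest():
            return False, f"cannot authenticate {filename}"
    return True, "all packages authenticated"

def build_sample_repo(seed=1):
    """Constructed sample data (not a real ROS repository): key, Release, Packages, two .debs."""
    pub, priv = generate_keypair(seed=seed)
    debs = {"pool/main/r/ros-noetic-ros-base_1.5.0-1_amd64.deb": b"constructed .deb bytes A",
            "pool/main/r/ros-noetic-rviz_1.14.20-1_amd64.deb": b"constructed .deb bytes B"}
    packages = "".join(f"Package: sample\nFilename: {f}\nSHA256: {hashlib.sha256(b).hexdigest()}\n\n"
                       for f, b in debs.items()).encode()
    path = "main/binary-amd64/Packages"
    release = (f"Origin: ROS\nSuite: focal\nSHA256:\n"
               f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {path}\n").encode()
    return {"pub": pub, "release": release, "sig": sign(priv, release),
            "indexes": {path: packages}, "debs": debs}
def run_scenarios():
    """Honest repo; no key imported (the apt WARNING case); wrong key; .deb swapped after signing."""
    repo = build_sample_repo()
    honest = (repo["release"], repo["sig"], repo["indexes"], repo["debs"])
    tampered = dict(repo["debs"])
    tampered[next(iter(tampered))] = b"trojaned .deb bytes"
    stranger_pub, _ = generate_keypair(seed=2)
    return {"trusted": verify_repository([repo["pub"]], *honest)[0],
            "no_key": verify_repository([], *honest)[0],
            "wrong_key": verify_repository([stranger_pub], *honest)[0],
            "tampered_deb": verify_repository([repo["pub"]], *honest[:3], tampered)[0]}
```

Calling `run_scenarios()` returns `{'trusted': True, 'no_key': False, 'wrong_key': False, 'tampered_deb': False}`: only the repository signed by the key you actually imported passes, and a single swapped .deb fails even though the Release signature itself is fine, which is why the fix for the apt warning is to import (and fingerprint-check) the right key rather than to answer `y` to installing without verification.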