
Verify repository's key

asked 2014-06-20 09:16:22 -0500 by bwildenhain


According to to install ROS on Debian, the GnuPG-key used to sign the repository should be installed by using

wget -O - | sudo apt-key add -

However, the key stored in ros.key hasn't been signed by anyone and the server doesn't support HTTPS. So this key doesn't provide much security against person-in-the-middle attacks. Would it be possible to have this key signed by admins or developers actively using GnuPG/PGP (i.e. they already participated in a key-signing party or otherwise exchanged their public key with some people), who can assure that this is the genuine archive key? Is there any SSL-enabled webserver available which could be used to provide the key?

Kind regards, B. Wildenhain


2 Answers


answered 2014-06-20 14:15:07 -0500 by tfoote

updated 2019-07-08 11:31:48 -0500 by gvdhoorn

The key is now available on

The wget line can be replaced with

sudo -E apt-key adv --keyserver 'hkp://' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

Please test that it works and then we can update the installation instructions.


It is also now available from the ros/rosdistro repo on GitHub over https at:

Or of course you can get it via git over ssh.

Thanks, looks good :-)

bwildenhain ( 2014-06-20 16:47:30 -0500 )

There seems to be some kind of issue with the apt-key adv... command you provided on kinetic with Ubuntu 16.04; I had to manually download the key, then do sudo apt-key add ros.key

ajm ( 2019-07-08 09:35:00 -0500 )

@ajm: I believe you're actually running into #q325039. The keys have changed since this answer was posted.

Edit: I've edited the answer by @tfoote and updated the command and the key.

gvdhoorn ( 2019-07-08 11:30:47 -0500 )

Thanks for the update. I can confirm that it now works in a more secure way. However, I would suggest the following two lines to adapt the code for Debian users who are not using oldoldstable (current version is buster). The signed-by approach is suggested by

  1. sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/] $(lsb_release -s -c) main" > /etc/apt/sources.list.d/ros-latest.list'
  2. wget -O - | gpg --dearmor | sudo dd of=/usr/share/keyrings/
bwildenhain ( 2019-07-18 10:03:06 -0500 )
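As an added example that is not part of the original thread and not the ROS project's own tooling, the script below combines the two points made above: the full fingerprint quoted in the accepted answer is compared against the downloaded key before anything is installed, and the verified key is placed in its own keyring referenced via signed-by, as suggested in the last comment. KEY_URL, REPO_URL and the keyring file name are placeholders (the thread's URLs are not reproduced here), and the gpg colon-format output used for the offline self-check is a constructed sample, not real key data.

```shell
#!/bin/sh
# Added example, not code from the original thread or the ROS project: install a
# repository signing key into its own keyring only after the key's full fingerprint
# matches a value obtained out of band, then point apt at that keyring with signed-by.
# The fingerprint is the one quoted in the accepted answer; KEY_URL, REPO_URL and
# KEYRING are placeholders (the thread's URLs are not reproduced here).

EXPECTED_FPR="C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654"
KEY_URL="https://example.invalid/ros.key"               # placeholder
REPO_URL="https://example.invalid/ros/ubuntu"           # placeholder
KEYRING="/usr/share/keyrings/ros-archive-keyring.gpg"  # placeholder name

# Print the full fingerprint of every primary key in `gpg --with-colons` output.
# An "fpr" record directly follows its "pub" record (field 10 holds the
# fingerprint); fingerprints of subkeys, which follow "sub" records, are ignored.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }'
}

# Succeed only if stdin describes exactly one primary key and its fingerprint
# equals $1. Comparing all 40 hex digits, not a short key id, is what makes
# the check meaningful.
fingerprint_matches() {
    expected="$1"
    fprs=$(primary_fingerprints)
    count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$fprs" = "$expected" ]
}

# Fetch the ASCII-armored key, verify it, then install it as a binary keyring
# and write a sources entry that trusts only that keyring for this repository.
install_key_if_verified() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$KEY_URL"; then
        rm -f "$tmp"; return 1
    fi
    # --show-keys lists the keys in a file without importing them (GnuPG >= 2.1.23).
    if ! gpg --show-keys --with-colons "$tmp" | fingerprint_matches "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: refusing to install key" >&2
        rm -f "$tmp"; return 1
    fi
    gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
    rm -f "$tmp"
    echo "deb [signed-by=$KEYRING] $REPO_URL $(lsb_release -s -c) main" \
        | sudo tee /etc/apt/sources.list.d/ros-latest.list > /dev/null
}

# Constructed sample of `gpg --with-colons` output (one primary key with one
# subkey); the uid, timestamps and subkey fingerprint are made-up placeholders.
SAMPLE_COLONS='pub:-:4096:1:F42ED6FBAB17C654:1500000000:::-:::scESC::::::23::0:
fpr:::::::::C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654:
uid:-::::1500000000::0000000000000000000000000000000000000000::Placeholder Archive Key <placeholder@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:'

# Offline self-check against the constructed sample; pass "install" to run the
# real fetch-verify-install sequence.
case "${1:-}" in
    install) install_key_if_verified ;;
    *) printf '%s\n' "$SAMPLE_COLONS" | fingerprint_matches "$EXPECTED_FPR" \
           && echo "sample key matches expected fingerprint" ;;
esac
```

The expected fingerprint has to come from somewhere other than the download itself (the answer's https and git-over-ssh sources are the obvious candidates), otherwise the comparison only confirms that the file is self-consistent. Writing the keyring under /usr/share/keyrings and naming it in signed-by limits that key to this one repository instead of letting it vouch for every apt source, which is what apt-key add did.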

answered 2014-06-20 15:17:40 -0500 by bwildenhain

I can get the key from the server, but it doesn't increase security: The HKP protocol used to communicate with the keyserver is based on HTTP, not on HTTPS. Quote from : "all search results must be regarded as untrustworthy and informational only"
