Ask Your Question

What are the keys (in the installation guide)?

asked 2016-04-11 15:36:17 -0500

thepirate16 gravatar image

updated 2016-04-11 15:37:49 -0500

In the ROS Indigo installation, just in the initial steps, I am required to "set up my keys". And this command is suggested to be used:

sudo apt-key adv --keyserver hkp:// --recv-key 0xB01FA116

What is exactly this and what effect will cause in the computer? Does it have any relation with the immediate previous command, which tells the computer to accept software from ROS?

Thanks in advance.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2016-04-12 02:41:39 -0500

gvdhoorn gravatar image

updated 2016-04-12 03:16:52 -0500

"the keys" are really just like any other cryptographic keys that are used to sign software binaries (like in Windows).

The idea is that with that key (it's really just a single one at the moment), your apt-get will be able to make sure that the ROS packages you download really do come from the OSRF. As the OSRF (really the buildfarm) is (in theory) the only one with the private key that is used to sign the packages, no one but the OSRF will be able to create binary packages that will be considered part of the 'official' ROS distribution.

In essence, this is the same system as your web browser would use to verify that the site you're looking at is really that of your bank, or that Google is really Google.

But before your can do that, you need to have something against which to compare the signature inside the binary ROS packages, and that is what you download to your computer (and install in your machine's local key store) with the command you quoted. Without that public key, apt-get would complain that although the packages it downloads are signed, it cannot verify them:

WARNING: The following packages cannot be authenticated!
  pkg_a pkg_b
Install these packages without verification [y/N]? n
E: Some packages could not be authenticated

If you come across an error like this, it usually means you've not imported a key (or: the repository signing key has changed, for whatever reason). Only in (hopefully / probably) rare cases would this be an indication of something more malignant (like a hijacking or repository tampering).

See for more information on this system.

edit flag offensive delete link more


That was fantastic, thanks a lot for the complete explanation.

thepirate16 gravatar image thepirate16  ( 2016-04-12 03:00:31 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-04-11 15:36:17 -0500

Seen: 2,644 times

Last updated: Apr 12 '16