I wrote a review about the Vivaldi browser previously. This browser is awesome so I decided to try it out on pretty much everything. The installation process is pretty easy and their guide is straightforward, but let’s learn what it all means and why we’re running what we’re running and how it applies to other third-party repositories. Read my tutorial on apt to get up to speed.
Please note, if you just want to install Vivaldi and don’t care about the commands used, see their guide here. This document uses Vivaldi as an example, but the techniques and information here are applicable to most third-party repositories on Ubuntu or Debian.
Installing Vivaldi
Let’s look at the specific process for Vivaldi at a glance. Most third-party repositories will have a very similar guide or workflow.
The first command in the guide has us download the public key and load it into apt with apt-key as follows:
wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub | sudo apt-key add -
You then want to add the repository using add-apt-repository.
sudo add-apt-repository 'deb https://repo.vivaldi.com/archive/deb/ stable main'
Finally, we want to run apt update:
sudo apt update
And then apt install:
sudo apt install vivaldi-stable
Let’s go deeper in with the first two commands.
apt-key
The first command we run looks a little daunting.
wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub | sudo apt-key add -
wget is a command line utility to download a file or files from a given source. It has a massive number of options. Here, all it does is quietly download the file and output it to stdout. What this means, is that if you ran:
wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub
It dumps the whole thing to the console through stdout. stdout is the standard output and can be piped into other commands. There are also things like stderr which are the standard output for errors and other various levels of output.
wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
...
We use the | symbol (called “pipe”) in order to pipe our output from wget to apt-key. By running:
sudo apt-key add -
We are telling Bash or whatever shell we’re using to add from stdin at the – mark. This key is important because it tells us whether the repository we’re about to use is the one we have added. Once you add a key like this, you know whether your package came from where it said it did. This is extremely useful for PPA’s and other third-party applications should you add them in Debian or Ubuntu. I have seen some small PPA’s get compromised and people fall for it because they didn’t add one these keys.
This is just the tip of the iceberg for what apt-key does. See the man page from Ubuntu, or run this from a terminal for more information:
man apt-key
add-apt-repository
add-apt-repository is just a shortcut to add a repository to your sources.list file or sources.list.d directory. You can also do this by either adding an entry to sources.list or adding a list file to sources.list.d.
For instance, you can run the following from a root session:
echo "deb https://repo.vivaldi.com/archive/deb/ stable main" >> /etc/apt/sources.list.d/vivaldi.list
Technically you could use only one ‘>’, but I like to be safe with these sorts of things and prevent clobbering any files I don’t have to. Two ‘>’ means that you are appending to a file, while one means to write to that file. If the file doesn’t exist, you’re appending to nothing which creates a new file.
You can also do this with nano if you prefer.
Considerations
We add a key to make sure we can trust the package is from where it says it is, but there is no way to know that the people making the package have our best interest in mind. I try to be extremely vigilant about not adding too many third-party sources. If the source package is compromised, the whole pipeline is too.
Adding third-party repositories can also cause versioning issues. This rarely happens with Debian Stable focused repositories, and isn’t extremely common overall, but if you are running Debian Unstable or the third-party repository is not specifically made for your variant, you can have issues. Even stable repositories can cause issues if you aren’t careful when upgrading.
The last consideration is cleanup. Once you’re done with these repositories, you need to remove the old keys and the old list files.
Cleaning Up
Cleaning up is usually pretty easy. You want remove any packages available from the given repository, remove the entry from your sources, then clear out the keys. The first just requires you to run apt remove or apt purge, the second requires removing the relevant deb line you added or the list file from sources.list.d.
The third is a bit harder to deal with. You need to find the key then remove it. To find the key, run:
sudo apt-key list
You should get something like (this has been modified to hide the actual emails):
apt-key list
/etc/apt/trusted.gpg
--------------------
pub dsa1024 2007-03-08 [SC]
4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid [ unknown] Google, Inc. Linux Package Signing Key
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid [ unknown] Google Inc. (Linux Packages Signing Authority)
sub rsa4096 2017-01-24 [S] [expires: 2020-01-24]
sub rsa4096 2019-07-22 [S] [expires: 2022-07-21]
pub rsa2048 2015-10-28 [SC]
BC52 8686 B50D 79E3 39D3 721C EB3E 94AD BE12 29CF
uid [ unknown] Microsoft (Release signing)
pub rsa4096 2018-01-05 [SC] [expires: 2020-01-25]
68AE AE71 F9FA 1587 03C1 CBBC 8D04 CE49 EFB2 0B23
uid [ unknown] Vivaldi Package Composer KEY04
sub rsa4096 2018-01-05 [E] [expires: 2020-01-25]
pub rsa4096 2018-12-04 [SC] [expires: 2021-01-22]
B44B 85E3 E1A6 386B FC79 D411 9658 E804 4A3A A3D6
uid [ unknown] Vivaldi Package Composer KEY05
sub rsa4096 2018-12-04 [E] [expires: 2021-01-22]
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster)
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
...
This isn’t really the most useful without knowing what it means. Each of the long hex strings under pub are an identifier for the key. To remove a key, you run:
sudo apt-key del [key ID]
So, to remove one for Vivaldi, you would find every key ID with Vivaldi:
pub rsa4096 2018-01-05 [SC] [expires: 2020-01-25]
68AE AE71 F9FA 1587 03C1 CBBC 8D04 CE49 EFB2 0B23
uid [ unknown] Vivaldi Package Composer KEY04
sub rsa4096 2018-01-05 [E] [expires: 2020-01-25]
pub rsa4096 2018-12-04 [SC] [expires: 2021-01-22]
B44B 85E3 E1A6 386B FC79 D411 9658 E804 4A3A A3D6
uid [ unknown] Vivaldi Package Composer KEY05
sub rsa4096 2018-12-04 [E] [expires: 2021-01-22]
Then you use the last 8 hex digits (with no spaces):
68AE AE71 F9FA 1587 03C1 CBBC 8D04 CE49 EFB2 0B23
B44B 85E3 E1A6 386B FC79 D411 9658 E804 4A3A A3D6
And you run:
sudo apt-key del EFB20B23
sudo apt-key del 4A3AA3D6
You can also use the full key to be a little more paranoid / safe against the potential of a collision:
sudo apt-key del "68AE AE71 F9FA 1587 03C1 CBBC 8D04 CE49 EFB2 0B23"
Make sure to run apt update afterwards.
Conclusion
This tutorial covers a few more advanced techniques for apt. These are mostly useful for installing third-party repositories. I don’t like to just run commands I find on the internet, so I feel that understanding what you do is as important as why you’re doing it. You can’t control the repository itself, but you can control your machine. Be smart and be safe with what you do.
Featured image by Boskampi from Pixabay