trusting keys for apt repositories

as of debian etch, apt provides cryptographic verification of the packages you download. This requires you to tell apt which keys you trust to sign the package repositories you pull from.

CMRG repositories are all signed by dkg's key. You can tell apt to trust this key (if you like) by doing the following:

gpg --fetch-keys http://fifthhorseman.net/dkg.gpg
gpg --fingerprint --list-key dkg-debian.org@fifthhorseman.net | grep fingerprint

This should show you the proper fingerprint:

      Key fingerprint = 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9

If it matches, you can tell apt to trust it. First export the key to a file:

gpg --armor --export dkg-debian.org@fifthhorseman.net > dkg.gpg

Then as root, add the key to apt key ring:

apt-key add dkg.gpg

(note: in June of 2007, dkg ​changed keys. This page has been updated to reflect the new key)