How to download in advance the public key used to sign repository signatures

There are those rare situations where you do not know the public key required to verify repository signatures but want to add a repository and a public key used to sign it. Hopefully, there is an easy answer to that question.

Install dirmngr using the following command to perform network operations as described here.

$ sudo apt-get install dirmngr --install-recommends

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  dbus-user-session pinentry-gnome3 tor
The following NEW packages will be installed:
  dirmngr
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 595 kB of archives.
After this operation, 1,110 kB of additional disk space will be used.
Get:1 http://ftp.task.gda.pl/debian stretch/main amd64 dirmngr amd64 2.1.18-8~deb9u1 [595 kB]
Fetched 595 kB in 0s (1,882 kB/s)
Selecting previously unselected package dirmngr.
(Reading database ... 26571 files and directories currently installed.)
Preparing to unpack .../dirmngr_2.1.18-8~deb9u1_amd64.deb ...
Unpacking dirmngr (2.1.18-8~deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up dirmngr (2.1.18-8~deb9u1) ...

Enable HTTPS protocol for APT, as described here.

$ sudo apt-get install apt-transport-https

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 171 kB of archives.
After this operation, 243 kB of additional disk space will be used.
Get:1 http://ftp.task.gda.pl/debian stretch/main amd64 apt-transport-https amd64 1.4.8 [171 kB]
Fetched 171 kB in 0s (831 kB/s)         
Selecting previously unselected package apt-transport-https.
(Reading database ... 26565 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.4.8_amd64.deb ...
Unpacking apt-transport-https (1.4.8) ...
Setting up apt-transport-https (1.4.8) ...

I will add the RabbitMQ repository in this case.

$ echo "deb https://dl.bintray.com/rabbitmq/debian stretch main" | sudo tee /etc/apt/sources.list.d/bintray.rabbitmq.list

I will use the repository URL (<a href="https://dl.bintray.com/rabbitmq/debian" rel="nofollow">https://dl.bintray.com/rabbitmq/debian</a>) and distribution (stretch) parts to build a URL address for the signature file and use it to display keyid.

Signature file URL address: <strong><a href="https://dl.bintray.com/rabbitmq/debian" rel="nofollow">https://dl.bintray.com/rabbitmq/debian</a></strong>/dists/<strong>stretch</strong>/Release.gpg

$ wget --quiet --output-document - https://dl.bintray.com/rabbitmq/debian/dists/stretch/Release.gpg | 
  gpg --no-default-keyring --list-packets -

# off=0 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 6B73A36E6026DFCA
	version 4, created 1516892013, md5len 0, sigclass 0x00
	digest algo 8, begin of digest 1a 8a
	hashed subpkt 2 len 4 (sig created 2018-01-25)
	subpkt 16 len 8 (issuer key ID 6B73A36E6026DFCA)
	data: [4095 bits]

Use apt-key to execute gpg and import the required public key.

$ sudo apt-key --keyring /etc/apt/trusted.gpg.d/rabbit.gpg  adv --no-default-keyring --keyserver keyserver.ubuntu.com --recv 6B73A36E6026DFCA

Executing: /tmp/apt-key-gpghome.cwz9Z3ksiH/gpg.1.sh --no-default-keyring --keyserver keyserver.ubuntu.com --recv 6B73A36E6026DFCA
gpg: key 6B73A36E6026DFCA: public key "RabbitMQ Release Signing Key <info@rabbitmq.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Display downloaded key or keys.

$ gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/rabbit.gpg --list-keys

/etc/apt/trusted.gpg.d/rabbit.gpg
---------------------------------
pub   4096R/6026DFCA 2016-05-17
uid                  RabbitMQ Release Signing Key <info@rabbitmq.com>
sub   4096R/12EBCE19 2016-05-17

Update package index.

$ sudo apt-get update

Ign:1 http://ftp.task.gda.pl/debian stretch InRelease
Hit:2 http://ftp.task.gda.pl/debian stretch-updates InRelease                 
Hit:3 http://ftp.task.gda.pl/debian stretch Release                           
Hit:4 http://security.debian.org/debian-security stretch/updates InRelease
Ign:5 https://dl.bintray.com/rabbitmq/debian stretch InRelease
Hit:6 https://dl.bintray.com/rabbitmq/debian stretch Release
Get:8 https://dl.bintray.com/rabbitmq/debian stretch Release.gpg [821 B]
Fetched 821 B in 1s (771 B/s)  
Reading package lists... Done

Simple as that.

Additional notes

Read my earlier how to verify file integrity using the GnuPG signature and download public key used to verify the GnuPG signature for the repository blog posts to automate this process and learn more about APT public key management.

$ sudo apt-key --keyring /etc/apt/trusted.gpg.d/rabbit.gpg \
               adv \
               --no-default-keyring \
               --keyserver keyserver.ubuntu.com \
               --recv $(wget --quiet \
                             --output-document - \
                             https://dl.bintray.com/rabbitmq/debian/dists/stretch/Release.gpg | \
                        gpg --no-default-keyring --list-packets - | \
                        awk '/^:/ {print $NF}')

Executing: /tmp/tmp.dBW4ZkZ6zn/gpg.1.sh --no-default-keyring
--keyserver
keyserver.ubuntu.com
--recv
6B73A36E6026DFCA
gpg: requesting key 6026DFCA from hkp server keyserver.ubuntu.com
gpg: key 6026DFCA: public key "RabbitMQ Release Signing Key <info@rabbitmq.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Additional notes#

Additional notes