• gomp@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    5 months ago

    My bad for causing confusion: when I wrote “trusted signature” I should have said “trusted public key”.

    The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).

    For the software you install from your distro’s “official” repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that’s beyond the point here).

    When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it’s something like curl <some-url> | sudo apt-key add -?). So, this key must be pre-shared (you usually get it from the dev’s website) and trusted.