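Fixing a failed Kali source update (invalid signature)

As the title says, recently when running sudo apt update to refresh Kali's sources, I found that no matter which mirror address I switched to, the update kept failing with a message that there was no digital signature.

The fixes found online all say to switch to a mirror in China, but they basically didn't work. The mirror may well be fine, but my Kali wasn't updating its digital signature. I finally solved the problem by reading the official documentation, and I am recording the solution here.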

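Background: Kali's apt sources

Kali Rolling: Kali's continuously updated release. Whenever Kali has an update, the updated package is placed in Kali Rolling for users to download. It gives users a steadily updated version that also carries the latest packages. This is the source we use most often.

kali-last-snapshot: Kali's stable update release.

Under kali-last-snapshot there are three classes of packages: main, non-free and contrib.

Package component types in the Kali apt sources:

| dists area | Package component criteria |
| --- | --- |
| main | Complies with the Debian Free Software Guidelines (DFSG) and does not depend on non-free |
| contrib | Complies with the Debian Free Software Guidelines (DFSG) but depends on non-free |
| non-free | Does not comply with the Debian Free Software Guidelines (DFSG) |

Note: DFSG is the Debian Free Software Guidelines, which broadly include provisions on free redistribution, source code, and no discrimination against persons or groups.

Browsing Index of /kali/dists/kali-rolling/ directly shows the three classes of packages.

Edit the Kali sources file: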

```bash
sudo vi /etc/apt/sources.list
```

Here are a few Kali mirrors in China:

Pick one of the sources below and copy it, ready to paste in (they are all good-quality mirrors; any of them will do).

USTC (University of Science and Technology of China) Kali mirror

```bash
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
```

Alibaba Cloud Kali mirror

```bash
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
```

Tsinghua University Kali mirror

```bash
deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
```

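Steps to solve the problem

I tried downloading the signing key and importing it, but on the next update attempt it still reported the signature as invalid.

```bash
# "-" makes apt-key read the key from standard input (the wget output)
wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -
```

Running apt-key list and checking the key's expiry date showed no problem there either.

Reading the documentation provided in Kali carefully and following the hint above, I looked at apt-secure(8), using the command man 8 apt-secure: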

```
DESCRIPTION
       Starting with version 0.6, APT contains code that does signature
       checking of the Release file for all repositories. This ensures that
       data like packages in the archive can't be modified by people who have
       no access to the Release file signing key. Starting with version 1.1
       APT requires repositories to provide recent authentication information
       for unimpeded usage of the repository. Since version 1.5 changes in the
       information contained in the Release file about the repository need to
       be confirmed before APT continues to apply updates from this
       repository.

       Note: All APT-based package management front-ends like apt-get(8),
       aptitude(8) and synaptic(8) support this authentication feature, so
       this manpage uses APT to refer to them all for simplicity only.
```

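First read the apt-secure description. After reading it we can see why the update never succeeds: packages that are unsigned, or that are signed but for which apt has no matching key, are not trusted, and for safety apt by default will not use such a source for updates.

Reading on: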


```bash
UNSIGNED REPOSITORIES
       If an archive has an unsigned Release file or no Release file at all
       current APT versions will refuse to download data from them by default
       in update operations and even if forced to download front-ends like
       apt-get(8) will require explicit confirmation if an installation
       request includes a package from such an unauthenticated archive.

       You can force all APT clients to raise only warnings by setting the
       configuration option Acquire::AllowInsecureRepositories to true.
       Individual repositories can also be allowed to be insecure via the
       sources.list(5) option allow-insecure=yes. Note that insecure
       repositories are strongly discouraged and all options to force apt to
       continue supporting them will eventually be removed. Users also have
       the Trusted option available to disable even the warnings, but be sure
       to understand the implications as detailed in sources.list(5). 
```

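The title of the second section is exactly "unsigned repositories", which is the explanation we need. The sentence "You can force all APT clients to raise only warnings by setting the configuration option Acquire::AllowInsecureRepositories to true." is the key to solving the problem: although the mirrors in China are unsigned, or their signature has expired (is invalid), we can force apt to update and ignore the security of the repository. To do that, we need to modify APT's configuration file.

I searched for the keyword apt.conf, but the relevant pages were all in English. After forcing myself to read through them, I found that my Kali has no apt.conf file; in my /etc/apt directory there is only an apt.conf.d directory. cd into that directory:

With so many configuration files, I didn't know which one to change, so I searched Baidu for a while longer and came across this article: AptConfiguration - Debian Wiki. Then, just to give it a try, I opened the 70debconf file and, following the guidance of the man page above, entered Acquire::AllowInsecureRepositories "true"; in it. Then I ran apt-config dump to check whether the corresponding apt setting had taken effect.

The value of Acquire::AllowInsecureRepositories changed from the initial "0" to "true", which shows that the configuration change succeeded. Running apt-get update then successfully showed the package updates.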
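
A change like this is easy to forget once updates work again, and while it is in place apt will also accept unsigned data from any repository. The script below is an added example, not part of the original post: it lists where an APT configuration tree turns on the three switches named in the apt-secure(8) excerpt (Acquire::AllowInsecureRepositories, allow-insecure=yes, trusted=yes). The function names audit_apt_dir and make_sample, the file name 99disabled and the host mirror.example are assumptions made for the example.

```bash
#!/bin/sh
# Added example: list APT settings that relax repository authentication.
# Each finding is printed as "file:line:matching text".

audit_apt_dir() (
    dir=$1
    # apt.conf and apt.conf.d/*: the global switch in flat "Name value;" form
    for f in "$dir"/apt.conf "$dir"/apt.conf.d/*; do
        [ -f "$f" ] || continue
        grep -HnEi '^[[:space:]]*Acquire::AllowInsecureRepositories[[:space:]]+"?(true|yes|1)"?[[:space:]]*;' "$f" || true
    done
    # one-line sources: per-repository [allow-insecure=yes] / [trusted=yes]
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -HnEi '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*(allow-insecure|trusted)=yes' "$f" || true
    done
    # deb822 *.sources files: the same options written as fields
    for f in "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        grep -HnEi '^(Allow-Insecure|Trusted):[[:space:]]*yes' "$f" || true
    done
)

make_sample() (   # constructed sample tree, not copied from a real system
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/apt.conf.d" "$d/sources.list.d"
    printf '%s\n' 'Acquire::AllowInsecureRepositories "true";' > "$d/apt.conf.d/70debconf"
    printf '%s\n' '// Acquire::AllowInsecureRepositories "true";' > "$d/apt.conf.d/99disabled"
    printf '%s\n' 'deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib' \
        'deb [trusted=yes] http://mirror.example/kali kali-rolling main' > "$d/sources.list"
    printf '%s\n' "$d"
)

# Audit the directory given as the first argument, or the live configuration.
audit_apt_dir "${1:-/etc/apt}"
```

The scan only matches the flat one-line form of the option; a setting written inside an `Acquire { ... }` block is not caught, so the apt-config dump output used above remains the check for the effective value.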
