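A small problem with a failed Kali source update (invalid signature)
This article was last updated on 2024-08-23; its content may be out of date.
Resolving a failed Kali source update (invalid signature)
As the title says, when I recently ran sudo apt update to update Kali's sources, I found that no matter which source address I switched to, the update kept failing with a message saying there was no digital signature.
The fixes I found online all say to switch to a mirror in China, but they mostly did not work: the mirrors may be fine, but my Kali was not updating its digital signature. I finally solved the problem by reading the official documentation, and I am recording the solution here.
Extension: Kali's apt sources
Kali Rolling: Kali's continuously updated release. Whenever Kali has an update, the updated package is placed in Kali Rolling for users to download. It gives users a steadily updated release that also carries the latest packages. This is the source we use most often.
kali-last-snapshot: Kali's stable update release.
kali-last-snapshot contains three classes of packages: main, non-free and contrib.
Package types in the Kali apt sources: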
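| dists area | Package component criteria |
| --- | --- |
| main | Complies with the Debian Free Software Guidelines (DFSG) and does not depend on non-free |
| contrib | Complies with the Debian Free Software Guidelines (DFSG) but depends on non-free |
| non-free | Does not comply with the Debian Free Software Guidelines (DFSG) |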
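Note: DFSG stands for the Debian Free Software Guidelines, which broadly cover free redistribution, source code, no discrimination against persons or groups, and similar provisions.
Visit http://mirrors.ustc.edu.cn/kali/dists/kali-rolling/ directly to see the three classes of packages.
Edit the Kali source addresses: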
sudo vi /etc/apt/sources.list
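Here are a few Kali mirror addresses in China:
Pick one of the sources below and copy it, ready to paste in (they are all good mirrors; any of them will do).
USTC Kali mirror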
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
Alibaba Cloud Kali mirror
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
Tsinghua University Kali mirror
deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
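Steps to solve the problem
I tried downloading the signing key and importing it, but after trying to update again it still reported that the signature was invalid.
wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -
Or update to the latest GPG key: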
wget -q -O - https://archive.kali.org/archive-key.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/kali.gpg > /dev/null
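After running apt-key list I checked the key's expiry date and found nothing wrong there either.
After much fruitless searching, I decided to calm down and carefully read the documentation shipped with Kali. Following the hint above, I looked at apt-secure(8) with the command man 8 apt-secure: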
DESCRIPTION
Starting with version 0.6, APT contains code that does signature
checking of the Release file for all repositories. This ensures that
data like packages in the archive can't be modified by people who have
no access to the Release file signing key. Starting with version 1.1
APT requires repositories to provide recent authentication information
for unimpeded usage of the repository. Since version 1.5 changes in the
information contained in the Release file about the repository need to
be confirmed before APT continues to apply updates from this
repository.
Note: All APT-based package management front-ends like apt-get(8),
aptitude(8) and synaptic(8) support this authentication feature, so
this manpage uses APT to refer to them all for simplicity only.
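Start by reading the apt-secure description. After reading it we can see why the update kept failing: packages that have no signature, or that have a signature for which apt has no corresponding key, are not trusted, and for safety apt will not by default use such a source to update.
Reading further: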
UNSIGNED REPOSITORIES
If an archive has an unsigned Release file or no Release file at all
current APT versions will refuse to download data from them by default
in update operations and even if forced to download front-ends like
apt-get(8) will require explicit confirmation if an installation
request includes a package from such an unauthenticated archive.
You can force all APT clients to raise only warnings by setting the
configuration option Acquire::AllowInsecureRepositories to true.
Individual repositories can also be allowed to be insecure via the
sources.list(5) option allow-insecure=yes. Note that insecure
repositories are strongly discouraged and all options to force apt to
continue supporting them will eventually be removed. Users also have
the Trusted option available to disable even the warnings, but be sure
to understand the implications as detailed in sources.list(5).
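The title of the second section is exactly "unsigned repositories", which is the explanation we need. The sentence "You can force all APT clients to raise only warnings by setting the configuration option Acquire::AllowInsecureRepositories to true." is the key to solving the problem: although the mirrors in China have no signature, or their signature has expired (is invalid), we can force apt to update and ignore the repository's security. To do that, we need to modify APT's configuration file.
I searched for the keyword apt.conf, but the relevant pages were all in English. After forcing myself to read through them, I found that my Kali has no apt.conf file; under my /etc/apt directory there is only an apt.conf.d directory. cd into that directory:
With so many configuration files I did not know which one to change, so I searched Baidu for a while longer and came across this article: https://wiki.debian.org/AptConf. Then, in a give-it-a-try mood, I opened the 70debconf file and, following the guidance of the man page above, entered Acquire::AllowInsecureRepositories "true";
Then run apt-config dump to check whether the corresponding apt setting has taken effect.
The value of Acquire::AllowInsecureRepositories changed from the original "0" to "true", which shows the configuration change succeeded.
Edit the sources file again: sudo vi /etc/apt/sources.list
Enter the following official sources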
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb http://old.kali.org/kali sana main non-free contrib
### Or the Zhejiang University mirror
deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
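Running apt-get update then successfully showed the package updates.
With that, the problem is solved. Run sudo apt-get upgrade again to update the Kali system.
If it still cannot update, try commenting out everything in the files under /etc/apt/sources.list.d and then run update again.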
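The setting entered in 70debconf above stays in force for every repository until it is removed, so it helps to be able to list where signature checking has been switched off. The script below is an added example, not part of the original post: it scans an APT configuration directory for Acquire::AllowInsecureRepositories and for the allow-insecure=yes and trusted=yes options named in the man page excerpt. The function names audit_apt_insecure and make_sample_tree, the sample files and the host mirror.example.invalid are constructed for illustration.

```shell
#!/bin/sh
# Added example: list APT settings that disable repository signature checks.
# Matches the one-line option form only; the nested "Acquire { ... };" block
# form is not parsed (assumption that keeps the example short).

audit_apt_insecure() {   # usage: audit_apt_insecure /etc/apt
    root=$1
    # Global switch in apt.conf or an apt.conf.d fragment such as 70debconf.
    for f in "$root/apt.conf" "$root"/apt.conf.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"/}
        grep -Ein '^[[:space:]]*Acquire::AllowInsecureRepositories[[:space:]]+"?(true|yes|1)"?[[:space:]]*;' "$f" |
            sed "s|^|GLOBAL $rel:|"
    done
    # Per-repository options on one-line sources.list entries.
    for f in "$root/sources.list" "$root"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        rel=${f#"$root"/}
        grep -En '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*(allow-insecure|trusted)=yes' "$f" |
            sed "s|^|SOURCE $rel:|"
    done
    return 0
}

# Constructed sample tree standing in for /etc/apt (not real system files;
# mirror.example.invalid is a placeholder host).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/apt.conf.d" "$d/sources.list.d"
    printf '%s\n' 'Acquire::AllowInsecureRepositories "true";' > "$d/apt.conf.d/70debconf"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' > "$d/apt.conf.d/10periodic"
    printf '%s\n' \
        'deb http://http.kali.org/kali kali-rolling main contrib non-free' \
        'deb [trusted=yes] http://mirror.example.invalid/kali kali-rolling main' \
        '# deb [allow-insecure=yes] http://mirror.example.invalid/kali kali-rolling main' \
        > "$d/sources.list"
    echo "$d"
}

tree=$(make_sample_tree)
audit_apt_insecure "$tree"   # one GLOBAL and one SOURCE finding
rm -rf "$tree"
```

On a real system, call it as audit_apt_insecure /etc/apt; an empty result means none of these three switches is set in the one-line form.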