Let's take as an example. If you click on 'Technical details about this PPA' you see:
Signing key:
4096R/7BB9C367
Fingerprint:
6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367If you try to add that software without adding the key you get
W: GPG error: trusty Release: The following signatures couldn't
be verified because the public key is not available: NO_PUBKEY 93C4A3FD7BB9C367When I do apt-key list I see 4096R/7BB9C367. To add the key I need to do apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367. And fingerprint doesn't seem to be mentioned anywhere.
What is the difference between all these values?
Why do I not need to to apt-key ... --recv-keys if adding the PPA but I need to if manually adding the line to /etc/apt/sources.list.d? How does PPA know that 93C4A3FD7BB9C367 is what it needs to use, where does it find this?
Bonus round: What is the difference between using a PPA vs just adding a line to /etc/apt/sources.list.d/? Where is this PPA thing 'hosted' that just adding ppa:ansible/ansible is enough to add that line to sources.list.d?
1 Answer
I'll start with your last question.
ppa:ansible/ansible is a special format that refers to Launchpad PPAs and can be used in Ubuntu and Ubuntu derivatives (at least). In terms of functionality, a PPA is just a regular repo. However, this exact format can't just be added into /etc/apt/sources.list, since apt doesn't recognize this format. Therefore, the URL to the repo has to be added. For example, the URL for ppa:teamName/archiveName is .
Typically, either Software Updater or the terminal is used to add a PPA. Software Updater recognizes the PPA syntax. In terminal, apt-add-repository recognizes the format and is typically used to add a PPA. This also gets the public key that is used to sign the repo. If, for some reason, it isn't able to, you'll get a similar warning that you got when running sudo apt-get update.
As for the fingerprint, the full fingerprint of a public-key is a 40-character alphanumeric representation of the public key. Launchpad shows the full 40 characters. However, typing or remembering 40 characters is difficult, especially when there are multiple public keys. Therefore, typically the last 8 or 16 characters are shown. apt is showing the last 16 characters of the fingerprint, and apt-key list (which uses gpg behind the scenes) is showing the last 8. The format to show in gpg can be configured.
