Adding a PPA’s key to Ubuntu

Last month I mentioned that we were generating a unique key for each Personal Package Archive.

Well, that’s complete meaning each PPA now has its own key that’s used to sign its packages. And if you create a new PPA, Launchpad will generate a new key for it within a couple of hours.

This means that you now need to add the PPA’s key to apt before you install any of its packages. It’s really easy: all you need to do is copy the PPA’s public key and import it using System->Administration->Software Sources and then the Authentication tab.

Here’s a screencast that takes you through the steps:

(Higher quality Ogg Theora version)

Of course, you can also do it in the terminal. There’s more on the PPA help page.

Note: the PPA keys help you see that the package hasn’t been altered since Launchpad built it on behalf of the PPA owner. It does not mean that Launchpad, Ubuntu or Canonical endorse the packages. You should ensure you trust the PPA owner before you install their software.

31 Responses to “Adding a PPA’s key to Ubuntu”

  1. Martin Hooper Says:

    How do you do it on a server? I have a hardy server with a PPA that does not have a key installed.


  2. Matthew Revell Says:

    @Martin: As I say above, you can find instructions for doing this in a terminal on the PPA help page —

  3. Dominic Evans Says:

    Matthew, what software did you use to record the screencast? I noticed you used ffmpeg2theora to produce the .ogv, just wondered what was used initially as I’m looking for an alternative to recordmydesktop.

  4. Jonathan Says:

    I still feel like adding the key should be made easier. I opened a brainstorm topic about this the other day:

  5. Vadim P. Says:

    Just watched the screencast. I was hoping I could provide it as the install instructions for users, but it seems to be too gnome-do specific – because if the user isn’t installing gnome-do, they wouldn’t quite know what package to search for.


  6. Matthew Revell Says:

    @Dominic: I’m going to write a blog post on how I did it, but here’s the short version:

    1. Created an Intrepid instance in VirtualBox.
    2. Used gtk-recordmydesktop to record only the VirtualBox window.
    3. Create the intro and outro slides in OOo and recorded them using gtk-recordmydesktop.
    4. Import all three clips into Pitivi and exported them as a single ogv.
    5. Recorded the speech in Audacity while watching the screencast and exported it as a wav file.
    6. Converted the ogv to an avi using mencoder.
    7. Imported the avi and wav into avidemux, mashed them together and saved an avi.
    8. Used ffmpeg2theora to convert it back to an ogv.

    There may be an easier way but this worked for me. has another, similar, way of doing it.

  7. Matthew Revell Says:

    @Vadim I could record a generic “Install software from a PPA” screencast.

  8. Vadim P. Says:

    @Matthew: Please do! That would definitely help all projects.

  9. Launchpad News Says:

    [...] screencast shows how to add a PPA’s key to your [...]

  10. Kamil Páral Says:

    Adding a key is terribly difficult! How do you expect the user to manage all of this? Why is it not possible to simply download the key file? Why the user does have to go through “copy->open gedit->paste->save” procedure? Too complicated for beginners and too annoyingly tedious for experienced users.

    Please provide a way to download the key file.

  11. Gunni Says:

    I have the problem, that i cant connect to the keyserver here. Maybe its because of a different port and i am behind my companies firewall here … not very good.
    So there seems to be no way to use the ppas easy.

  12. M Henri Day Says:

    Using the PPA Help page to which a link is provided above, I managed to import a key using the terminal and thus no longer encounter that annoying error message. Splendid ! However, I first tried to follow the steps in the video to import a key using the GUI, but failed, for the simple reason that I couldn’t locate one for Intrepid. I found myself unable to find the so-called «key fingerprint» for Intrepid on the PPA overview page – could someone kindly provide me with a link and direct me to where I am to look ?…


  13. savvas Says:

    If you need a tool to fix ppa links and get all your keys and import them automatically, try this perl script:

  14. vbzir Says:

    what a bunch of useless complication…..

  15. teo Says:

    “# vbzir Says:
    February 23rd, 2009 at 1:34 pm

    what a bunch of useless complication…..

    i totally AGREE..

    what a bunch of geeky dumbness..

  16. TomkoKubianca Says:

    “what a bunch of useless complication…..”

    You’ve got my vote too!

    I’ve tried to do this on three different occasions and it hasn’t worked yet.

    Step 1 : simply type in the web site for Gnome Do Core (which is illegible on the screen so you have to google just to find the address). I’ve waited for about 20 minutes to a half an hour for the page to load but it never does.

    Like someone said above, it’s Gnome-do specific so what’s the point?

    What a complete waste of time and energy. I don’t like the idea of using a script like the one provided by savvas, but it’s either that or just remove the repository to eliminate the update error and save myself grief.

    Has anyone tried the the script provided by savvas?

  17. Anon Says:

    Does not work. I am unable to connect to the keyservers listed on the PPA pages. Several of my repositories have not been able to update for several weeks. Even the scripts I downloaded were unable to do so. Is there a special way to download the key files?

  18. Anon Says:

    This is part of the output from the terminal after running the script in the link above.
    Does anyone know how to fix this?

    Will retrieve keys for: tualatrix do-core c-korn banshee-team shutter globalmenu-team
    Attempting to get Launchpad key for tualatrix:
    Found key: 0624A220
    Adding 0624A220 to your username’s gpg
    gpg: requesting key 0624A220 from hkp server
    gpg: keyserver timed out
    gpg: keyserver receive failed: keyserver error
    system gpg –keyserver –recv-keys 0624A220 failed: 512
    Adding key to apt
    INFO: Enter your administrator password if asked

    gpg: WARNING: nothing exported

  19. Zeke Krahlin Says:

    Hello. I really want badly to get off the Windoze merry-go-round. Installed eeebuntu-NBR on my Asus eee PC 1000HA a few days ago, then tried to update. I can’t! Discovered this page in my search for an answer. NO WAY am I gonna mess with these ridiculous instructions…for as another poster said, this just ain’t right, especially for newbies. And I’m a newbie! I though Windoze was painful to maintain, but this claptrap…horrendous. I may have NO choice but to resume stupid Windoze…how very disappointing.

  20. Zeke Krahlin Says:

    So, I still can’t even view or download the video…very slow to download, a half hour now. Hmmm…and it probably won’t really be a help. What about just getting rid of the launcher? Would I then be able to update, and finally have Ubuntu running securely? I like launcher, but what they did to new users is inexcusable, so: screw ‘em.

  21. Zeke Krahlin Says:

    This afternoon I followed the video instruction to a tee (very, very carefully), all proceded exactly as the video showed (I got my distro Intrepid Ibex from the drop-down list, etc.), but:

    when I reload the Package Manager, I still get an error:

    W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: intrepid Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 3F2A5EE4B796B6FE

    W: Failed to fetch

    W: Some index files failed to download, they have been ignored, or old ones used instead.

    But I still could install those two gnome-do packages, as a test. So what’s goin’ on? I’m a Linux newbie, be gentoo. :b

  22. trampster Says:

    Using PPA’s should be way simpler.

    A new file format should be created which contains the PPA location plus the key

    Workflow should be:
    1. Download PPA file from internet
    2. Double click PPA file.
    3. Supply root password

  23. Jay Says:

    why do the PPA keys go bad so frequently ? I have several PPA repos on my sources.lst. I can count on getting a synaptic update error at least once a month where a previously perfect repository setup now needs me to go hunting for a NEW key to keep it working. Kind of a hassle. What’s up ?

  24. Peter Says:

    Right I was working through this and a more general way in which to do this is as follows (I’m going to us SMPlayer as my example):

    The SMPlayer PPA is located at:

    First we add it to the package manager as in the screen cast above in the Third Party tab. Next we are going to deal with getting the key. On that page there is a link called “Technical details about this PPA” which we click to bring up the “Signing Key” which is what we are going to need to use to search for the key we need for SMPlayer.

    At the time of writing its: 1024R/E4A4F4F4

    For the search we’ll only be interested in the part after the forward slash e.g. E4A4F4F4. Next we go to and search for “0xE4A4F4F4″ (without the quotes obviously). This will bring up the link to the PGP key we are looking for and by clicking it we get our PGP key, which we can then add to our authenticated sources list as per the screen cast above. Then just do the same steps as done in the screen cast.

  25. Bill C Says:

    Two points:

    First: The apt folks need to provide some guidance here on website wording. How should a website identify where the text string you need to enter for the server is, and of course also how should it identify where the text for this key file is. If you can’t find them on the groups web site, you’re stuck. And linux people are genuine idiot savants when it comes to making things easy to find. A little bit of standardization would really help out here.

    Second: Apt can install keys, all by itself, already. Whole boat loads of keys can be embedded in packages and distributed by clicking. NONE of this shtuff is necessary unless you want a ppa key from a group that’s illegal where you live (or more importantly where Canonical lives.)

    But they only have one (count ‘em one) file you can down load with keys. It’s called the Ubuntu key ring. But “Ubuntu and Canonical don’t endorse… yada yada yada…” For external groups, including folks like Gnome and launch-pad, you’ve got to go through this stuff.

    They could stick a series of packages, say all named beginning with ‘not-endorsed-by-Ubuntu-danger-danger-danger’, and containing the keys of other groups verified by the original ubuntu-keyring. But that would expose them, and all the assets of Canonical, to liability from anything those grouups do. Like distributing proprietary audio and video codecs, or non-public domain windows fonts required by some software,

    So the straightforward very easy, and very safe method is not available.

    Easy methods have the danger of being used by idiots, or just by regular people in a hurry without thinking. Once an apt package is being installed using apt with root privileges (and no other option is given… bad apt, bad rpm) it can do ANYTHING. It can install a whole new kernel, a whole new operating system, write anything anywhere it wants. There is no sandbox. From something you find on the …web?

    But being difficult doesn’t make it any safer, it just gives you time to think twice.

    This system is fundamentally broken.

  26. Glenn Says:

    for the folks who’ve read this far down… and are new to this..

    I have been futzing with Wubi.exe..

    I have concluded that It is a very polished package.. It would appear; that many of the issues brought to my attention regarding CD install- like the “patch” problem which may well not be in the “readme”..of ubuntu 10.04

    The killer for me was the loss of wubi entry in windows boot manager; using bcdedit; will let you see the entries so you can make a copy of that wubi entry so should the win boot manager have a problem you can restore the entry without completely re-installing wubi.. or you can do the cd install :-)))

    relevance; this public key problem did not show up for me??? using it now; don’t know if it’s shown up?

  27. tony Says:

    I found a simple way to get through a corporate firewall and use port 80 instead of the default 11371 which is usually blocked.

  28. Roy Says:

    I give up, the GEEKDOM EMPIRE has won. I have spend 3O mins trying to get a key for the ppa. No luck.

    Is it too much to ask for a SIMPLE (i.e for noobs and average users and excluding geeks etc) PROCEDURE for getting a key for the launchpad ppa.

    I’ve been using Ubuntu for 6 years and launchpad is far and away the most obfuscating site I’ve encountered.

    Will anything be done? I doubt it (and to be frank, I don’t care)

  29. Martin Pool Says:

    @Roy, this is a fairly old post. It’s easy to add a ppa now, including getting the key:

    sudo add-apt-archive ppa:bzr

    see also

  30. razor Says:

    I have a java project in launchpad (don’t know bzr much than 5 min tutorial). I can create jar files for that project, which I want to add to Downloads. How can I do it. It is not standard packaging, so adding a ppa would not be a solution (which I guess).

  31. ubuntu updater not working Says:

    [...] Looks like they might have made some changes to the repo or you did not install the key.…-key-to-ubuntu [...]

Leave a Reply