Accepting a security signature

Packages from a software source are typically signed by the project that manages the repository or the packages. This lets users confirm that a package signed with that key actually came from the software source it claims to come from.

For a package management infrastructure to operate effectively, it has to trust repositories so that updates can be downloaded and installed automatically. The other benefit is that signed packages can be installed without using the administrator password, assuming your admin has enabled this option.

Figure 10: Example signature prompt

To trust a repository, you should verify the details of the signing key. Normally the best way to do this is to go to the web page of the software source and look for the details (in particular the fingerprint) of the key used to sign the packages. This is normally called a GPG key.

You should only proceed with this dialog if you are happy to trust packages from this software source.
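The check described above, carried out from a shell rather than through the dialog, as an added example that is not part of the original help page: compare the fingerprint of a downloaded key file against the fingerprint published on the software source's web page, and import the key only when the two match. The key file name and expected fingerprint are placeholders you would replace with the project's own values; the `gpg --show-keys` invocation assumes GnuPG 2.1.23 or later.

```shell
#!/bin/sh
# Added example (not from the original documentation): verify a repository
# signing key's fingerprint against the one published on the project's web
# page before importing it. File names and fingerprints used here are
# constructed placeholders, not any real project's key.

# Normalise a fingerprint for comparison: drop spaces and colons, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Return 0 if two fingerprints identify the same key, 1 otherwise.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary fingerprint contained in an ASCII-armoured key file
# without importing it (gpg --show-keys reads the file directly; with
# --with-colons the "fpr" record carries the fingerprint in field 10).
key_file_fingerprint() {
    gpg --batch --with-colons --show-keys --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key only if its fingerprint matches what the web page states.
# Exit status: 0 imported, 1 mismatch, 2 no fingerprint could be read.
import_if_trusted() {
    keyfile=$1
    expected=$2
    actual=$(key_file_fingerprint "$keyfile")
    if [ -z "$actual" ]; then
        echo "could not read a fingerprint from $keyfile" >&2
        return 2
    fi
    if fingerprint_matches "$expected" "$actual"; then
        gpg --batch --import "$keyfile"
    else
        echo "fingerprint mismatch: expected $expected, got $actual" >&2
        return 1
    fi
}

# Usage (placeholder values): the fingerprint is the one copied from the
# software source's web page, the file is the key downloaded from it.
# import_if_trusted ./EXAMPLE-REPO-KEY.asc "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"
```

Comparing the full fingerprint, rather than the short key ID shown in many listings, is the point of the check: short IDs are easy to collide, whereas a full fingerprint copied from the project's page pins the exact key the dialog is asking you to trust.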