Репозитории в kali
Здравствуйте! Недавно поставил новый kali linux. Не могу поставить ни один пакет через apt: все время пишет not found. Вот sources.list:
Ахтунг! Мамкины кулхацкеры!
А вообще, APT тебе выдал ошибку. Можешь запустить его с английской локалью, пусть напишет на английском проблему, которую ты можешь загуглить. LC_ALL=C apt update.
Любым удобным способом получаете файл по ссылке https://archive.kali.org/archive-key.asc
Затем вводите терминале:
«apt-key add» и путь к файлу archive.key-asc
Большое спасибо) Все работает.
Благодарность
Столкнулся с такой же проблемой как у топикстартера. Решение просто и лаконично. + в карму.
а мог и свинку подложить с левым репозиторием и ведь приняли бы
та же проблема, но предложенный способ не работает((
root@Xiaomi:/mnt/c/Users/tiuga# apt-key add archive.key-asc E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
Для этого мне пришлось бы стать владельцем домена разработчиков Kali linux. Если бы домен был моим, кто-нибудь уже на форуме поднял бы тревогу.
gnupg отсутствует в системе. Я даже не могу представить, как это могло получиться, но это поправимо, если, конечно, из системы больше нечего другого не исчезло. Сейчас я пишу с телефона, так что дать подробные инструкции не могу. Самый простой вариант — скачать пакеты с gnupg и его зависимостями из репозитория вручную, а затем установить их с помощью команды «dpkg -i путь_к_deb_файлу» . Сами пакеты можно найти по адресу https://archive.kali.org/kali/pool/
Полагаю, нужные пакеты вы сможете найти самостоятельно по названиям. gnupg должен быть в категории main.
благодарю, а то установка через сеть не проходит, там очень много пакетов, мне все подряд ставить?
Если вы имеете в виду пакеты gnupg, то необходимо выбрать пакеты под вашу систему. Например, если вы используете обычный 64 битный дистрибутив (не для arm процессоров), то вас интересуют пакеты, название которых заканчивается на amd64. Возможно, в процессе установки вас попросят установить какие-нибудь другие пакеты, от которых зависит устанавливаемая программа — тогда придется сначала скачать и установить их.
требует пакет dpkg: dependency problems prevent configuration of gnupg1: gnupg1 depends on libcurl3-gnutls (>= 7.16.2); however: Package libcurl3-gnutls is not installed.
dpkg: error processing package gnupg1 (—install): dependency problems — leaving unconfigured Errors were encountered while processing: gnupg1
libcurl3-gnutls а я чет нигде не могу найти его
ответ
https://hackware.ru/?p=4692 выполнить две команды и будет вам счастье.
Столкнулся с такой же проблемой. Установка archive.key-asc помогла, спасибо. Но начались проблеммы я полагаю с репозиторием при установке privoxy. Помогите пожалуйста решить проблему.
# apt-get install tor privoxy
Reading package lists. Done Building dependency tree Reading state information. Done The following additional packages will be installed: doc-base libuuid-perl libyaml-tiny-perl libzstd1 tor-geoipdb torsocks Suggested packages: rarian-compat mixmaster torbrowser-launcher tor-arm apparmor-utils obfsproxy obfs4proxy The following NEW packages will be installed: doc-base libuuid-perl libyaml-tiny-perl libzstd1 privoxy tor tor-geoipdb torsocks 0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded. Need to get 3,513 kB/3,736 kB of archives. After this operation, 14.6 MB of additional disk space will be used. Do you want to continue? [Y/n]
Источник
Kali linux repository gpg
In this walkthrough we will be explaining certain things that are only on a VM. It is your choice if you want to install a full Kali system (or if you already have one, if you want to use it) or if you want to use a VM, however keep in mind what commands you’re entering if it is an install.
Setting up the VM
It’s important to set up a development environment. The easiest way to go about this is to set up a VM with the latest Kali image and give it a large filesystem. 80GB+ is good for a few packages at a time, however 150GB+ is recommended if you are using mr to download all packaging repositories. Likely, you will not need all of the packages to be downloaded.
Installing packages
We will install tools that we will use later for packaging. packaging-dev is a metapackage, and will install many of the proper packages that are needed.
User accounts and keys
Packaging needs to be done on a non-root user with sudo privileges. The default Kali user is suitable for this.
you must log out of your account and switch to the new user (rather than using su ). This is done as some pieces (such as variables that are set) of the following setup require you to be on that account, su will not work.
Next, we should generate SSH and GPG keys. These are important for packaging as they will allow us to access our files on GitLab easily and ensure the work is ours. This step is not always necessary, however it is helpful in certain cases. You will know if you need to set up a GPG key, however we recommend setting up an SSH key as it will make the packaging process quicker.
Please remember to change “First Last email@domain.com” to be your name and email.
The next step is to add the SSH key to your GitLab account. This can be done in the keys section. Run the commands below to put the key in the copy-paste buffer and paste it on GitLab’s web page.
Setting up files
We now need to set up git-buildpackage/ gbp buildpackage .
Be sure to replace email@domain.com with your email, and ensure it is the same one used with your GPG key, if that was setup.
We enable pristine-tar by default as we will use this tool to (efficiently) store a copy of the upstream tarball in the Git repository. We also set export-dir so that package builds happen outside of the git checkout directory.
Below, we’re customizing some useful tools provided by the devscripts package:
Be sure to put your own key id in DEBSIGN_KEYID . In this example we can see from gpg — k that our key is ABC123DE45678F90123G4567HIJK890LM12345N6
You may also want to add the following to your git config:
The user.name and user.email must match your gpg key details ( gpg -k ) or you will get a “Secret Key Not Available” error later on:
We also want to enable a new git merge driver:
sbuild
We also will need to set up sbuild. Although this isn’t too difficult, it does require some extra setup.
Once that is done, we need to edit /etc/schroot/chroot.d/kali-dev-amd64-sbuild* , note that “*” is used as it will generate the last bit randomly. Alternatively, use TAB auto-completion.
Finally, we just need to add our user to the group and do one last change.
apt-cacher-ng
When building a package with a sbuild, a lot of time (and bandwidth) is spent downloading the build dependencies. To speed up this step, it’s possible to use a caching proxy, such as apt-cacher-ng.
Check the version that was installed. If it’s below 0.6.1-1 , Kali is not supported out of the box, and there’s a little config to do:
In the snippet above, note that:
- the file kali_mirrors lists all the mirrors for which apt-cacher-ng will cache the requests. In this list, there should be at least the mirror that you used with the command sbuild-createchroot above.
- the file backends_kali lists the mirror that apt-cacher-ng will actually use to download packages. You should set it to a mirror that is close to you.
Finally, we just need to add a line of configuration inside our chroot, so that apt is configured to use the proxy.
In order to make sure that everything works, there’s a few things you can do:
- run tail -f /var/log/apt-cacher-ng/apt-cacher.log while you run build a package with sbuild.
- check that the directory /var/cache/apt-cacher-ng/klxrep/ is being populated with packages.
Updated on: 2021-Sep-27
Author: gamb1t
Источник
Kali linux repository gpg
IMPORTANT! Never download Kali Linux images from anywhere other than the official sources.
Always be sure to verify the SHA256 checksums of the file you’ve downloaded against our official values.
It would be easy for a malicious entity to modify a Kali installation to contain exploits or malware and host it unofficially.
Where to Get Official Kali Linux Images
ISO Files for Intel-based PCs
In order to run Kali “Live” from a USB drive on standard Windows and Apple PCs, you’ll need a Kali Linux bootable ISO image, in either 32-bit or 64-bit format.
If you’re not sure of the architecture of the system you want to run Kali on, on Linux or macOS, you can run the command uname -m at the command line. If you get the response, “x86_64”, use the 64-bit ISO image (the one containing “amd64” in the file name); if you get “i386”, use the 32-bit image (the one containing “i386” in the file name). If you’re on a Windows system, the procedure for determining whether your architecture is detailed on Microsoft’s website.
The Kali Linux images are available both as directly downloadable “.iso/.img” files or via “.torrent” files.
Building your own Kali Linux ISO, standard or customized, is a very simple process.
Virtual Machines Images
If you want to run Kali Linux as a “guest” under VMware or VirtualBox, Kali Linux is available as a pre-built virtual machines with any guest tools already installed. These image are available in a 64-bit (amd64), and 32-bit PAE (i*86) formats.
ARM Images
The hardware architectures of ARM-based devices vary considerably, so it is not possible to have a single image that will work across all of them. Pre-built Kali Linux images for the ARM architecture are available for a wide range of devices.
Scripts for building your own ARM images locally are also available on GitLab. For more details, see the articles on setting up an ARM cross-compilation environment and building a custom Kali Linux ARM chroot.
Verifying Your Downloaded Kali Image
Why do I need to do this?
Before you run Kali Linux Live, or install it to your hard disk, you want to be very sure that what you’ve got actually is Kali Linux, and not an imposter. Kali Linux is a professional penetration testing and forensics toolkit. As a professional penetration tester, having absolute confidence in the integrity of your tools is critical: if your tools are not trustworthy, your investigations will not be trustworthy, either.
Moreover, as the leading penetration testing distribution, Kali’s strengths mean that a bogus version of Kali Linux could do a tremendous amount of damage if it were deployed unwittingly. There are plenty of people with plenty of reason to want to stick very sketchy stuff into something that looks like Kali, and you absolutely do not want to find yourself running something like that.
Avoiding this is simple:
- Only download Kali Linux via the official download pages at kali.org/downloads/ or offensive-security.com/kali-linux-vmware-arm-image-download/ — you will not be able to browse to these pages without SSL; encrypting the connection makes it much harder for an attacker to use a “man-in-the-middle” attack to modify your download. There are a few potential weaknesses to even these sources — see the sections on verifying the download with the SHA256SUMS file and its signature against the official Kali Development team private key for something much closer to absolute assurance.
- Once you’ve downloaded an image, and before you run it, always validate that it really is what it’s supposed to be by verifying its checksum using one of the procedures detailed below.
There are several methods for verifying your download. Each provides a certain level of assurance, and involves a corresponding level of effort on your part.
- You can download an ISO image from an official Kali Linux “Downloads” mirror, calculate the ISO’s SHA256 hash and compare it by inspection with the value listed on the Kali Linux site. This is quick and easy, but potentially susceptible to subversion via a DNS poisoning: it assumes that the site to which, for example, the domain “kali.org” resolves is in fact the actual Kali Linux site. If it somehow were not, an attacker could present a “loaded” image and a matching SHA256 signature on the fake web page. See the section “Manually Verify the Signature on the ISO (Direct Download)”, below.
- You can download an ISO image through the torrents, and it will also pull down a file — unsigned — containing the calculated SHA256 signature. You can then use the shasum command (on Linux and macOS) or a utility (on Windows) to automatically verify that the file’s computed signature matches the signature in the secondary file. This is even easier than the “manual” method, but suffers from the same weakness: if the torrent you pulled down is not really Kali Linux, it could still have a good signature. See the section “Verify the Signature on the ISO Using the Included Signature File (Torrent Download)”, below.
- To be as close to absolutely certain as possible that the Kali Linux download you’ve obtained is the real thing, you can download both a cleartext signature file and and version of the same file that has been signed with the official Kali Linux private key and use GNU Privacy Guard (GPG) to first, verify that the computed SHA256 signature and the signature in the cleartext file match and second, verify that the signed version of the file containing the SHA256 hash has been correctly signed with the official key.
If you use this more complicated process and successfully validate your downloaded ISO, you can proceed with pretty complete assurance that what you’ve got is the official image and that it has not been tampered with in any way. This method, while the most complex, has the advantage of providing independent assurance of the integrity of the image. The only way this method can fail is if the official Kali Linux private key is not only subverted by an attacker, but also not subsequently revoked by the Kali Linux development team. For this method, see the section on verification using the SHA256SUMS file.
What do I need to do this?
If you’re running on Linux, you probably already have GPG (GNU Privacy Guard) installed. If you’re on Windows or macOS, you’ll need to install the appropriate version for your platform.
- If you’re on a PC running Windows, download and install GPG4Win from here. Certain versions of Windows do not have the native ability to calculate SHA256 checksums. To check this, you can open the command prompt and run certutil -? . If you do have this installed, you can run certutil -hashfile kali-linux-2021.3-live-amd64.iso sha256 to verify your download. If you do not have certutil installed, you will also need a utility such as Microsoft File Checksum Integrity Verifier or Hashtab to verify your download.
- If you’re on a Macintosh running macOS, download and install GPGTools from here. Alternatively, if you have Homebrew installed, just run brew install gnupg
Once you’ve installed GPG, you’ll need to download and import a copy of the Kali Linux official key. Do this with the following command:
Your output should look like this:
Verify that the key is properly installed with the command:
The output will look like this:
You’re now set up to validate your Kali Linux download.
How Do I Verify My Downloaded Image?
Manually Verify the Signature on the ISO (Direct Download)
If you downloaded the ISO directly from the downloads page, verify it using the following procedure.
On Linux, or macOS, you can generate the SHA256 checksum from the ISO image you’ve downloaded with the following command (assuming that the ISO image is named “kali-linux-2021.3-live-amd64.iso”, and is in your current directory):
The output should look like this:
The resulting SHA256 signature, “e316b27025922e9f6bca0cacee6dde83dbfd4a549ad18026526f5824af639fc1”, can be seen to match the signature displayed in the “sha256sum” column on the official download page for the 64-bit Intel architecture Kali Linux 2021.3 ISO image:
Verify the Signature on the ISO Using the Included Signature File (Torrent Download)
If you downloaded your copy of the Kali Linux ISO image via the torrents, in addition to the ISO file (e.g. kali-linux-2021.3-live-amd64.iso), there will be a second file containing the computed SHA256 signature for the ISO, with the extension “.txt.sha256sum” (e.g. kali-linux-2021.3-live-amd64.txt.sha256sum). You can use this file to verify the authenticity of your download on Linux or macOS with the following command:
If the image is successfully authenticated, the response will look like this:
IMPORTANT! If you are unable to verify the authenticity of the Kali Linux image you have downloaded as described in the preceding section, do NOT use it! Using it could endanger not only your own system, but any network you connect to as well as the other systems on that network. Stop, and ensure that you have downloaded the images from a legitimate Kali Linux mirror.
Verify the ISO Using the SHA256SUMS File
This is a more complex procedure, but offers a much higher level of validation: it does not rely on the integrity of the web site you downloaded the image from, only the official Kali Linux development team key that you install independently. To verify your image this way for an Intel architecture version of Kali, you will need to download three files from the Kali “Live CD Image” site for the current release (v2021.3, as of this writing):
- The ISO image itself (e.g. kali-linux-2021.3-live-amd64.iso)
- The file containing the calculated SHA256 hash for the ISO, SHA256SUMS
- The signed version of that file, SHA256SUMS.gpg
Before verifying the checksums of the image, you must ensure that the SHA256SUMS file is the one generated by Kali Linux. That’s why the file is signed by Kali’s official key with a detached signature in SHA256SUMS.gpg. If you have not already done so, Kali’s official key can be downloaded and imported into your keychain with this command:
or this command
Your output should look like this:
You should verify that the key is properly installed with the command:
The output will look like this:
Once you have downloaded both SHA256SUMS and SHA256SUMS.gpg, you can verify the signature as follows:
If you do not get that “Good signature” message or if the key ID does not match, then you should stop and review whether you downloaded the images from a legitimate Kali Linux mirror. The failed verification strongly suggests that the image you have may have been tampered with.
If you did get the “Good signature” response, you can now be assured that the checksum in the SHA256SUMS file was actually provided by the Kali Linux development team. All that remains to be done to complete the verification is to validate that the signature you compute from the ISO you’ve downloaded matches the one in the SHA256SUMS file. You can do that on Linux or macOS with the following command (assuming that the ISO is named “kali-linux-2021.3-live-amd64.iso” and is in your working directory):
If the image is successfully authenticated, the response will look like this:
If you do not get “OK” in response, then stop and review what’s happened: the Kali image you have has apparently been tampered with. Do NOT use it.
Once you’ve downloaded and verified your image, you can proceed to create a bootable “Kali Linux Live” USB drive.
Updated on: 2021-Sep-27
Authors: g0tmi1k , gamb1t
Источник
