Following Whonix documentation on Firmware Security and Updates.
Want to install spectre-meltdown-checker. Added buster-backports. Ran apt-get update. As update returned with an error, installed apt-transport-tor first. Ran update again. Still an error:
Err:9 tor+https://deb.debian.org/debian buster-backports InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
I tried to get the missing public key like so:
gpg --keyserver keyring.debian.org --recv-keys 0x04EE7237B7D453EC
but that results in error also: gpg: no valid OpenPGP data found.
So, how should I proceed given that I still want to install the meltdown checker and why do I get an error if I want to import the given public keys?
These instructions are for Debian hosts. If you are using Ubuntu you probably should not mix with Debian repositories. This would be very difficult and risk bricking the package management system. Rather, you need to follow steps for your distribution.
Updated just now. Use of backports no longer required.
Alright, have reapplied the updated instructions to install the meltdown checker. Flawless… I ran the checker and it seems - though the kernel does not support all defense mechanisms - I am still not vulnerable to the attacks mentioned… A quote in the command’s output: “A false sense of security is worse than no security at all”, a wise lesson I guess…
Hi rk1,
Same here, no vulnerabilities, even though some mitigations were not avail. I have since upgraded kernel, and microcode where applicable. There still is the hyperthreading / SMT warning, but that is my own choice. When hyperthreads are turned off, the warning disappears.
As far as mixing repositories between Ubuntu and Debian–bad things happened to my system once, and I never did it again. I learned that pretty much all packages can be compiled from source, converted to a .deb and installed with dpkg.
@anontor: though I have a background in programming, I certainly am not very (not in the least…) knowledgeable in systems-programming. Kind of stumble along all the instructions given. Ideally I would just want a plug-and-play OS, that is why I just used debian packages. Hope I will see the light once.