#621 closed enhancement (fixed)

use apt-secure for .deb repo

Reported by: ilf@…
Owned by:
Priority: normal
Milestone:
Component: BitlBee
Version:
Keywords:
Cc:
IRC client+version: Client-independent
Operating System: Linux
OS version/distro: Debian-based

Description

The archive http://code.bitlbee.org/debian/ has no OpenPGP signature.

From man apt-secure(8):

If a package comes from a archive without a signature or with a signature that apt does not have a key for that package is considered untrusted and installing it will result in a big warning. apt-get will currently only warn for unsigned archives, future releases might force all sources to be verified before downloading packages from them.

Fortunately, it also provides a solution :)

ARCHIVE CONFIGURATION

If you want to provide archive signatures in an archive under your maintenance you have to:

  • Create a toplevel Release file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils).
  • Sign it. You can do this by running gpg -abs -o Release.gpg Release.
  • Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.

Whenever the contents of the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps previously outlined.
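
The signature made in the second step covers only the Release file, and Release in turn lists the size and hash of each index file, which is why both steps must be repeated whenever the archive changes. The following check is an added example, not part of the original ticket or of BitlBee's tooling: it assumes Release carries a SHA256 field and that the signature itself is verified separately with gpg, and the archive it builds in `demo()` is constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 field of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only SHA256 is of interest.
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def check_indexes(archive_dir):
    """Return {path: status} for every index file listed in archive_dir/Release."""
    root = Path(archive_dir)
    entries = parse_release_sha256((root / "Release").read_text(encoding="utf-8"))
    results = {}
    for path, (digest, size) in entries.items():
        target = root / path
        if not target.is_file():
            results[path] = "missing"
            continue
        data = target.read_bytes()
        if len(data) != size:
            results[path] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[path] = "hash mismatch"
        else:
            results[path] = "ok"
    return results


def demo():
    """Constructed one-index archive: check it, then edit Packages without a new Release."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        packages = b"Package: example\nVersion: 1.0\n"  # constructed sample index
        (root / "Packages").write_bytes(packages)
        (root / "Release").write_text(
            "SHA256:\n %s %d Packages\n" % (hashlib.sha256(packages).hexdigest(), len(packages)))
        fresh = check_indexes(root)
        (root / "Packages").write_bytes(packages.replace(b"1.0", b"1.1"))  # same size, new content
        return fresh, check_indexes(root)
```

A "hash mismatch" or "size mismatch" on the maintainer's side means Release was not regenerated and re-signed after the last change to the archive.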

Change History (2)

comment:1 Changed at 2010-05-26T11:04:41Z by ilf

Without this, apt-get --yes doesn't work, and one really does not want to use --force-yes.

comment:2 Changed at 2010-05-27T23:20:54Z by wilmer

Resolution: fixed
Status: new → closed

Done.

Signing key:

To add some kind of reliability (this site is not SSL after all) I signed it using my own personal key, which is pretty strong. I'll put it somewhere on the site as well at some point.
