Opened at 2010-05-24T13:58:42Z
Closed at 2010-05-27T23:20:54Z
#621 closed enhancement (fixed)
use apt-secure for .deb repo
Field | Value | Field | Value
---|---|---|---
Reported by: | | Owned by: |
Priority: | normal | Milestone: |
Component: | BitlBee | Version: |
Keywords: | | Cc: |
IRC client+version: | Client-independent | Operating System: | Linux
OS version/distro: | Debian-based | |
Description
The archive http://code.bitlbee.org/debian/ has no OpenPGP signature.
From man apt-secure(8):
If a package comes from an archive without a signature, or with a signature that apt does not have a key for, that package is considered untrusted, and installing it will result in a big warning. apt-get will currently only warn for unsigned archives; future releases might force all sources to be verified before downloading packages from them.
Fortunately, it also provides a solution :)
ARCHIVE CONFIGURATION
If you want to provide archive signatures in an archive under your maintenance you have to:
- Create a toplevel Release file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils).
- Sign it. You can do this by running gpg -abs -o Release.gpg Release.
- Publish the key fingerprint, that way your users will know what key they need to import in order to authenticate the files in the archive.
Whenever the contents of the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps previously outlined.
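The steps above sign only the top-level Release file, yet that one signature protects every .deb in the archive, because Release lists the hash and size of each index file (Packages), and each Packages stanza lists the hash and size of the .deb it describes. The following added example (written for this page, not code from BitlBee or from apt) shows that chain on the client side, after apt has already checked Release.gpg against Release. The archive contents, the file path `pool/main/b/bitlbee/bitlbee_1.2.8-1_i386.deb` and the .deb bytes are constructed placeholders; the Release layout mirrors what `apt-ftparchive release` writes but is generated here only for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample archive contents for this example (not the real
# BitlBee archive): one fake .deb, its hypothetical pool path, and the
# path of the Packages index that describes it.
DEB_NAME = "pool/main/b/bitlbee/bitlbee_1.2.8-1_i386.deb"  # hypothetical
DEB_BYTES = b"!<arch>\nfake .deb payload for the example\n"  # constructed
INDEX_PATH = "main/binary-i386/Packages"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_packages_index(deb_name, deb_bytes):
    """Archive side: one stanza of a Packages index, listing the .deb by size and SHA256."""
    stanza = (
        "Package: bitlbee\n"
        "Version: 1.2.8-1\n"
        "Architecture: i386\n"
        f"Filename: {deb_name}\n"
        f"Size: {len(deb_bytes)}\n"
        f"SHA256: {sha256_hex(deb_bytes)}\n"
        "Description: constructed example stanza\n\n"
    )
    return stanza.encode()


def build_release(index_files):
    """Archive side: the top-level Release file (the shape apt-ftparchive release produces).
    Only this file gets signed (Release.gpg); it covers every index file by hash and size."""
    lines = ["Origin: example archive", "Suite: stable", "SHA256:"]
    for path in sorted(index_files):
        data = index_files[path]
        lines.append(f" {sha256_hex(data)} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release_sha256(release_text):
    """Client side: read the SHA256 table out of a Release file whose OpenPGP
    signature has already been verified (apt does gpg --verify Release.gpg Release first)."""
    table = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = (line.strip() == "SHA256:")
            continue
        if in_sha256:
            digest, size, path = line.split()
            table[path] = (digest, int(size))
    return table


def verify_index(release_text, index_path, index_bytes):
    """Client side: an index file is trusted only if its size and SHA256 match the signed Release."""
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return False  # index not covered by the signed Release at all
    digest, size = expected
    return size == len(index_bytes) and hmac.compare_digest(digest, sha256_hex(index_bytes))


def verify_deb(index_bytes, deb_name, deb_bytes):
    """Client side: a .deb is trusted only if the verified Packages index lists it
    with a matching size and SHA256."""
    for stanza in index_bytes.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.MULTILINE))
        if fields.get("Filename") == deb_name:
            return (int(fields["Size"]) == len(deb_bytes)
                    and hmac.compare_digest(fields["SHA256"], sha256_hex(deb_bytes)))
    return False


def verify_chain(release_text, index_path, index_bytes, deb_name, deb_bytes):
    """Full chain: signed Release -> Packages index -> .deb."""
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes, deb_name, deb_bytes))


def demo():
    """The genuine archive verifies. A .deb swapped after signing is rejected even when
    the Packages index is rewritten to match it, because Release (the only signed file)
    no longer matches the rewritten index."""
    packages = build_packages_index(DEB_NAME, DEB_BYTES)
    release = build_release({INDEX_PATH: packages})
    genuine = verify_chain(release, INDEX_PATH, packages, DEB_NAME, DEB_BYTES)
    swapped_deb = DEB_BYTES + b"#"  # constructed tampering
    swapped_index = build_packages_index(DEB_NAME, swapped_deb)
    tampered = verify_chain(release, INDEX_PATH, swapped_index, DEB_NAME, swapped_deb)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

This is also why the man page insists the maintainer re-run the first two steps after every archive change: a stale Release.gpg would make apt reject the freshly generated Packages index, so unsigned or out-of-date Release files are the failure mode a client sees as the "untrusted" warning.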
Attachments (0)
Change History (2)
comment:1 Changed at 2010-05-26T11:04:41Z by
comment:2 Changed at 2010-05-27T23:20:54Z by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Done.
Signing key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQGiBEv++B4RBACR8PCXpBRByIPMY2DxbqUP8LfVNRfgg7X2P4Z0e+zeYHujB0hJ
P6vOW/QmeYSuDzFVH3oOJsC+kaTExf2Rl0/Bm3X4GRkw6XJME/3HR7P0rNCCvqgD
QYOlhmP4qYEi0z6q9WslhqeYzilB/opsQTR/11zUjw5TGp1P/4rcCa0/6wCg87c/
BOP6XR64zQBD5rBcCzNeL0cD/iFE97JFAYIRHOiYjpgq0/pZ/PoMrULpiyq6+BPo
8YdcuRYdFYDC5Ghmmk0VDIf5knDdsSIA5+tJTHTiKpuHZ7JKx3aJ/HzuAHlG3RaV
eLTl0HvkxWis/ORsjyvztlVtbHy0vVVRaWriVq76MicpdIqY1tcRvmm38j7X+Ois
mcO1A/wNYgJyr0pHvj52T2iosKUHu2TFqVf9sWV0n+kFI1g/aG4oHWbevcrsnbtW
+3t80BNbWAA5zlN6Bdv1MRrFJzogyJK5ao1/Y2uF4wvD64EEKgA91riHKnOSuKo2
wCccja/CqLovaAN6dvNQ5OapuH+xuc+4IsPxPNCOUQ4TL0V6vbQ9Qml0bEJlZSBu
aWdodGx5IGJ1aWxkcyAuZGVicyBzaWduaW5nIGtleSA8YnVpbGRkQGJpdGxiZWUu
b3JnPohmBBMRAgAmBQJL/vgeAhsDBQkDwmcABgsJCAcDAgQVAggDBBYCAwECHgEC
F4AACgkQlO6h8sflBDZeaACfdSPK318+gnHjvFjNf0jEdomEnooAn0O5FizmFHny
PBaPjwdPZ6YyRfK5iEYEEBECAAYFAkv++0YACgkQeYWXmuMwQFExdQCdHbhFwQJ4
4HUdjxPZlPOt3iH9MZ8AoKm88QvS4dCuYmMt9KZ6oDKyCD5l
=Ktl0
-----END PGP PUBLIC KEY BLOCK-----
To add some kind of reliability (this site is not SSL after all) I signed it using my own personal key, which is pretty strong. I'll put it somewhere on the site as well at some point.
Without this, apt-get --yes doesn't work, and one really does not want to use --force-yes.