?

Log in

 
 
11 February 2011 @ 05:21 pm
distributing your debian repo signing key within package  
After successful creation of own repository with Debian packages, one may face the problem of apt blaming that repo like:

W: GPG error: http://repo.coolcold.org lenny-coolcold Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 25102036038088B3
and

WARNING: The following packages cannot be authenticated!

Puppet gonna be sad too and will complain it can't install packages.

So, admin should place repo public key on servers where that repo is used. This may be achieved in several ways, like downloading key and doing apt-key filename on it, but "true" one is to put the key in package, like debian-backports-keyring did.

Let's assume you already have repo with signing turned on & generated gpg keys, if not, reread article.
Skeleton for package can be taken from my github public repo . The magic behind it is simple - place key into usr/share/keyrings/ and execute

/usr/bin/apt-key add /usr/share/keyrings/yourkeyname.key
on postinstall, don't forget to remove key on uninstall:

/usr/bin/apt-key del 038088B3

If everything goes fine, you should see your key with command:


ngxtest:/tmp# gpg --keyring /etc/apt/trusted.gpg --trustdb-name /etc/apt/trustdb.gpg --list-keys
/etc/apt/trusted.gpg
--------------------
pub 1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
uid Lenny Stable Release Key <debian-release@lists.debian.org>

pub 4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
uid Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

pub 2048R/6D849617 2009-01-24 [expires: 2013-01-23]
uid Debian-Volatile Archive Automatic Signing Key (5.0/lenny)

pub 1024D/16BA136C 2005-08-21
uid Backports.org Archive Key <ftp-master@backports.org>
sub 2048g/5B82CECE 2005-08-21

pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
uid Squeeze Stable Release Key <debian-release@lists.debian.org>

pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

pub 1024D/038088B3 2008-09-27
uid Roman Ovchinnikov (coolcold's debian repo key) <coolthecold@gmail.com>
sub 2048g/7C5857D3 2008-09-27