Opened 16 years ago

Last modified 9 years ago

#18 assigned enhancement

Investigate adding key signing to debian packages

Reported by: Victor Julien
Owned by: Adi Kriegisch
Priority: major
Milestone: undecided
Component: autobuilder
Version:
Keywords:
Cc:

Description

To prevent this message:

WARNING: The following packages cannot be authenticated!

libvuurmuur vuurmuur vuurmuur-conf

Install these packages without verification [y/N]? y

Change History (3)

comment:1 by Victor Julien, 16 years ago

Summary: Invesitgate adding key signing to debian packages → Investigate adding key signing to debian packages

comment:2 by Adi Kriegisch, 16 years ago

Status: new → assigned

For more information on this, take a look at http://wiki.debian.org/SecureApt and inspect the debian-archive-keyring package. The most feasible way to deal with that could be to create our own package: vuurmuur-archive-keyring

Further investigation needed!

comment:3 by Adi Kriegisch, 9 years ago

  • Package signing will happen "automagically" during the build process when the user running the build has a pgp key in the ~/.gnupg directory matching the email address in the latest changelog entry.
  • Repository signing involves running 'apt-ftparchive release . > Release' in /path/to/repo/dists/wheezy and 'gpg -abs -o Release.gpg Release' with the very same key.
  • The key itself only needs to be made available (web page, key server, debian package, ...)

So, the next steps are:

  • create a pgp key (either for victor@… or vuurmuur@… or even for more people acting as release masters)
  • copy the key to the build servers and
  • do a new release (like 0.8-rc2)
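The repository-signing half of the procedure in comment:3, as an added example that is not Vuurmuur project code or part of this ticket: it builds a scratch dists/wheezy tree with a constructed Packages index, writes Release (via apt-ftparchive when installed, otherwise with the same fields written by hand), signs it with a throwaway key exactly as 'gpg -abs -o Release.gpg Release' does, exports the public key the way a vuurmuur-archive-keyring package would ship it, and then verifies Release.gpg from a separate keyring that holds only that public key. The key uid, addresses and paths are assumed for the example; the per-package signing step done by the build tools is not covered.

```shell
#!/bin/sh
# Added example, not Vuurmuur project code. Builds a scratch apt repository
# tree, writes dists/wheezy/Release, signs it with a throwaway key the way
# the ticket describes, and verifies it from a keyring holding only the
# public key (the consumer side of a vuurmuur-archive-keyring package).
# Requires gnupg; uses apt-ftparchive when present, else writes the same
# Release fields by hand.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/gnupg-signer"    # where the release master's private key lives
CLIENT_HOME="$WORK/gnupg-client"    # stands in for an apt client's trusted keyring
DIST="$WORK/repo/dists/wheezy"
KEYRING="$WORK/vuurmuur-archive-keyring.gpg"
SIGNER_UID="Vuurmuur Archive Signing Key (example) <vuurmuur@example.invalid>"  # assumed uid

# Run gpg non-interactively against a given GNUPGHOME with an empty passphrase.
gpg_batch() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Constructed stand-in for a Packages index (normally from 'apt-ftparchive packages').
make_repo() {
  mkdir -p "$DIST/main/binary-amd64"
  cat > "$DIST/main/binary-amd64/Packages" <<'EOF'
Package: vuurmuur
Version: 0.8-rc2
Architecture: amd64
Filename: pool/main/v/vuurmuur/vuurmuur_0.8-rc2_amd64.deb
EOF
  gzip -c "$DIST/main/binary-amd64/Packages" > "$DIST/main/binary-amd64/Packages.gz"
}

# Equivalent of the ticket's "apt-ftparchive release . > Release" run in dists/wheezy.
make_release() (
  cd "$DIST"
  if command -v apt-ftparchive >/dev/null 2>&1; then
    apt-ftparchive -o APT::FTPArchive::Release::Suite=wheezy \
      -o APT::FTPArchive::Release::Codename=wheezy \
      -o APT::FTPArchive::Release::Architectures=amd64 \
      -o APT::FTPArchive::Release::Components=main \
      release . > Release
  else
    {
      printf 'Suite: wheezy\nCodename: wheezy\nArchitectures: amd64\nComponents: main\n'
      printf 'Date: %s\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
      echo 'SHA256:'
      for f in main/binary-amd64/Packages main/binary-amd64/Packages.gz; do
        printf ' %s %16d %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(wc -c < "$f")" "$f"
      done
    } > Release
  fi
)

# One-time: create the release master's key and export the public half, which is
# what a vuurmuur-archive-keyring package (or a web page) would distribute.
make_key() {
  mkdir -m 700 -p "$SIGNER_HOME" "$CLIENT_HOME"
  gpg_batch "$SIGNER_HOME" --quick-gen-key "$SIGNER_UID" default default never
  gpg_batch "$SIGNER_HOME" --export --output "$KEYRING" "$SIGNER_UID"
  gpg_batch "$CLIENT_HOME" --import "$KEYRING"
}

# The ticket's "gpg -abs -o Release.gpg Release" (detached, ASCII-armoured signature),
# plus the clearsigned InRelease form that newer apt versions look for first.
sign_release() (
  cd "$DIST"
  gpg_batch "$SIGNER_HOME" --local-user "$SIGNER_UID" -abs -o Release.gpg Release
  gpg_batch "$SIGNER_HOME" --local-user "$SIGNER_UID" --clearsign -o InRelease Release
)

# Client-side check using only the exported public key; exit status 0 means a good signature.
verify_release() {
  GNUPGHOME="$CLIENT_HOME" gpg --batch --quiet --verify "$DIST/Release.gpg" "$DIST/Release" 2>/dev/null
}

# Returns 0 only if a modified Release still verifies against the original signature (it must not).
tampered_release_verifies() {
  cp "$DIST/Release" "$WORK/Release.tampered"
  echo 'Origin: attacker' >> "$WORK/Release.tampered"
  GNUPGHOME="$CLIENT_HOME" gpg --batch --quiet --verify "$DIST/Release.gpg" "$WORK/Release.tampered" 2>/dev/null
}

if command -v gpg >/dev/null 2>&1; then
  make_repo
  make_release
  make_key
  sign_release
  verify_release && echo "Release.gpg verifies against $KEYRING"
  ! tampered_release_verifies && echo "a modified Release is rejected"
else
  echo 'gpg not found; install gnupg to run this example' >&2
fi
```

The client-side verification deliberately uses a fresh GNUPGHOME seeded only from the exported public key: that is the situation an apt user is in after installing the keyring package, and it is what makes the "cannot be authenticated" warning go away without ever exposing the signing key outside the build server.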