Opened 12 years ago

Last modified 5 years ago

#18 assigned enhancement

Investigate adding key signing to debian packages

Reported by: Victor Julien Owned by: Adi Kriegisch
Priority: major Milestone: undecided
Component: autobuilder Version:
Keywords: Cc:

Description

To prevent this message:

WARNING: The following packages cannot be authenticated!

libvuurmuur vuurmuur vuurmuur-conf

Install these packages without verification [y/N]? y

Change History (3)

comment:1 Changed 12 years ago by Victor Julien

Summary: Invesitgate adding key signing to debian packagesInvestigate adding key signing to debian packages

comment:2 Changed 11 years ago by Adi Kriegisch

Status: newassigned

for more information on this take a look at http://wiki.debian.org/SecureApt and inspect the debian-archive-keyring package. The most feasible way to deal with that could be to create our own package: vuurmuur-archive-keyring

Further investigation needed!

comment:3 Changed 5 years ago by Adi Kriegisch

  • package signing will happen "automagically" during the build process when the user running the build has a pgp key in ~/.gnupg directory matching the email address in the latest changelog entry.
  • Repository signing involves running 'apt-ftparchive release . > Release' in /path/to/repo/dists/wheezy and 'gpg -abs -o Release.gpg Release' with the very same key.
  • The key itself needs to be available only (web page, key server, debian package, ...)

So, the next steps are:

  • create a pgp key (either for victor@… or vuurmuur@… or even for more people acting as release masters)
  • copy the key to the build servers and
  • do a new release (like 0.8-rc2)
Note: See TracTickets for help on using tickets.