Opened 16 years ago
Last modified 9 years ago
#18 assigned enhancement
Investigate adding key signing to debian packages
| Reported by: | Victor Julien | Owned by: | Adi Kriegisch |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | autobuilder | Version: | |
| Keywords: | | Cc: | |
Description
To prevent this message:
WARNING: The following packages cannot be authenticated!
libvuurmuur vuurmuur vuurmuur-conf
Install these packages without verification [y/N]? y
Change History (3)
comment:1 by , 16 years ago
Summary: | Invesitgate adding key signing to debian packages → Investigate adding key signing to debian packages |
---|
comment:2 by , 16 years ago
Status: | new → assigned |
---|
comment:3 by , 9 years ago
- Package signing will happen "automagically" during the build process when the user running the build has a PGP key in the ~/.gnupg directory matching the email address in the latest changelog entry.
- Repository signing involves running 'apt-ftparchive release . > Release' in /path/to/repo/dists/wheezy and 'gpg -abs -o Release.gpg Release' with the very same key.
- The key itself needs to be available only (web page, key server, Debian package, ...)
So, the next steps are:
- create a PGP key (either for victor@… or vuurmuur@… or even for more people acting as release masters)
- copy the key to the build servers and
- do a new release (like 0.8-rc2)
For more information on this, take a look at http://wiki.debian.org/SecureApt and inspect the debian-archive-keyring package. The most feasible way to deal with that could be to create our own package: vuurmuur-archive-keyring
Further investigation needed!
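
An added example (not part of the ticket and not the vuurmuur project's code): the Release file written by the apt-ftparchive step in comment:3 lists checksums of the repository's index files, so the detached signature from the gpg step covers those files indirectly. The Python below checks an index file against a Release body. The function names, `build_release` and the sample data are constructed for illustration, and it assumes Release.gpg has already been verified over the same Release bytes.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        elif in_section:
            break  # the next top-level field ends the section
    return entries

def verify_index(release_text, path, data):
    """Check one index file (bytes) against its entry in the Release file.

    Assumption: the caller has already verified Release.gpg over exactly
    these Release bytes (gpg --verify Release.gpg Release); without that
    step the checksums prove nothing.
    """
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return "not listed"
    digest, size = entries[path]
    if len(data) != size:
        return "size mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return "hash mismatch"
    return "ok"

def build_release(indexes):
    """Hypothetical stand-in for 'apt-ftparchive release' output: {path: bytes} -> text."""
    lines = ["Suite: wheezy", "SHA256:"]
    for path, data in sorted(indexes.items()):
        lines.append(" %s %16d %s" % (hashlib.sha256(data).hexdigest(), len(data), path))
    return "\n".join(lines) + "\n"

# Constructed sample data, not taken from any real repository.
INDEX_PATH = "main/binary-amd64/Packages"
SAMPLE_PACKAGES = b"Package: example-pkg\nVersion: 1.0\n"
SAMPLE_RELEASE = build_release({INDEX_PATH: SAMPLE_PACKAGES})

if __name__ == "__main__":
    print(verify_index(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES))          # intact index
    print(verify_index(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES + b"x"))   # modified index
```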