Opened 16 years ago
Last modified 9 years ago
#18 assigned enhancement
Investigate adding key signing to debian packages
Reported by: Victor Julien | Owned by: Adi Kriegisch
To prevent this message:
WARNING: The following packages cannot be authenticated!
libvuurmuur vuurmuur vuurmuur-conf
Install these packages without verification [y/N]? y
Change History (3)
comment:1 by , 16 years ago
Summary: Invesitgate adding key signing to debian packages → Investigate adding key signing to debian packages
comment:2 by , 16 years ago
Status: new → assigned
comment:3 by , 9 years ago
- Package signing will happen "automagically" during the build process when the user running the build has a PGP key in the ~/.gnupg directory matching the email address in the latest changelog entry.
- Repository signing involves running 'apt-ftparchive release . > Release' in /path/to/repo/dists/wheezy and 'gpg -abs -o Release.gpg Release' with the very same key.
- The key itself only needs to be made available (web page, key server, debian package, ...).
So, the next steps are:
- create a pgp key (either for victor@… or vuurmuur@… or even for more people acting as release masters)
- copy the key to the build servers and
- do a new release (like 0.8-rc2)
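The repository-signing steps in the comment above, as an added shell example that is not part of the ticket or of the Vuurmuur project: it writes Release (with apt-ftparchive when installed, otherwise a minimal stand-in that emits only the SHA256 section), signs it with the same key used for the packages, and performs the two checks an apt client does on the result, verifying the detached signature against a dedicated keyring (the role a vuurmuur-archive-keyring package would play) and recomputing the SHA256 entries. The function names, the key id argument and the one-package sample suite are constructed for illustration; only the tool names and their options are real.

```shell
#!/bin/sh
# Added example, not Vuurmuur project code. Tool names (apt-ftparchive, gpg,
# gpgv) and their options are real; paths, key id and sample data are constructed.

# Hash a file with whatever SHA-256 tool the host has (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write Release for a dists/<suite> directory. Uses the command from the comment
# when apt-ftparchive is installed; otherwise emits a minimal Release carrying
# only the SHA256 section, which is the part apt checks against the index files.
write_release() {
    dist=$1
    if command -v apt-ftparchive >/dev/null 2>&1; then
        (cd "$dist" && apt-ftparchive release . > Release)
        return
    fi
    {
        printf 'Suite: %s\nCodename: %s\nDate: %s\n' "$(basename "$dist")" \
            "$(basename "$dist")" "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        printf 'SHA256:\n'
        # One " <hash> <size> <path>" line per index file, paths relative to the suite.
        (cd "$dist" && find . -type f ! -name 'Release*' ! -name InRelease | sort) |
        while read -r rel; do
            f=$dist/${rel#./}
            printf ' %s %s %s\n' "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "${rel#./}"
        done
    } > "$dist/Release"
}

# Sign Release with the same key that signed the .deb files ('gpg -abs' from the
# comment) and also produce InRelease, the inline-signed form newer apt prefers.
sign_release() {
    dist=$1 keyid=$2
    gpg --batch --yes --local-user "$keyid" -abs -o "$dist/Release.gpg" "$dist/Release"
    gpg --batch --yes --local-user "$keyid" --clearsign -o "$dist/InRelease" "$dist/Release"
}

# Client-side check 1: the detached signature must verify against a keyring that
# holds only the repository key, never the user's personal keyring.
verify_release_signature() {
    gpgv --keyring "$2" "$1/Release.gpg" "$1/Release"
}

# Client-side check 2: recompute size and SHA-256 of every file listed in the
# SHA256 section. Returns non-zero (reporting each file) if any index was altered.
verify_release_hashes() {
    dist=$1
    status=0
    entries=$(awk '/^SHA256:/ {f=1; next} /^[^ ]/ {f=0} f {print $1, $2, $3}' "$dist/Release")
    [ -n "$entries" ] || { echo "no SHA256 section in $dist/Release" >&2; return 1; }
    while read -r hash size path; do
        f=$dist/$path
        if [ ! -f "$f" ]; then
            echo "MISSING  $path" >&2; status=1; continue
        fi
        if [ "$(wc -c < "$f" | tr -d ' ')" != "$size" ] || [ "$(sha256_of "$f")" != "$hash" ]; then
            echo "MISMATCH $path" >&2; status=1
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Constructed one-package suite (not real vuurmuur packages) so the functions
# above can be exercised offline.
make_sample_dist() {
    dist=$1
    mkdir -p "$dist/main/binary-amd64"
    cat > "$dist/main/binary-amd64/Packages" <<'EOF'
Package: vuurmuur
Version: 0.8~rc2-1
Architecture: amd64
Filename: pool/main/v/vuurmuur/vuurmuur_0.8~rc2-1_amd64.deb

EOF
    write_release "$dist"
}

# Usage when run directly: sh sign-repo.sh /path/to/repo/dists/wheezy <keyid> [keyring]
if [ -n "${1:-}" ]; then
    write_release "$1"
    sign_release "$1" "$2"
    verify_release_hashes "$1" && echo "index hashes OK"
    if [ -n "${3:-}" ]; then verify_release_signature "$1" "$3"; fi
fi
```

The hash check is what makes the single signature on Release cover every Packages file and, through the SHA256 fields inside them, every .deb; apt refuses the whole suite if one entry does not match, so the Release must be regenerated and re-signed on every upload. The keyring passed to gpgv should contain only the release key, which is exactly what shipping it in a dedicated archive-keyring package provides.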
For more information on this take a look at http://wiki.debian.org/SecureApt and inspect the debian-archive-keyring package. The most feasible way to deal with that could be to create our own package: vuurmuur-archive-keyring
Further investigation needed!