On Thu, Jul 05, 2012 at 12:09:44PM +0400, stalker@locum.ru wrote:
>
> I sign packet with debsign
> dpkg-sig --sign builder mytestpackage_1.2.3_amd64.deb
> and add my key to apt-key
>
> gpg --armor --export >/tmp/mykey
> and sudo apt-key add /tmp/mykey
>
> apt-key list show my key, but apt-get install mytestpackage show
> WARNING: The following packages cannot be authenticated!
>
> what i doing wrong?
You also need the Release file in the apt repository signing.
apt-get doesn't get check per-package signatures? Individual
packages aren't signed by default; just the archive as a whole
via the Release/InRelease files.
Regards,
Roger
--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705084619.GR4080@codelibre.net">http://lists.debian.org/20120705084619.GR4080@codelibre.net
07-05-2012, 11:50 AM
Ivan Shmakov
self signed repository
>>>>> Roger Leigh <rleigh@codelibre.net> writes:
>>>>> On Thu, Jul 05, 2012 at 12:09:44PM +0400, stalker@locum.ru wrote:
[…]
>> apt-key list show my key, but apt-get install mytestpackage show
>> WARNING: The following packages cannot be authenticated!
>> what i doing wrong?
> You also need the Release file in the apt repository signing.
> apt-get doesn't get check per-package signatures? Individual
> packages aren't signed by default; just the archive as a whole via
> the Release/InRelease files.
I've never used such a feature myself, but I believe that
mini-dinstall(1) can maintain a signed Release file (and thus
the repository.)
--
FSF associate member #7257
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 8662a2bf5w.fsf@gray.siamics.net">http://lists.debian.org/8662a2bf5w.fsf@gray.siamics.net
07-05-2012, 12:24 PM
Anton Gorlov
self signed repository
05.07.2012 12:46, Roger Leigh пишет:
You also need the Release file in the apt repository signing.
apt-get doesn't get check per-package signatures? Individual
packages aren't signed by default; just the archive as a whole
via the Release/InRelease files.
On Thu, Jul 05, 2012 at 04:24:12PM +0400, Anton Gorlov wrote:
> 05.07.2012 12:46, Roger Leigh пишет:
> >You also need the Release file in the apt repository signing.
> >apt-get doesn't get check per-package signatures? Individual
> >packages aren't signed by default; just the archive as a whole
> >via the Release/InRelease files.
> but
> apt-get update
> Ign file: squeeze Release.gpg
> Ign file:/opt/work/myrepo/ squeeze/main Translation-en
> Ign file:/opt/work/myrepo/ squeeze/main Translation-en_US
> Ign file: squeeze Release
> Ign file: squeeze/main amd64 Packages
> Ign file: squeeze/main amd64 Packages
> Reading package lists... Done
>
> What I doing wrong?
Not sure. If you want to have a look at a working example, take a
look at how sbuild does this in the sbuild sources in
lib/Sbuild/ResolverBase.pm
We run gpg by hand after creating the archive.
Regards,
Roger
--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705124025.GU4080@codelibre.net">http://lists.debian.org/20120705124025.GU4080@codelibre.net
07-05-2012, 12:59 PM
Anton Gorlov
self signed repository
05.07.2012 16:40, Roger Leigh пишет:
On Thu, Jul 05, 2012 at 04:24:12PM +0400, Anton Gorlov wrote:
05.07.2012 12:46, Roger Leigh пишет:
You also need the Release file in the apt repository signing.
apt-get doesn't get check per-package signatures? Individual
packages aren't signed by default; just the archive as a whole
via the Release/InRelease files.
Not sure. If you want to have a look at a working example, take a
look at how sbuild does this in the sbuild sources in
lib/Sbuild/ResolverBase.pm
We run gpg by hand after creating the archive.
Hm. I try generate Release in top of tree
/opt/work/myrepo/dists/squeeze/
On Thu, Jul 05, 2012 at 04:59:05PM +0400, Anton Gorlov wrote:
> 05.07.2012 16:40, Roger Leigh пишет:
> >On Thu, Jul 05, 2012 at 04:24:12PM +0400, Anton Gorlov wrote:
> >>05.07.2012 12:46, Roger Leigh пишет:
> >>>You also need the Release file in the apt repository signing.
> >>>apt-get doesn't get check per-package signatures? Individual
> >>>packages aren't signed by default; just the archive as a whole
> >>>via the Release/InRelease files.
>
> Hm. I try generate Release in top of tree
> /opt/work/myrepo/dists/squeeze/
>
> stalker@deb60-builder:/opt/work/myrepo/dists/squeeze$ cat Release
> main/binary-amd64/Packages.gz
> after sign
>
> apt-get update
> W: Failed to fetch file:/opt/work/myrepo/dists/squeeze/Release
> Unable to find expected entry main/binary-amd64/Packages in
> Meta-index file (malformed Release file?)
>
> E: Some index files failed to download, they have been ignored, or
> old ones used instead.
I think you might need both Packages and Packages.gz? Maybe
configure apt to only download .gz?
--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705131832.GW4080@codelibre.net">http://lists.debian.org/20120705131832.GW4080@codelibre.net
self signed repository
