FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 07-05-2012, 08:46 AM
Roger Leigh
 
Default self signed repository

On Thu, Jul 05, 2012 at 12:09:44PM +0400, stalker@locum.ru wrote:
>
> I sign packet with debsign
> dpkg-sig --sign builder mytestpackage_1.2.3_amd64.deb
> and add my key to apt-key
>
> gpg --armor --export >/tmp/mykey
> and sudo apt-key add /tmp/mykey
>
> apt-key list show my key, but apt-get install mytestpackage show
> WARNING: The following packages cannot be authenticated!
>
> what i doing wrong?

You also need the Release file in the apt repository signing.
apt-get doesn't get check per-package signatures? Individual
packages aren't signed by default; just the archive as a whole
via the Release/InRelease files.


Regards,
Roger
--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705084619.GR4080@codelibre.net">http://lists.debian.org/20120705084619.GR4080@codelibre.net
 
Old 07-05-2012, 11:50 AM
Ivan Shmakov
 
Default self signed repository

>>>>> Roger Leigh <rleigh@codelibre.net> writes:
>>>>> On Thu, Jul 05, 2012 at 12:09:44PM +0400, stalker@locum.ru wrote:

[…]

>> apt-key list show my key, but apt-get install mytestpackage show

>> WARNING: The following packages cannot be authenticated!

>> what i doing wrong?

> You also need the Release file in the apt repository signing.
> apt-get doesn't get check per-package signatures? Individual
> packages aren't signed by default; just the archive as a whole via
> the Release/InRelease files.

I've never used such a feature myself, but I believe that
mini-dinstall(1) can maintain a signed Release file (and thus
the repository.)

--
FSF associate member #7257


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 8662a2bf5w.fsf@gray.siamics.net">http://lists.debian.org/8662a2bf5w.fsf@gray.siamics.net
 
Old 07-05-2012, 12:24 PM
Anton Gorlov
 
Default self signed repository

05.07.2012 12:46, Roger Leigh пишет:

You also need the Release file in the apt repository signing.
apt-get doesn't get check per-package signatures? Individual
packages aren't signed by default; just the archive as a whole
via the Release/InRelease files.


Hmm.
Ok. I try generate it file and sign it

#!/bin/bash
base='/opt/work/myrepo/dists/squeeze/main'

cd $base
apt-ftparchive release .
-o APT::FTPArchive::Release::Origin="stalker@locum.ru "
-o APT::FTPArchive::Release::Codename="squeeze" > $base/Release

and sign it by run
gpg -abs -o Release.gpg Release

but
apt-get update
Ign file: squeeze Release.gpg
Ign file:/opt/work/myrepo/ squeeze/main Translation-en
Ign file:/opt/work/myrepo/ squeeze/main Translation-en_US
Ign file: squeeze Release
Ign file: squeeze/main amd64 Packages
Ign file: squeeze/main amd64 Packages
Reading package lists... Done

What I doing wrong?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4FF5876C.8090903@locum.ru">http://lists.debian.org/4FF5876C.8090903@locum.ru
 
Old 07-05-2012, 12:40 PM
Roger Leigh
 
Default self signed repository

On Thu, Jul 05, 2012 at 04:24:12PM +0400, Anton Gorlov wrote:
> 05.07.2012 12:46, Roger Leigh пишет:
> >You also need the Release file in the apt repository signing.
> >apt-get doesn't get check per-package signatures? Individual
> >packages aren't signed by default; just the archive as a whole
> >via the Release/InRelease files.
> but
> apt-get update
> Ign file: squeeze Release.gpg
> Ign file:/opt/work/myrepo/ squeeze/main Translation-en
> Ign file:/opt/work/myrepo/ squeeze/main Translation-en_US
> Ign file: squeeze Release
> Ign file: squeeze/main amd64 Packages
> Ign file: squeeze/main amd64 Packages
> Reading package lists... Done
>
> What I doing wrong?

Not sure. If you want to have a look at a working example, take a
look at how sbuild does this in the sbuild sources in
lib/Sbuild/ResolverBase.pm
We run gpg by hand after creating the archive.


Regards,
Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705124025.GU4080@codelibre.net">http://lists.debian.org/20120705124025.GU4080@codelibre.net
 
Old 07-05-2012, 12:59 PM
Anton Gorlov
 
Default self signed repository

05.07.2012 16:40, Roger Leigh пишет:

On Thu, Jul 05, 2012 at 04:24:12PM +0400, Anton Gorlov wrote:

05.07.2012 12:46, Roger Leigh пишет:

You also need the Release file in the apt repository signing.
apt-get doesn't get check per-package signatures? Individual
packages aren't signed by default; just the archive as a whole
via the Release/InRelease files.

but
apt-get update
Ign file: squeeze Release.gpg
Ign file:/opt/work/myrepo/ squeeze/main Translation-en
Ign file:/opt/work/myrepo/ squeeze/main Translation-en_US
Ign file: squeeze Release
Ign file: squeeze/main amd64 Packages
Ign file: squeeze/main amd64 Packages
Reading package lists... Done

What I doing wrong?

Not sure. If you want to have a look at a working example, take a
look at how sbuild does this in the sbuild sources in
lib/Sbuild/ResolverBase.pm
We run gpg by hand after creating the archive.




Hm. I try generate Release in top of tree
/opt/work/myrepo/dists/squeeze/

stalker@deb60-builder:/opt/work/myrepo/dists/squeeze$ cat Release
Codename: squeeze
Date: Thu, 05 Jul 2012 12:55:11 UTC
Origin: stalker@locum.ru
MD5Sum:
e3e2fab002699f5f8e86b9eb557314f9 754
main/binary-amd64/Packages.gz

SHA1:
f8c75eb4f23a78624c1858c6335fbcfc73e12aed 754
main/binary-amd64/Packages.gz

SHA256:
b9c6fafd16389d4e3bccf11a41609ec0285bd6c5393b96aaa8 786278d03fcf51 754
main/binary-amd64/Packages.gz



if not sign
apt-get update
Ign file: squeeze Release.gpg
Ign file:/opt/work/myrepo/ squeeze/main Translation-en
Ign file:/opt/work/myrepo/ squeeze/main Translation-en_US
Get:1 file: squeeze Release [384 B]
Ign file: squeeze/main amd64 Packages
Ign file: squeeze/main amd64 Packages
Reading package lists... Done

after sign

apt-get update
Ign file:/opt/work/myrepo/ squeeze/main Translation-en
Ign file:/opt/work/myrepo/ squeeze/main Translation-en_US
Get:1 file: squeeze Release.gpg [490 B]
Get:2 file: squeeze Release [384 B]
W: Failed to fetch file:/opt/work/myrepo/dists/squeeze/Release Unable to
find expected entry main/binary-amd64/Packages in Meta-index file
(malformed Release file?)


E: Some index files failed to download, they have been ignored, or old
ones used instead.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4FF58F99.6080908@locum.ru">http://lists.debian.org/4FF58F99.6080908@locum.ru
 
Old 07-05-2012, 01:18 PM
Roger Leigh
 
Default self signed repository

On Thu, Jul 05, 2012 at 04:59:05PM +0400, Anton Gorlov wrote:
> 05.07.2012 16:40, Roger Leigh пишет:
> >On Thu, Jul 05, 2012 at 04:24:12PM +0400, Anton Gorlov wrote:
> >>05.07.2012 12:46, Roger Leigh пишет:
> >>>You also need the Release file in the apt repository signing.
> >>>apt-get doesn't get check per-package signatures? Individual
> >>>packages aren't signed by default; just the archive as a whole
> >>>via the Release/InRelease files.
>
> Hm. I try generate Release in top of tree
> /opt/work/myrepo/dists/squeeze/
>
> stalker@deb60-builder:/opt/work/myrepo/dists/squeeze$ cat Release
> main/binary-amd64/Packages.gz

> after sign
>
> apt-get update
> W: Failed to fetch file:/opt/work/myrepo/dists/squeeze/Release
> Unable to find expected entry main/binary-amd64/Packages in
> Meta-index file (malformed Release file?)
>
> E: Some index files failed to download, they have been ignored, or
> old ones used instead.

I think you might need both Packages and Packages.gz? Maybe
configure apt to only download .gz?

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705131832.GW4080@codelibre.net">http://lists.debian.org/20120705131832.GW4080@codelibre.net
 

Thread Tools




All times are GMT. The time now is 04:26 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org