Re: reprepro signing.

2010-09-15 Thread David Kalnischkies
2010/9/15 Jonathan Wiltshire:
> On Tue, Sep 14, 2010 at 08:42:08PM -0700, Russ Allbery wrote:
>> The conventional way to handle this is to build a Debian package that
>> installs the keyring and runs apt-key add, based off of packages like
>> debian-archive-keyring, and then have all clients install that package.
>
> Or drops the key into /etc/apt/trusted.gpg.d, which doesn't require
> additional handling.

But remember that you will need apt >= 0.7.25.1 to use it and
even apt >= 0.8.0 (or some 0.7.26~exp) if you use it with CDs.
(I hate code copies…)


So if all your clients are >= squeeze everything will be fine,
otherwise (e.g. lenny) you will need to use apt-key magic…

For a bit more background, see #558784.


Best regards

David Kalnischkies


--
To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/aanlktim9bs2gh=tozavrvz0iq1b8wxahte4x+d3nk...@mail.gmail.com



Re: reprepro signing.

2010-09-15 Thread Russ Allbery
Jonathan Wiltshire writes:
> On Tue, Sep 14, 2010 at 08:42:08PM -0700, Russ Allbery wrote:

>> The conventional way to handle this is to build a Debian package that
>> installs the keyring and runs apt-key add, based off of packages like
>> debian-archive-keyring, and then have all clients install that package.

> Or drops the key into /etc/apt/trusted.gpg.d, which doesn't require
> additional handling.

Oh, hey.  Look at that.

Thanks!

-- 
Russ Allbery (r...@debian.org)   





Re: reprepro signing.

2010-09-15 Thread Jonathan Wiltshire
On Tue, Sep 14, 2010 at 08:42:08PM -0700, Russ Allbery wrote:
> The conventional way to handle this is to build a Debian package that
> installs the keyring and runs apt-key add, based off of packages like
> debian-archive-keyring, and then have all clients install that package.

Or drops the key into /etc/apt/trusted.gpg.d, which doesn't require
additional handling.

-- 
Jonathan Wiltshire

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Re: reprepro signing.

2010-09-14 Thread Russ Allbery
Ignacio Valdes writes:

> Hi all, I am trying to get repository signing going with reprepro. I
> have my key built with gpg, Signwith set to yes, Release.gpg gets
> generated. When I try to test it with apt-get update I receive:

> W: GPG error: http://software.astronautvista.com karmic Release: The
> following signatures couldn't be verified because the public key is
> not available: NO_PUBKEY E58B0D050AB78E99

You need to mark the public key of the key pair used to sign your
repository as trusted.  This is outside the scope of reprepro, which only
handles the signing.  On each client using that repository, you need to
somehow arrange for the public key to be installed and added (using
apt-key add).

> When I try to apt-key add from the server I receive

>  gpg --keyserver hkp://software.astronautvista.com --recv-keys E58B0D050AB78E99
> gpg: requesting key 0AB78E99 from hkp server software.astronautvista.com
> gpgkeys: HTTP fetch error 7: couldn't connect to host
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

It looks like you're trying to use your Debian archive host as a key
server to retrieve the public key.  Unless you've explicitly installed and
configured a PGP keyserver on your repository server, that isn't going to
work; there's nothing on the archive server that speaks the HKP protocol.
This isn't something reprepro does.

The conventional way to handle this is to build a Debian package that
installs the keyring and runs apt-key add, based off of packages like
debian-archive-keyring, and then have all clients install that package.
This requires a one-time confirmation that you're willing to install a
package with an unknown signature.  Alternately, you can manually import
the public key into each client using apt-key add.  How you obtain the
public key is up to you in that case.  Any trusted path works.

-- 
Russ Allbery (r...@debian.org)   
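
The client-side step discussed in this thread, as an added example that is not part of any poster's message: it checks an exported public key against a fingerprint obtained over a trusted path before copying it into /etc/apt/trusted.gpg.d. The function names, the file name repo.gpg and the SAMPLE_* values are assumptions; only the key ID E58B0D050AB78E99 comes from the thread.

```shell
#!/bin/sh
# Added example: function names, file names and SAMPLE_* values are constructed.

# 64-bit key IDs that apt reports as NO_PUBKEY (apt-get update output on stdin).
missing_key_ids() {
    tr -s ' \t' '\n\n' |
        awk 'prev == "NO_PUBKEY" && length($0) == 16 { print toupper($0) }
             { prev = $0 }' | sort -u
}

# Primary-key fingerprints in `gpg --with-colons` output (stdin): the fpr
# record directly after a pub record; field 10 holds the fingerprint.
primary_fingerprints() {
    awk -F: '$1 == "pub" { p = 1; next }
             $1 == "sub" { p = 0; next }
             $1 == "fpr" && p { print toupper($10); p = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key whose
# full fingerprint equals $1, the value obtained over a trusted path.
listing_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$(primary_fingerprints)" = "$want" ]
}

# Check KEYFILE (binary export made on the signing host with
# `gpg --export KEYID > repo.gpg`) and only then copy it into apt's keyring
# directory. --show-keys needs a reasonably recent GnuPG 2.x.
install_repo_key() {
    keyfile=$1; want=$2; dir=${3:-/etc/apt/trusted.gpg.d}
    gpg --show-keys --with-colons "$keyfile" | listing_matches "$want" || {
        echo "refusing $keyfile: fingerprint does not match" >&2
        return 1
    }
    install -m 0644 "$keyfile" "$dir/$(basename "$keyfile")"
}

# Constructed sample data: only the key ID E58B0D050AB78E99 is from the thread.
SAMPLE_FPR=0123456789ABCDEF01234567E58B0D050AB78E99
SAMPLE_LISTING="pub:-:1024:17:E58B0D050AB78E99:1284000000:::-:::scESC:
fpr:::::::::$SAMPLE_FPR:
uid:-::::1284000000::::Constructed Repo Key <repo@example.invalid>:
sub:-:2048:16:1111111111111111:1284000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981111111111111111:"
```

The key ID in apt's warning is taken from the signature being checked, so it only tells you which key to look for; the comparison that matters is the full fingerprint against a value received out of band.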





reprepro signing.

2010-09-14 Thread Ignacio Valdes
Hi all, I am trying to get repository signing going with reprepro. I
have my key built with gpg, Signwith set to yes, Release.gpg gets
generated. When I try to test it with apt-get update I receive:

W: GPG error: http://software.astronautvista.com karmic Release: The
following signatures couldn't be verified because the public key is
not available: NO_PUBKEY E58B0D050AB78E99

Release.gpg is definitely available and looks like this:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)

iEYEABECAAYFAkyQNHAACgkQ5YsNBQq3jpl1HACeJcKUKD97/+j94iQxEvjwnLh7
Zo8AoJFdmGk7qAdbZcn3ThhDrLNXel0c
=FAkr
-----END PGP SIGNATURE-----

When I try to apt-key add from the server I receive

 gpg --keyserver hkp://software.astronautvista.com --recv-keys E58B0D050AB78E99
gpg: requesting key 0AB78E99 from hkp server software.astronautvista.com
gpgkeys: HTTP fetch error 7: couldn't connect to host
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I've pored over much documentation but it is extremely sketchy. What is wrong?

-- IV

