Rev 1 | Rev 5
Basic instructions for setting up GnuPG:

1. Make sure that the gnupg package is installed.

   [ If you're using a system-wide debpool user, do all of these in that ]
   [ account! ]

2. Run gpg twice, with an empty input, to make sure that it creates its
   options file and keyrings. On a new account, this should look something
   like the following:

   $ echo -n "" | gpg
   gpg: /home/debpool/.gnupg: directory created
   gpg: /home/debpool/.gnupg/options: new options file created
   gpg: you have to start GnuPG again, so it can read the new options file
   $ echo -n "" | gpg
   gpg: /home/debpool/.gnupg/secring.gpg: keyring created
   gpg: /home/debpool/.gnupg/pubring.gpg: keyring created
   gpg: processing message failed: eof

3. Create a primary key, using the 'gpg --gen-key' command.

   NOTE: you don't want to use this key to sign the Release files, if
   you're doing that; we'll do that later.

   NOTE: You can skip this step if you're running debpool on your own
   account, and you already have a primary key.

4. Import public keys onto one of the uploader keyrings for each
   person allowed to upload packages to the archive. Current keys
   for Debian Developers can be downloaded from the keyserver at
   keyring.debian.org; others must be downloaded from public servers, or
   obtained directly from the person in question. The default keyring
   to search is 'uploaders.gpg'; this can be changed by adjusting
   $Options{'gpg_keyrings'}.

   Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg'
   should suffice.

   Note that signature verification WILL NOT use your default keyring; if
   you want it to be checked, you must add it to 'gpg_keyrings' explicitly.

   Keys can be imported by the command 'gpg --no-default-keyring --keyring
   uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import
   <keyfile>' can be replaced with '--keyserver <server> --recv-keys
   <key ID>'). Note that --no-default-keyring is required to prevent the
   main keyring (which will not normally be searched) from being the
   default keyring while importing; however, GnuPG won't handle trustdb
   updates unless it has the public key that matches the default secret
   key (normally found in ~/.gnupg/pubring.gpg, which is therefore listed
   *after* uploaders.gpg so that it will still be searched).

[ If you're only using GPG signature verification, you can stop here. The ]
[ rest of this file deals with setting debpool up to do automatic signing ]
[ of Release files. ]

5. Generate an archive signing key using 'gpg --gen-key', and record the
   passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!)

   Yes, this violates traditional practice, but there isn't any other
   way to automatically sign the Release file (though, if you care, you
   could always manually sign the Release file after each archive run, or
   turn off debpool's Release file generation and manually generate/sign a
   Release file for each section).

6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or
   ~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and
   $Options{'gpg_sign_key'} to the key ID of your archive signing key.
   Note that this won't have any effect unless you also enable Release
   file generation (but it won't hurt anything, either).
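The keyring-selection rule from step 4 and the passphrase-file rule from step 5, written out as an added POSIX sh example (not debpool's own code). It assumes GnuPG's default ~/.gnupg home and the keyring names used above; the argument builder and the mode check run without gpg installed, while the import and verify helpers call the real gpg.

```shell
#!/bin/sh
# Added example, not part of debpool. Encodes the keyring and
# passphrase-file rules from the setup notes as checkable functions.
# Assumed: keyrings live in the default ~/.gnupg and are named
# uploaders.gpg and pubring.gpg, as in the notes.

# Keyring arguments for importing uploader keys and verifying uploads:
# --no-default-keyring stops the main keyring from becoming the import
# target, and pubring.gpg is listed *after* uploaders.gpg so the trustdb
# update still finds the public half of the default secret key.
gpg_keyring_args() {
    printf '%s' "--no-default-keyring --keyring uploaders.gpg --keyring pubring.gpg"
}

# Import one uploader's key from a file, or fetch it by key ID from a
# keyserver: import_uploader_key <keyfile> | --from-server <server> <keyid>
# (the unquoted $(...) is intentional: the arguments must word-split).
import_uploader_key() {
    if [ "$1" = "--from-server" ]; then
        gpg $(gpg_keyring_args) --keyserver "$2" --recv-keys "$3"
    else
        gpg $(gpg_keyring_args) --import "$1"
    fi
}

# Verify a signed .changes file against the uploader keyrings only,
# never the default keyring (mirrors debpool's gpg_keyrings behaviour).
verify_upload() {
    gpg $(gpg_keyring_args) --verify "$1"
}

# Check the passphrase file read for automatic Release signing: it must
# exist, be a regular file and be mode 0600 (-rw-------). The mode is
# read from ls so the check works on both GNU and BSD userlands.
# Returns 0 when the file is acceptable, 1 otherwise.
check_passphrase_file() {
    f="${1:-$HOME/.gnupg/passphrase}"
    [ -f "$f" ] || { echo "missing passphrase file: $f" >&2; return 1; }
    perm=$(ls -ld "$f" | cut -c1-10)
    if [ "$perm" != "-rw-------" ]; then
        echo "bad mode on $f: $perm (want -rw-------)" >&2
        return 1
    fi
    return 0
}
```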