Rev 1 | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1 | Rev 5 | ||
|---|---|---|---|
| 1 | Basic instructions for setting up GnuPG: |
1 | Basic instructions for setting up GnuPG: |
| 2 | 2 | ||
| 3 | 1. Make sure that the gnupg package is installed. |
3 | 1. Make sure that the gnupg package is installed. |
| 4 | 4 | ||
| 5 | [ If you're using a system-wide debpool user, do all of these in that ] |
5 | [ If you're using a system-wide debpool user, do all of these in that ] |
| 6 | [ account! ] |
6 | [ account! ] |
| 7 | 7 | ||
| 8 | 2. Run gpg twice, with an empty input, to make sure that it creates it's |
8 | 2. Run gpg twice, with an empty input, to make sure that it creates it's |
| 9 | options file and keyrings. On a new account, this should look something |
9 | options file and keyrings. On a new account, this should look something |
| 10 | like the following: |
10 | like the following: |
| 11 | 11 | ||
| 12 | $ echo -n "" | gpg |
12 | $ echo -n "" | gpg |
| 13 | gpg: /home/debpool/.gnupg: directory created |
13 | gpg: /home/debpool/.gnupg: directory created |
| 14 | gpg: /home/debpool/.gnupg/options: new options file created |
14 | gpg: /home/debpool/.gnupg/options: new options file created |
| 15 | gpg: you have to start GnuPG again, so it can read the new options file |
15 | gpg: you have to start GnuPG again, so it can read the new options file |
| 16 | $ echo -n "" | gpg |
16 | $ echo -n "" | gpg |
| 17 | gpg: /home/debpool/.gnupg/secring.gpg: keyring created |
17 | gpg: /home/debpool/.gnupg/secring.gpg: keyring created |
| 18 | gpg: /home/debpool/.gnupg/pubring.gpg: keyring created |
18 | gpg: /home/debpool/.gnupg/pubring.gpg: keyring created |
| 19 | gpg: processing message failed: eof |
19 | gpg: processing message failed: eof |
| 20 | 20 | ||
| 21 | 3. Create a primary key, using the 'gpg --gen-key' command. |
21 | 3. Create a primary key, using the 'gpg --gen-key' command. |
| 22 | 22 | ||
| 23 | NOTE: you don't want to use this key to sign the Release files, if |
23 | NOTE: you don't want to use this key to sign the Release files, if |
| 24 | you're doing that; we'll do that later. |
24 | you're doing that; we'll do that later. |
| 25 | 25 | ||
| 26 | NOTE: You can skip this step if you're running debpool on your own |
26 | NOTE: You can skip this step if you're running debpool on your own |
| 27 | account, and you already have a primary key. |
27 | account, and you already have a primary key. |
| 28 | 28 | ||
| 29 | 4. Import public keys onto one of the uploader keyrings for each |
29 | 4. Import public keys onto one of the uploader keyrings for each |
| 30 | person allowed to upload packages to the archive. Current keys |
30 | person allowed to upload packages to the archive. Current keys |
| 31 | for Debian Developers can be downloaded from the keyserver at |
31 | for Debian Developers can be downloaded from the keyserver at |
| 32 | keyring.debian.org; others must be downloaded from public servers, or |
32 | keyring.debian.org; others must be downloaded from public servers, or |
| 33 | obtained directly from the person in question. The default keyring |
33 | obtained directly from the person in question. The default keyring |
| 34 | to search is 'uploaders.gpg'; this can be changed by adjusting |
34 | to search is 'uploaders.gpg'; this can be changed by adjusting |
| 35 | $Options{'gpg_keyrings'}.
|
35 | $Options{'gpg_keyrings'}.
|
| 36 | 36 | ||
| 37 | Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg' |
37 | Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg' |
| 38 | should suffice. |
38 | should suffice. |
| 39 | 39 | ||
| 40 | Note that signature verification WILL NOT use your default keyring; if |
40 | Note that signature verification WILL NOT use your default keyring; if |
| 41 | you want it to be checked, you must add it to 'gpg_keyrings' explicitly. |
41 | you want it to be checked, you must add it to 'gpg_keyrings' explicitly. |
| 42 | 42 | ||
| 43 | Keys can be imported by the command 'gpg --no-default-keyring --keyring |
43 | Keys can be imported by the command 'gpg --no-default-keyring --keyring |
| 44 | uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import |
44 | uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import |
| 45 | <keyfile>' can be replaced with '--keyserver <server> --recv-keys |
45 | <keyfile>' can be replaced with '--keyserver <server> --recv-keys |
| 46 | <key ID>'). Note that --no-default-keyring is required to prevent the |
46 | <key ID>'). Note that --no-default-keyring is required to prevent the |
| 47 | main keyring (which will not normally be searched) from being the |
47 | main keyring (which will not normally be searched) from being the |
| 48 | default keyring while importing, but that GnuPG won't handle trustdb |
48 | default keyring while importing, but that GnuPG won't handle trustdb |
| 49 | updates unless it has the public key that matches the default secret |
49 | updates unless it has the public key that matches the default secret |
| 50 | key (normally found in ~/.gnupg/pubring.gpg, which is listed *after* |
50 | key (normally found in ~/.gnupg/pubring.gpg, which is listed *after* |
| 51 | uploaders.gpg so that it will still be searched). |
51 | uploaders.gpg so that it will still be searched). |
| 52 | 52 | ||
| 53 | [ If you're only using GPG signature verification, you can stop here. The ] |
53 | [ If you're only using GPG signature verification, you can stop here. The ] |
| 54 | [ rest of this file deals with setting debpool up to do automatic signing ] |
54 | [ rest of this file deals with setting debpool up to do automatic signing ] |
| 55 | [ of Release files. ] |
55 | [ of Release files. ] |
| 56 | 56 | ||
| 57 | 5. Generate an archive signing key using 'gpg --gen-key', and record the |
57 | 5. Generate an archive signing key using 'gpg --gen-key', and record the |
| 58 | passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!) |
58 | passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!) |
| 59 | 59 | ||
| 60 | Yes, this violates traditional practice, but there isn't any other |
60 | Yes, this violates traditional practice, but there isn't any other |
| 61 | way to automatically sign the Release file (though, if you care, you |
61 | way to automatically sign the Release file (though, if you care, you |
| 62 | could always manually sign the Release file after each archive run, or |
62 | could always manually sign the Release file after each archive run, or |
| 63 | turn off debpool's Release file generation and manully generate/sign a |
63 | turn off debpool's Release file generation and manully generate/sign a |
| 64 | Release file for each section). |
64 | Release file for each section). |
| 65 | 65 | ||
| 66 | 6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or |
66 | 6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or |
| 67 | ~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and
|
67 | ~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and
|
| 68 | $Options{'gpg_sign_key'} to the key ID of your archive signing key.
|
68 | $Options{'gpg_sign_key'} to the key ID of your archive signing key.
|
| 69 | Note that this won't have any effect unless you also enable Release |
69 | Note that this won't have any effect unless you also enable Release |
| 70 | file generation (but it won't hurt anything, either). |
70 | file generation (but it won't hurt anything, either). |