Rev 1, author magnus

Basic instructions for setting up GnuPG:

1. Make sure that the gnupg package is installed.

[ If you're using a system-wide debpool user, do all of these in that ]
[ account! ]

2. Run gpg twice, with an empty input, to make sure that it creates its
options file and keyrings. On a new account, this should look something
like the following:

$ echo -n "" | gpg
gpg: /home/debpool/.gnupg: directory created
gpg: /home/debpool/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
$ echo -n "" | gpg
gpg: /home/debpool/.gnupg/secring.gpg: keyring created
gpg: /home/debpool/.gnupg/pubring.gpg: keyring created
gpg: processing message failed: eof

3. Create a primary key, using the 'gpg --gen-key' command.

NOTE: you don't want to use this key to sign the Release files, if
you're doing that; we'll do that later.

NOTE: You can skip this step if you're running debpool on your own
account, and you already have a primary key.

4. Import public keys onto one of the uploader keyrings for each
person allowed to upload packages to the archive. Current keys
for Debian Developers can be downloaded from the keyserver at
keyring.debian.org; others must be downloaded from public servers, or
obtained directly from the person in question. The default keyring
to search is 'uploaders.gpg'; this can be changed by adjusting
$Options{'gpg_keyrings'}.

Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg'
should suffice.

Note that signature verification WILL NOT use your default keyring; if
you want it to be checked, you must add it to 'gpg_keyrings' explicitly.

Keys can be imported by the command 'gpg --no-default-keyring --keyring
uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import
<keyfile>' can be replaced with '--keyserver <server> --recv-keys
<key ID>'). Note that --no-default-keyring is required to prevent the
main keyring (which will not normally be searched) from being the
default keyring while importing, but that GnuPG won't handle trustdb
updates unless it has the public key that matches the default secret
key (normally found in ~/.gnupg/pubring.gpg, which is listed *after*
uploaders.gpg so that it will still be searched).

[ If you're only using GPG signature verification, you can stop here. The ]
[ rest of this file deals with setting debpool up to do automatic signing ]
[ of Release files. ]

5. Generate an archive signing key using 'gpg --gen-key', and record the
passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!)

Yes, this violates traditional practice, but there isn't any other
way to automatically sign the Release file (though, if you care, you
could always manually sign the Release file after each archive run, or
turn off debpool's Release file generation and manually generate/sign a
Release file for each section).

6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or
~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and
$Options{'gpg_sign_key'} to the key ID of your archive signing key.
Note that this won't have any effect unless you also enable Release
file generation (but it won't hurt anything, either).
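The two things steps 4 and 5 tell you to get right by hand (the uploader keyrings must exist, and ~/.gnupg/passphrase must be mode 0600) are easy to check before the first archive run. The script below is an added example, not part of debpool; the function names and the way the keyring list is passed in (a space-separated list of file names, relative to the GnuPG directory, in the same order as $Options{'gpg_keyrings'}) are my own assumptions.

```shell
#!/bin/sh
# Added example (not debpool code): sanity-check a debpool GnuPG setup.
# Arguments are the GnuPG home directory and a space-separated list of
# keyring file names relative to it (assumed layout, mirroring gpg_keyrings).

# check_passphrase_file DIR: succeed only if DIR/passphrase is a regular
# file with mode exactly 0600 (step 5). POSIX 'find -perm 600' is an exact
# mode match; -prune keeps find from descending, so only this file is tested.
check_passphrase_file() {
    pf="$1/passphrase"
    if [ ! -f "$pf" ]; then
        echo "missing passphrase file: $pf" >&2
        return 1
    fi
    if [ -z "$(find "$pf" -prune -perm 600 -print)" ]; then
        echo "$pf must be mode 0600 (chmod 0600 '$pf')" >&2
        return 1
    fi
    return 0
}

# check_keyrings DIR "ring1 ring2 ...": succeed only if every listed keyring
# exists (step 4). Signature verification searches only the listed rings, so
# a missing one cannot be consulted at all. Reports every missing ring.
check_keyrings() {
    kr_dir="$1"
    kr_rc=0
    for ring in $2; do
        if [ ! -f "$kr_dir/$ring" ]; then
            echo "keyring $kr_dir/$ring missing; create it with: touch '$kr_dir/$ring'" >&2
            kr_rc=1
        fi
    done
    return "$kr_rc"
}

# check_signing_setup DIR "rings": both checks, for an archive that signs
# Release files (sign_release = 1). Runs both so all problems are reported.
# Verification-only installs need check_keyrings alone.
check_signing_setup() {
    ss_rc=0
    check_keyrings "$1" "$2" || ss_rc=1
    check_passphrase_file "$1" || ss_rc=1
    return "$ss_rc"
}

# Stand-alone use: ./check-gnupg.sh ~/.gnupg "uploaders.gpg pubring.gpg"
if [ "$#" -gt 0 ]; then
    check_signing_setup "$1" "${2:-uploaders.gpg}"
fi
```

Run it as the debpool user so that it sees the same ~/.gnupg the archive runs will use.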