Subversion Repositories

?revision_form?Rev ?revision_input??revision_submit??revision_endform?

Go to most recent revision | Details | Last modification | View Log | RSS feed

Rev Author Line No. Line
1 magnus 1
Basic instructions for setting up GnuPG:
2
 
3
1. Make sure that the gnupg package is installed.
4
 
5
[ If you're using a system-wide debpool user, do all of these in that     ]
6
[ account!                                                                ]
7
 
8
2. Run gpg twice, with an empty input, to make sure that it creates it's
9
   options file and keyrings. On a new account, this should look something
10
   like the following:
11
 
12
   $ echo -n "" | gpg
13
   gpg: /home/debpool/.gnupg: directory created
14
   gpg: /home/debpool/.gnupg/options: new options file created
15
   gpg: you have to start GnuPG again, so it can read the new options file
16
   $ echo -n "" | gpg
17
   gpg: /home/debpool/.gnupg/secring.gpg: keyring created
18
   gpg: /home/debpool/.gnupg/pubring.gpg: keyring created
19
   gpg: processing message failed: eof
20
 
21
3. Create a primary key, using the 'gpg --gen-key' command.
22
 
23
   NOTE: you don't want to use this key to sign the Release files, if
24
   you're doing that; we'll do that later.
25
 
26
   NOTE: You can skip this step if you're running debpool on your own
27
   account, and you already have a primary key.
28
 
29
4. Import public keys onto one of the uploader keyrings for each
30
   person allowed to upload packages to the archive. Current keys
31
   for Debian Developers can be downloaded from the keyserver at
32
   keyring.debian.org; others must be downloaded from public servers, or
33
   obtained directly from the person in question. The default keyring
34
   to search is 'uploaders.gpg'; this can be changed by adjusting
35
   $Options{'gpg_keyrings'}.
36
 
37
   Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg'
38
   should suffice.
39
 
40
   Note that signature verification WILL NOT use your default keyring; if
41
   you want it to be checked, you must add it to 'gpg_keyrings' explicitly.
42
 
43
   Keys can be imported by the command 'gpg --no-default-keyring --keyring
44
   uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import
45
   <keyfile>' can be replaced with '--keyserver <server> --recv-keys
46
   <key ID>'). Note that --no-default-keyring is required to prevent the
47
   main keyring (which will not normally be searched) from being the
48
   default keyring while importing, but that GnuPG won't handle trustdb
49
   updates unless it has the public key that matches the default secret
50
   key (normally found in ~/.gnupg/pubring.gpg, which is listed *after*
51
   uploaders.gpg so that it will still be searched).
52
 
53
[ If you're only using GPG signature verification, you can stop here. The ]
54
[ rest of this file deals with setting debpool up to do automatic signing ]
55
[ of Release files.                                                       ]
56
 
57
5. Generate an archive signing key using 'gpg --gen-key', and record the
58
   passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!)
59
 
60
   Yes, this violates traditional practice, but there isn't any other
61
   way to automatically sign the Release file (though, if you care, you
62
   could always manually sign the Release file after each archive run, or
63
   turn off debpool's Release file generation and manully generate/sign a
64
   Release file for each section).
65
 
66
6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or
67
   ~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and
68
   $Options{'gpg_sign_key'} to the key ID of your archive signing key.
69
   Note that this won't have any effect unless you also enable Release
70
   file generation (but it won't hurt anything, either).