Subversion Repositories

?revision_form?Rev ?revision_input??revision_submit??revision_endform?

Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed

Basic instructions for setting up GnuPG:

1. Make sure that the gnupg package is installed.

[ If you're using a system-wide debpool user, do all of these in that     ]
[ account!                                                                ]

2. Run gpg twice, with an empty input, to make sure that it creates it's
   options file and keyrings. On a new account, this should look something
   like the following:

   $ echo -n "" | gpg
   gpg: /home/debpool/.gnupg: directory created
   gpg: /home/debpool/.gnupg/options: new options file created
   gpg: you have to start GnuPG again, so it can read the new options file
   $ echo -n "" | gpg
   gpg: /home/debpool/.gnupg/secring.gpg: keyring created
   gpg: /home/debpool/.gnupg/pubring.gpg: keyring created
   gpg: processing message failed: eof

3. Create a primary key, using the 'gpg --gen-key' command.

   NOTE: you don't want to use this key to sign the Release files, if
   you're doing that; we'll do that later.

   NOTE: You can skip this step if you're running debpool on your own
   account, and you already have a primary key.

4. Import public keys onto one of the uploader keyrings for each
   person allowed to upload packages to the archive. Current keys
   for Debian Developers can be downloaded from the keyserver at
   keyring.debian.org; others must be downloaded from public servers, or
   obtained directly from the person in question. The default keyring
   to search is 'uploaders.gpg'; this can be changed by adjusting
   $Options{'gpg_keyrings'}.

   Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg'
   should suffice.

   Note that signature verification WILL NOT use your default keyring; if
   you want it to be checked, you must add it to 'gpg_keyrings' explicitly.

   Keys can be imported by the command 'gpg --no-default-keyring --keyring
   uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import
   <keyfile>' can be replaced with '--keyserver <server> --recv-keys
   <key ID>'). Note that --no-default-keyring is required to prevent the
   main keyring (which will not normally be searched) from being the
   default keyring while importing, but that GnuPG won't handle trustdb
   updates unless it has the public key that matches the default secret
   key (normally found in ~/.gnupg/pubring.gpg, which is listed *after*
   uploaders.gpg so that it will still be searched).

[ If you're only using GPG signature verification, you can stop here. The ]
[ rest of this file deals with setting debpool up to do automatic signing ]
[ of Release files.                                                       ]

5. Generate an archive signing key using 'gpg --gen-key', and record the
   passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!)

   Yes, this violates traditional practice, but there isn't any other
   way to automatically sign the Release file (though, if you care, you
   could always manually sign the Release file after each archive run, or
   turn off debpool's Release file generation and manully generate/sign a
   Release file for each section).

6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or
   ~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and
   $Options{'gpg_sign_key'} to the key ID of your archive signing key.
   Note that this won't have any effect unless you also enable Release
   file generation (but it won't hurt anything, either).