Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | magnus | 1 | Basic instructions for setting up GnuPG: |
| 2 | |||
| 3 | 1. Make sure that the gnupg package is installed. |
||
| 4 | |||
| 5 | [ If you're using a system-wide debpool user, do all of these in that ] |
||
| 6 | [ account! ] |
||
| 7 | |||
| 8 | 2. Run gpg twice, with an empty input, to make sure that it creates it's |
||
| 9 | options file and keyrings. On a new account, this should look something |
||
| 10 | like the following: |
||
| 11 | |||
| 12 | $ echo -n "" | gpg |
||
| 13 | gpg: /home/debpool/.gnupg: directory created |
||
| 14 | gpg: /home/debpool/.gnupg/options: new options file created |
||
| 15 | gpg: you have to start GnuPG again, so it can read the new options file |
||
| 16 | $ echo -n "" | gpg |
||
| 17 | gpg: /home/debpool/.gnupg/secring.gpg: keyring created |
||
| 18 | gpg: /home/debpool/.gnupg/pubring.gpg: keyring created |
||
| 19 | gpg: processing message failed: eof |
||
| 20 | |||
| 21 | 3. Create a primary key, using the 'gpg --gen-key' command. |
||
| 22 | |||
| 23 | NOTE: you don't want to use this key to sign the Release files, if |
||
| 24 | you're doing that; we'll do that later. |
||
| 25 | |||
| 26 | NOTE: You can skip this step if you're running debpool on your own |
||
| 27 | account, and you already have a primary key. |
||
| 28 | |||
| 29 | 4. Import public keys onto one of the uploader keyrings for each |
||
| 30 | person allowed to upload packages to the archive. Current keys |
||
| 31 | for Debian Developers can be downloaded from the keyserver at |
||
| 32 | keyring.debian.org; others must be downloaded from public servers, or |
||
| 33 | obtained directly from the person in question. The default keyring |
||
| 34 | to search is 'uploaders.gpg'; this can be changed by adjusting |
||
| 35 | $Options{'gpg_keyrings'}. |
||
| 36 | |||
| 37 | Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg' |
||
| 38 | should suffice. |
||
| 39 | |||
| 40 | Note that signature verification WILL NOT use your default keyring; if |
||
| 41 | you want it to be checked, you must add it to 'gpg_keyrings' explicitly. |
||
| 42 | |||
| 43 | Keys can be imported by the command 'gpg --no-default-keyring --keyring |
||
| 44 | uploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import |
||
| 45 | <keyfile>' can be replaced with '--keyserver <server> --recv-keys |
||
| 46 | <key ID>'). Note that --no-default-keyring is required to prevent the |
||
| 47 | main keyring (which will not normally be searched) from being the |
||
| 48 | default keyring while importing, but that GnuPG won't handle trustdb |
||
| 49 | updates unless it has the public key that matches the default secret |
||
| 50 | key (normally found in ~/.gnupg/pubring.gpg, which is listed *after* |
||
| 51 | uploaders.gpg so that it will still be searched). |
||
| 52 | |||
| 53 | [ If you're only using GPG signature verification, you can stop here. The ] |
||
| 54 | [ rest of this file deals with setting debpool up to do automatic signing ] |
||
| 55 | [ of Release files. ] |
||
| 56 | |||
| 57 | 5. Generate an archive signing key using 'gpg --gen-key', and record the |
||
| 58 | passphrase in ~/.gnupg/passphrase (make sure it's mode 0600!) |
||
| 59 | |||
| 60 | Yes, this violates traditional practice, but there isn't any other |
||
| 61 | way to automatically sign the Release file (though, if you care, you |
||
| 62 | could always manually sign the Release file after each archive run, or |
||
| 63 | turn off debpool's Release file generation and manully generate/sign a |
||
| 64 | Release file for each section). |
||
| 65 | |||
| 66 | 6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or |
||
| 67 | ~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and |
||
| 68 | $Options{'gpg_sign_key'} to the key ID of your archive signing key. |
||
| 69 | Note that this won't have any effect unless you also enable Release |
||
| 70 | file generation (but it won't hurt anything, either). |