Blame | Last modification | View Log | RSS feed
Basic instructions for setting up GnuPG:1. Make sure that the gnupg package is installed.[ If you're using a system-wide debpool user, do all of these in that ][ account! ]2. Run gpg twice, with an empty input, to make sure that it creates it'soptions file and keyrings. On a new account, this should look somethinglike the following:$ echo -n "" | gpggpg: /home/debpool/.gnupg: directory createdgpg: /home/debpool/.gnupg/options: new options file createdgpg: you have to start GnuPG again, so it can read the new options file$ echo -n "" | gpggpg: /home/debpool/.gnupg/secring.gpg: keyring createdgpg: /home/debpool/.gnupg/pubring.gpg: keyring createdgpg: processing message failed: eof3. Create a primary key, using the 'gpg --gen-key' command.NOTE: you don't want to use this key to sign the Release files, ifyou're doing that; we'll do that later.NOTE: You can skip this step if you're running debpool on your ownaccount, and you already have a primary key.4. Import public keys onto one of the uploader keyrings for eachperson allowed to upload packages to the archive. Current keysfor Debian Developers can be downloaded from the keyserver atkeyring.debian.org; others must be downloaded from public servers, orobtained directly from the person in question. The default keyringto search is 'uploaders.gpg'; this can be changed by adjusting$Options{'gpg_keyrings'}.Don't forget to create the keyring; doing 'touch ~/.gnupg/uploaders.gpg'should suffice.Note that signature verification WILL NOT use your default keyring; ifyou want it to be checked, you must add it to 'gpg_keyrings' explicitly.Keys can be imported by the command 'gpg --no-default-keyring --keyringuploaders.gpg --keyring pubring.gpg --import <keyfile>' (or '--import<keyfile>' can be replaced with '--keyserver <server> --recv-keys<key ID>'). Note that --no-default-keyring is required to prevent themain keyring (which will not normally be searched) from being thedefault keyring while importing, but that GnuPG won't handle trustdbupdates unless it has the public key that matches the default secretkey (normally found in ~/.gnupg/pubring.gpg, which is listed *after*uploaders.gpg so that it will still be searched).[ If you're only using GPG signature verification, you can stop here. The ][ rest of this file deals with setting debpool up to do automatic signing ][ of Release files. ]5. Generate an archive signing key using 'gpg --gen-key', and record thepassphrase in ~/.gnupg/passphrase (make sure it's mode 0600!)Yes, this violates traditional practice, but there isn't any otherway to automatically sign the Release file (though, if you care, youcould always manually sign the Release file after each archive run, orturn off debpool's Release file generation and manully generate/sign aRelease file for each section).6. Edit the appropriate Config.pm file (/etc/debpool/Config.pm or~/.debpool/Config.pm), set $Options{'sign_release'} to 1 and$Options{'gpg_sign_key'} to the key ID of your archive signing key.Note that this won't have any effect unless you also enable Releasefile generation (but it won't hurt anything, either).