
Custom repository and "WARNING: The following packages cannot be authenticated!"



Hello gurus,

I'm hoping someone can give me a hand.

I have been running my own repository for a while now, and with the
release of etch as the new stable just around the corner, I would like
to add my own authentication to my repository.  So I set up an install
host running etch, put a repository on it, and followed the instructions
to set up authentication -- but it's a no-go.  I admit that I have a
problem understanding what I'm doing, since I've never used gnupg or pgp
before.  I'm hoping some kind soul on the list here can take a look at
what I've done and will see what I've got wrong.

Here's what I've done:

1) First, I created a gpg key with the following script, gpg-gen-key.
It relies on the existence of a file named passphrase.txt that holds my
passphrase.  (The whole process is automated on a secure host, so I'm
not worried about users being able to read the file.)  The script follows:

   #!/bin/bash

   set -e
   set -x

   # Resolve the directory holding this script (quoted so paths with spaces work)
   this_dir=$(cd "$(dirname "${0}")" && pwd)
   gpg_home="${this_dir}/.gnupg"
   input_file="${this_dir}/input.txt"

   test -d "${gpg_home}" \
   || mkdir "${gpg_home}"
   test -d "${gpg_home}" \
   && chmod 0700 "${gpg_home}"

   test -f "${this_dir}/passphrase.txt"
   test -f "${this_dir}/input.txt" \
   || cat > "${input_file}" << EOF
   1
   2048
   0
   y
   Michael Peek
   peek@tiem.utk.edu

   o

   EOF

   test -f "${gpg_home}/pubring.gpg" \
   || gpg \
           --homedir "${gpg_home}" \
           --command-file "${this_dir}/input.txt" \
           --passphrase-file "${this_dir}/passphrase.txt" \
           --gen-key \
           2>&1

   str=$( \
       gpg --homedir "${gpg_home}" --list-keys 2>&1 \
       | grep '^pub' \
       | head -1 \
       | awk '{print $2}' \
       | awk -F/ '{print $2}' \
       )

   echo "${str}" > tiem.id

   test -f tiem.key \
   || gpg --homedir "${gpg_home}" --armor --export "${str}" > tiem.key

   # vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh:

This script generates a .gnupg/ directory, and spits out a tiem.key file
containing the key that I give to apt-key on my clients.  An example of
each file:

tiem.key:

   -----BEGIN PGP PUBLIC KEY BLOCK-----
   Version: GnuPG v1.4.6 (GNU/Linux)

   mQGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9pq

   ...stuff...

   ...stuff...

   ...stuff...

   D8NXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXJqR
   dKKfig==
   =8w/+
   -----END PGP PUBLIC KEY BLOCK-----

tiem.id:

   666C18A7

2) Next, I use the above keys to sign my Release file, placing the
signature in Release.gpg.  This is done with another script, gpg-sign,
which follows:

   #!/bin/bash

   set -e
   set -x

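   # Usage: gpg-sign <file-to-sign> <signature-output>
   this_dir=$(cd "$(dirname "${0}")" && pwd)
   gpg_home="${this_dir}/.gnupg"
   test -d "${gpg_home}"
   test -f "${this_dir}/passphrase.txt"
   gpg --homedir "${gpg_home}" --list-keys
   # Take the short key ID of the first public key in the keyring
   str=$( \
       gpg --homedir "${gpg_home}" --list-keys 2>&1 \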
       | grep '^pub' \
       | head -1 \
       | awk '{print $2}' \
       | awk -F/ '{print $2}' \
       )

   test ! -f "${2}" \
   || rm -f "${2}"

   gpg \
       --homedir "${gpg_home}" \
       --passphrase-file "${this_dir}/passphrase.txt" \
       --default-key "${str}" \
       -abs \
       -o "${2}" "${1}" \
       2>&1

   # vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh:

An example of the Release.gpg file:

   -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v1.4.6 (GNU/Linux)

   iD8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA8d
   Z6CXXXXXXXXXXXXXXXXXXQw=
   =3twD
   -----END PGP SIGNATURE-----

3) On the client I add the key generated above in step 1 via apt-key.
The output of apt-key list is as follows:

   /etc/apt/trusted.gpg
   --------------------
   pub   1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
   uid                  Debian Archive Automatic Signing Key (2006)
   <ftpmaster@debian.org>

   pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
   uid                  Debian Archive Automatic Signing Key (4.0/etch)
   <ftpmaster@debian.org>

   pub   1024D/1F41B907 1999-10-03
   uid                  Christian Marillat <marillat@debian.org>
   uid                  Christian Marillat <marillat@free.fr>
   sub   1536g/C28DCC42 1999-10-03
   sub   1024D/5D3877A7 2002-08-26

   pub   1024D/666C18A7 2007-02-27
   uid                  Michael Peek <peek@tiem.utk.edu>
   sub   2048g/969F8B67 2007-02-27

   pub   1024D/ADB11277 2006-09-17
   uid                  Etch Stable Release Key
   <debian-release@lists.debian.org>

Notice the 666C18A7 key -- that's mine.

4) I run apt-get update, and get:

   Ign http://install1 etch Release.gpg
   Ign http://install1 etch Release
   Ign http://install1 etch/main Packages/DiffIndex
   Ign http://install1 etch/non-free Packages/DiffIndex
   Ign http://install1 etch/contrib Packages/DiffIndex
   Ign http://install1 etch/main Packages
   Ign http://install1 etch/non-free Packages
   Ign http://install1 etch/contrib Packages
   Hit http://install1 etch/main Packages
   Hit http://install1 etch/non-free Packages
   Hit http://install1 etch/contrib Packages
   Get:1 http://security.debian.org etch/updates Release.gpg [189B]
   Get:2 http://ftp.us.debian.org etch Release.gpg [189B]
   Hit http://security.debian.org etch/updates Release
   Hit http://ftp.us.debian.org etch Release
   Get:3 http://debian-multimedia.org etch Release.gpg [189B]
   Ign http://security.debian.org etch/updates/main Packages/DiffIndex
   Hit http://ftp.us.debian.org etch/main Packages/DiffIndex
   Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
   Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
   Hit http://debian-multimedia.org etch Release
   Hit http://ftp.us.debian.org etch/non-free Packages/DiffIndex
   Hit http://ftp.us.debian.org etch/contrib Packages/DiffIndex
   Hit http://ftp.us.debian.org etch/main Sources/DiffIndex
   Hit http://ftp.us.debian.org etch/non-free Sources/DiffIndex
   Hit http://ftp.us.debian.org etch/contrib Sources/DiffIndex
   Hit http://security.debian.org etch/updates/main Packages
   Hit http://security.debian.org etch/updates/contrib Packages
   Ign http://debian-multimedia.org etch/main Packages/DiffIndex
   Hit http://security.debian.org etch/updates/non-free Packages
   Hit http://debian-multimedia.org etch/main Packages
   Fetched 191B in 1s (140B/s)
   Reading package lists... Done

The lines that read "http://install1" are for my repository. Notice that
apt-get does in fact (claim to) download my Release.gpg file.

5) But when I go to install a package from my repository, I get the
following error:

   # apt-get install tiem-exim4-workstation-cfg
   Reading package lists... Done
   Building dependency tree... Done
   The following extra packages will be installed:
     tiem-exim4-common-cfg
   The following NEW packages will be installed:
     tiem-exim4-common-cfg tiem-exim4-workstation-cfg
   0 upgraded, 2 newly installed, 0 to remove and 23 not upgraded.
   Need to get 0B/26.2kB of archives.
   After unpacking 258kB of additional disk space will be used.
   Do you want to continue [Y/n]?
   WARNING: The following packages cannot be authenticated!
     tiem-exim4-common-cfg tiem-exim4-workstation-cfg
   Install these packages without verification [y/N]?

Some sources claim that running apt-get update will solve this problem,
but it doesn't seem to make a difference for me.

Can anyone see what I've got wrong?  I totally don't understand...

Thanks for your help,

Michael Peek
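
Added example, not part of the original message: a shell filter over `apt-get update` output in the format shown in step 4. In that format `Get:N` and `Hit` mark a file apt obtained or already holds, while `Ign` and `Err` mark one it did not retrieve; the filter lists every source whose `Release.gpg` was never obtained. The function names and the embedded sample lines are constructed for illustration, and the four-column line layout is assumed to match the output above.

```shell
#!/bin/sh
# Constructed sample: a few lines in the apt-get update format shown in step 4.
sample_update_output() {
cat <<'EOF'
Ign http://install1 etch Release.gpg
Ign http://install1 etch Release
Hit http://install1 etch/main Packages
Get:1 http://security.debian.org etch/updates Release.gpg [189B]
Hit http://security.debian.org etch/updates Release
Get:3 http://debian-multimedia.org etch Release.gpg [189B]
Hit http://debian-multimedia.org etch Release
EOF
}

# Read apt-get update output on stdin and print "URL SUITE" for every source
# whose Release.gpg line never shows Get:N or Hit. Packages from such a source
# have no signature for apt to check, whatever keys are in the trusted keyring.
unsigned_sources() {
  awk '
    $4 == "Release.gpg" {
      key = $2 " " $3
      # Remember first-seen order so the report is stable.
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      # A later successful fetch of the same file clears the source.
      if ($1 ~ /^(Get:[0-9]+|Hit)$/) ok[key] = 1
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(order[i] in ok)) print order[i]
    }'
}

# Demo on the constructed sample: ./script --demo
# Live use (assumes the same output format): apt-get update 2>&1 | unsigned_sources
if [ "${1:-}" = "--demo" ]; then
  sample_update_output | unsigned_sources
fi
```
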


