❦ 1 October 2013 20:30 CEST, Jimmy Kaplowitz <jkaplowitz@google.com>:
> Quick advice-seeking email from me:
>
> Google recently started signing the apt repository from which we serve
> certain packages used in the Google Compute Engine image build process
> (google-startup-scripts, google-compute-daemon, image-bundle, and recently
> also gcutil).
>
> We do want to get these packages into Debian where appropriate so that the
> build can pull solely from the Debian archive, but adding an unknown GPG
> signature broke our current build. Doh! Thank you, Murphy's Law. :)
>
> I think the best short-term way to allow properly authenticated builds is
> to put the Google apt repository's public key somewhere in the github tree,
> apt-key add it before we pull in our repository, but be sure to apt-key
> remove it when we remove our repository.
>
> Does this sound sensible?

Yes. I would put the key under a Google HTTPS controlled domain (for
example, on the same server hosting the APT repository if it is also
able to serve it with HTTPS). This would match what is done by most
third-party repositories.
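
The add-then-remove flow discussed above, as an added example that is not part of the original thread or of any Google or Debian build script: the key file is trusted only if it holds exactly one primary key whose fingerprint equals a pinned value, and the key is deleted again after the build step. The function names, the fingerprint pin and the sample record are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --show-keys --with-colons` output (not a real key).
SAMPLE_COLONS='pub:-:2048:1:89ABCDEF01234567:1380000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1380000000::0000000000000000000000000000000000000000::Example Repo Key (constructed)::::::::::0:
sub:-:2048:1:1111111111111111:1380000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the primary-key fingerprint from colon-format input on stdin.
# Fails if the input holds zero or several primary keys, so a key file
# cannot smuggle an extra trusted key past the pin check.
sole_primary_fpr() {
    awk -F: '$1 == "pub" { n++; want = 1; next }
             want && $1 == "fpr" { fpr = $10; want = 0 }
             END { if (n == 1 && fpr != "") print fpr; else exit 1 }'
}

# Succeed only if stdin describes exactly one key carrying the pinned
# fingerprint. Spaces in the pin are ignored and hex case is folded.
fpr_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(sole_primary_fpr) || return 1
    [ "$got" = "$pin" ]
}

# with_repo_key KEYFILE PINNED_FPR COMMAND...
# Verify the key file, add it to apt's keyring, run COMMAND, then remove it.
with_repo_key() {
    keyfile=$1; pinned=$2; shift 2
    gpg --show-keys --with-colons "$keyfile" | fpr_matches_pin "$pinned" || {
        echo "refusing $keyfile: fingerprint does not match pin" >&2
        return 1
    }
    apt-key add "$keyfile" || return 1
    "$@"; rc=$?
    apt-key del "$pinned"   # drop the key even when COMMAND failed
    return "$rc"
}
```

Run as root, for example `with_repo_key google.key "$PINNED_FPR" apt-get update`, where `google.key` and `PINNED_FPR` are placeholders for the key file in the tree and the fingerprint obtained out of band.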