
Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



On 2021-07-01 14:26:48 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 2:19 PM, Jeremy Stanley wrote:
> > Also, as others have stated, deb822 might be a cleaner way to
> > express this.
> 
> I'm a little confused - I thought deb822 was just a generic format
> used in various places throughout Debian, including in the Release
> files. Where specifically would the signed-by information be
> stored? In the Release file as you said below, or somewhere on the
> user's machine?

Check out the sources.list manpage:

    "The files list one source per line (one-line style) or contain
    multiline stanzas defining one or more sources per stanza
    (deb822 style), ..."

And then there's an entire DEB822-STYLE FORMAT section which
explains in greater detail.

> > On top of that, you can embed Signed-By fields with your key
> > fingerprint in your repository's Release files, in order to
> > highlight if someone gets an updated index which is signed by a
> > different key than you previously indicated it should be. I
> > think anything as recent as Stretch should support all of this.
> 
> Thanks. Our primary target is Ubuntu - does Ubuntu 18.04 support
> this?

Ubuntu ships tweaked snapshots of Sid for most stuff, and that dates
since well after Stretch froze for release. Of course, try it to be
sure, but I just checked an Ubuntu 16.04 LTS machine and the
sources.list manpage there indicates support for deb822. As for
Signed-By in Release files, Ubuntu 18.04 does seem to have support
according to the apt changelog, any version newer than 1.3 ought to
include support and it has 1.6 so should be plenty new enough for
that.
-- 
Jeremy Stanley
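
An added example, not part of the original message: a small Python audit of deb822-style sources text that reports which enabled stanzas carry no Signed-By field, so apt would accept any key in its trusted keyrings for them. The sample stanzas, URLs and keyring path are constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample input (not from the thread): two deb822-style stanzas.
SAMPLE_SOURCES = """\
# pinned to a single keyring
Types: deb
URIs: https://repo.example.org/apt
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg

Types: deb deb-src
URIs: https://other.example.net/debian
Suites: bullseye
 bullseye-updates
Components: main
"""

def parse_deb822(text):
    """Split deb822 text into stanzas; return a list of {field: value} dicts."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):            # comment line
            continue
        if not line.strip():                # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:     # continuation of previous field
            current[last] += " " + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("not a deb822 field: %r" % line)
            last = name.strip().lower()     # field names are case-insensitive
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def audit_signed_by(text):
    """Return (uris, signed_by_or_None) for every enabled stanza."""
    return [(st.get("uris", ""), st.get("signed-by") or None)
            for st in parse_deb822(text)
            if st.get("enabled", "yes").lower() != "no"]

def unpinned(text):
    """URIs of enabled stanzas that have no Signed-By field."""
    return [uris for uris, key in audit_signed_by(text) if key is None]

if __name__ == "__main__":
    for uris in unpinned(SAMPLE_SOURCES):
        print("no Signed-By:", uris)
```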
