Re: reprepro signing.
Ignacio Valdes <email@example.com> writes:
> Hi all, I am trying to get repository signing going with reprepro. I
> have my key built with gpg, Signwith set to yes, Release.gpg gets
> generated. When I try to test it with apt-get update I receive:
> W: GPG error: http://software.astronautvista.com karmic Release: The
> following signatures couldn't be verified because the public key is
> not available: NO_PUBKEY E58B0D050AB78E99
You need to mark the public key of the key pair used to sign your
repository as trusted. This is outside the scope of reprepro, which only
handles the signing. On each client using that repository, you need to
somehow arrange for the public key to be installed and added (using
> When I try to apt-key add from the server I receive
> gpg --keyserver hkp://software.astronautvista.com --recv-keys E58B0D050AB78E99
> gpg: requesting key 0AB78E99 from hkp server software.astronautvista.com
> gpgkeys: HTTP fetch error 7: couldn't connect to host
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
It looks like you're trying to use your Debian archive host as a key
server to retrieve the public key. Unless you've explicitly installed and
configured a PGP keyserver on your repository server, that isn't going to
work; there's nothing on the archive server that speaks the HKP protocol.
This isn't something reprepro does.
The conventional way to handle this is to build a Debian package that
installs the keyring and runs apt-key add, based off of packages like
debian-archive-keyring, and then have all clients install that package.
This requires a one-time confirmation that you're willing to install a
package with an unknown signature. Alternately, you can manually import
the public key into each client using apt-key add. How you obtain the
public key is up to you in that case. Any trusted path works.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>
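As an added example, not part of this thread or of reprepro: a POSIX shell script that stages and builds the kind of archive keyring package described above, shipping the repository's public key and registering it with apt-key from postinst. The package name, version and maintainer are assumptions, and the key id passed to `export_pubkey` is a placeholder for the repository's own.

```shell
#!/bin/sh
# Stage a minimal "archive keyring" package in the style of
# debian-archive-keyring: it ships the repository's public signing key
# and registers it with apt-key from postinst, as described in the reply.
# Package name, version and maintainer are assumptions for this example.
set -eu

# Server side: export the public half of the repository signing key.
# The key id is a placeholder; use the one apt reports after NO_PUBKEY.
export_pubkey() {
    keyid=$1; out=$2
    gpg --export "$keyid" > "$out"
}

# Lay out the package tree: $1 = exported public key (binary .gpg),
# $2 = package name, $3 = version, $4 = staging directory.
stage_keyring_pkg() {
    key=$1; pkg=$2; ver=$3; root=$4/$pkg
    mkdir -p "$root/DEBIAN" "$root/usr/share/keyrings"
    cp "$key" "$root/usr/share/keyrings/$pkg.gpg"
    cat > "$root/DEBIAN/control" <<EOF
Package: $pkg
Version: $ver
Architecture: all
Maintainer: Repository Admin <admin@example.com>
Depends: gnupg
Description: archive signing key for the example repository
 Public key used to verify this repository's Release.gpg.
EOF
    # postinst adds the shipped key to apt's trusted keyring on configure.
    cat > "$root/DEBIAN/postinst" <<EOF
#!/bin/sh
set -e
[ "\$1" = configure ] && apt-key add /usr/share/keyrings/$pkg.gpg
exit 0
EOF
    chmod 755 "$root/DEBIAN/postinst"
}

# Build the staged tree into a .deb that each client installs once.
build_keyring_pkg() {
    root=$1; out=$2
    dpkg-deb --build "$root" "$out"
}
```

Clients that install the resulting package get the key added on their behalf; the one-time prompt about the unsigned package is the only manual trust decision left.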