
Re: Apt-move and pgp signing

On Sun, Sep 25, 2005 at 07:50:01AM -0700, James Vahn wrote:
> Simo Kauppi wrote:
> > James Vahn wrote:
> >>         # Set this to key name to be used for signing Release files.
> >>         SIGNINGKEY=
> >>                    ^^^^^^^^
> >> What is it wanting me to put there? 
> > 
> > Hi,
> > 
> > I haven't used apt-move, but from the gpg point of view the name is
> > either the name of the user or the key-id. In your case C633A12A or
> > "James Vahn".
> > 
> > The problem here is that apt-move uses gpg in batch mode and in batch
> > mode it cannot ask you your passphrase. In that case you shouldn't use
> > passphrase with your signing key.
> Exactly. I get the same error running apt-move's internal gpg command
> directly. Remove "--batch" and it asks for a passphrase. That isn't
> going to work from a script at all.
> > Have a look at http://www.gnupg.org/documentation/faqs.html#q4.14
> I got as far as "gpg --homedir . --edit C633A12A" which created two
> new files: secring.gpg and pubring.gpg ..  Unfortunately I was not given
> the option to use "passwd" as per the instructions, and pointing apt-move
> to "secring.gpg" or "C633A12A" gave me the all too familiar error messages.

I understand. I think the idea in those instructions is that afterwards
you have two secret keyrings. One with your passphrase in it (in .gnupg
directory) and one without the passphrase (the secring.auto file), which
seems to me very insecure! So you should somehow tell gpg, which is run
from the apt-move script, to use the non-passphrase file (which is
probably not possible).

> Gpg is complicated; the instructions are lengthy and unclear, the FAQ
> creates more questions. An ugly mess. If I find the solution it will be
> by accident and I will not trust it. :)

I agree.

Like I said, I haven't used apt-move so I don't necessarily understand
what the key is used for (probably signing package files?).

I would just create a new pgp-key for that purpose only. I.e. creating a
key for signing only without the passphrase (just hitting enter when it
asks for one).

Googling around seemed to suggest using a non-passphrase pgp-key with

> I really appreciate the clues though. I'm at my wits end with this and
> am up against a wall, but you've knocked a brick loose for me - thank
> you!
> My next step will likely involve examining dfsbuild's source code and
> seeing if there's a way to disable the GPG requirement. I suspect that
> will be a far simpler task.. <chuckle>
Good luck!
:r ~/.signature
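One way to set up what this reply suggests, as an added example that is not part of the thread: a dedicated signing-only key with no passphrase, kept in its own GNUPGHOME, used non-interactively with --batch to sign a Release file, and then verified (including after the file is tampered with). It assumes GnuPG 2.1 or later (the --quick-generate-key interface); the key name, file names and Release contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated passphrase-less, signing-only key
# kept in its OWN GnuPG home directory, so a script can sign Release files with
# --batch while the personal key keeps its passphrase. Assumes GnuPG >= 2.1.
set -eu

# Constructed stand-in for a repository Release file.
make_release_file() {
    printf 'Origin: example\nSuite: stable\nArchitectures: amd64\n' > "$1"
}

# Create the isolated keyring: usage "sign", no expiry, empty passphrase.
init_signing_home() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'apt-move Release signing (example key)' rsa3072 sign never
}

# Non-interactive detached signature, the way a script has to call gpg.
sign_release() {
    GNUPGHOME=$1 gpg --batch --quiet --yes --armor --detach-sign \
        --output "$2.gpg" "$2"
}

# Exit status 0 only if Release.gpg verifies against the signing keyring.
verify_release() {
    GNUPGHOME=$1 gpg --batch --quiet --verify "$2.gpg" "$2" 2>/dev/null
}

# End to end: sign, verify, then tamper with the file and expect verification to fail.
demo() {
    work=$(mktemp -d)
    init_signing_home "$work/keyring"
    make_release_file "$work/Release"
    sign_release "$work/keyring" "$work/Release"
    verify_release "$work/keyring" "$work/Release" && good=0 || good=1
    printf 'Version: tampered\n' >> "$work/Release"
    verify_release "$work/keyring" "$work/Release" && bad=0 || bad=1
    GNUPGHOME=$work/keyring gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Pointing a signing script at this separate directory keeps the unprotected key out of the personal keyring, which is the "two secret keyrings" situation the reply describes, made explicit and confined to one purpose.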
