
Re: Apt-move and pgp signing

Simo Kauppi wrote:
> I understand. I think the idea in those instructions is that afterwards
> you have two secret keyrings. One with your passphrase in it (in .gnupg
> directory) and one without the passphrase (the secring.auto file), which
> seems to me very insecure! So you should somehow tell gpgi, which is run
> from the apt-move script, to use the non-passphrase file (which is
> probably not possible).

You're absolutely correct!  :-)  

I used Kgpg to set up a new key and remove my previous efforts. The
directions said dfsbuild must run as root, so I did the gpg keys that way
as well. 

~$ su -
~# export DISPLAY=:0
~# kgpg

...and then finished it on the command line for the rest:

~# gpg -K
        sec   1024D/256B0DA7 2005-09-25
        uid                  James Vahn <root@short.circuit.com>
        ssb   1024g/88DD80D2 2005-09-25

So far it all looks the same as before. Going with the suggestions in the
FAQ, but leaving out "--homedir ." on a hunch..:

~# gpg --edit 256B0DA7
        Command> addkey
        Key is protected.

        You need a passphrase to unlock the secret key for
        user: "James Vahn <root@short.circuit.com>"
        1024-bit DSA key, ID 256B0DA7, created 2005-09-25

        Please select what kind of key you want:
           (2) DSA (sign only)
           (4) Elgamal (encrypt only)
           (5) RSA (sign only)
           (6) RSA (encrypt only)
        Your selection? 2
<....skipping ahead a little....>
        Key is valid for? (0)
        Key does not expire at all
        Is this correct? (y/N) y
        Really create? (y/N) y

It shows a new key as the last entry:
        sub  1024D/BA756E72  created: 2005-09-25  expires: never  usage: S

Okay. "Command> quit" and save, get out. Let's try something on that new
key. This is the step where the FAQ was too ambiguous ("foo").

~# gpg --edit BA756E72
        Command> passwd

Hit enter on the blank line - twice. It warns about no passphrase, says
that this is a bad thing, but I think it's what I want. The FAQ mentioned
a separate directory ("--homedir ."), but for my purposes... well:

        Command> quit

and save. OK. Editing two lines near the end of /etc/apt-move.conf like
        # Set this to 'none gzip' to get uncompressed Packages/Sources files.
        PKGCOMP='none gzip'

Quotes and all, otherwise it tries to execute gzip right there.

        # Set this to key name to be used for signing Release files.

...and "apt-move packages" now creates Release.gpg files :-)

Some editing of testing/Release (Codename: etch) and a symlink in
/mirrors/debian/dists:

        ~# ln -s testing etch

I see that "Codename: unknown" is hardcoded within apt-move, I wonder
if this shouldn't be $DIST (from apt-move.conf) ...?

Anyway, the wheels finally started to spin:

        ~#  dfsbuild -c /etc/dfsbuild/dfs.cfg -w /root/tmp/
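As an added check that is not part of the original post: once apt-move has written Release.gpg, a small script can confirm that the Release file really carries the intended Codename (not the hardcoded "unknown") and that the detached signature verifies against a keyring holding only the mirror's signing key, before any client is pointed at the tree. The keyring path and the check_dist helper are assumptions, not part of apt-move.

```shell
#!/bin/sh
# Added example, not from the post or from apt-move. Assumes the layout the
# post describes: DIR/Release plus a detached DIR/Release.gpg, and a public
# keyring (hypothetical path) that contains only the mirror signing key.

# release_codename FILE: print the Codename field of a Release file, or
# "unknown" when it is missing (apt-move's hardcoded default, per the post).
release_codename() {
    _cn=$(sed -n 's/^Codename:[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$_cn" ]; then printf '%s\n' "$_cn"; else printf 'unknown\n'; fi
}

# codename_ok FILE EXPECTED: succeed only if the Release file names EXPECTED.
codename_ok() {
    [ "$(release_codename "$1")" = "$2" ]
}

# signature_ok DIR KEYRING: verify DIR/Release.gpg against DIR/Release using
# only KEYRING, so a signature made by any other key on the host is rejected.
signature_ok() {
    gpg --batch --quiet --no-default-keyring --keyring "$2" \
        --verify "$1/Release.gpg" "$1/Release" 2>/dev/null
}

# check_dist DIR KEYRING EXPECTED_CODENAME: run both checks and return 0
# only when the tree is consistent; otherwise say which check failed.
check_dist() {
    if ! codename_ok "$1/Release" "$3"; then
        echo "$1/Release: Codename is '$(release_codename "$1/Release")', expected '$3'" >&2
        return 1
    fi
    if ! signature_ok "$1" "$2"; then
        echo "$1/Release.gpg does not verify with keyring $2" >&2
        return 1
    fi
    echo "$1: Codename and signature ok"
}

# Example invocation (the keyring path is an assumption):
#   check_dist /mirrors/debian/dists/etch /root/mirror-signing-pubkey.gpg etch
```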
