Re: Apt-move and pgp signing
Simo Kauppi wrote:
> I understand. I think the idea in those instructions is that afterwards
> you have two secret keyrings. One with your passphrase in it (in .gnupg
> directory) and one without the passphrase (the secring.auto file), which
> seems to me very insecure! So you should somehow tell gpgi, which is run
> from the apt-move script, to use the non-passphrase file (which is
> probably not possible).
You're absolutely correct! :-)
I used Kgpg to set up a new key and remove my previous efforts. The
directions said dfsbuild must run as root, so I did the gpg keys that way
as well.
~$ su -
~# export DISPLAY=:0
~# kgpg
...and then finished it on the command line for the rest:
~# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 1024D/256B0DA7 2005-09-25
uid James Vahn <root@short.circuit.com>
ssb 1024g/88DD80D2 2005-09-25
So far it all looks the same as before. Going with the suggestions in the
FAQ, but leaving out "--homedir ." on a hunch..:
~# gpg --edit 256B0DA7
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "James Vahn <root@short.circuit.com>"
1024-bit DSA key, ID 256B0DA7, created 2005-09-25
Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 2
<....skipping ahead a little....>
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
It shows a new key as the last entry:
sub 1024D/BA756E72 created: 2005-09-25 expires: never usage: S
Okay. "Command> quit" and save, get out. Let's try something on that new
key... This is the step where the FAQ was too ambiguous ("foo").
~# gpg --edit BA756E72
Command> passwd
Hit enter on the blank line - twice. It warns about no passphrase, says
that this is a bad thing, but I think it's what I want. The FAQ mentioned
a separate directory ("--homedir ."), but for my purposes... well:
Command> quit
and save. OK. Editing two lines near the end of /etc/apt-move.conf like
so:
# Set this to 'none gzip' to get uncompressed Packages/Sources files.
PKGCOMP='none gzip'
Quotes and all, otherwise it tries to execute gzip right there.
# Set this to key name to be used for signing Release files.
SIGNINGKEY=BA756E72
...and "apt-move packages" now creates Release.gpg files :-)
Some editing of testing/Release (Codename: etch) and a symlink in
/mirrors/debian/dists : ln -s testing etch
I see that "Codename: unknown" is hardcoded within apt-move, I wonder
if this shouldn't be $DIST (from apt-move.conf) ...?
Anyway, the wheels finally started to spin:
~# dfsbuild -c /etc/dfsbuild/dfs.cfg -w /root/tmp/
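The post ends with apt-move producing Release.gpg for a dist whose Release file was hand-edited (Codename) and whose Packages files are stored uncompressed. A signature only proves the Release file was signed by that passphrase-less subkey; it says nothing about whether the Packages files on disk still match what Release lists. The following is an added example, not code from the post or from apt-move, that does the check apt performs after the signature step: it parses a Release file, compares every listed file's size and SHA256 against the file in the dist tree, and confirms the Codename is the one you meant to publish rather than the hardcoded "unknown". The dist layout and sample Packages content are constructed for the example.

```python
"""Verify a Debian-style Release file against the files it lists.

Added example, not part of the mailing-list post or of apt-move.
Assumed layout: DIST_DIR/Release plus the paths it lists, e.g.
main/binary-i386/Packages. Checking Release.gpg is gpg's job; this
covers the step after it: that the tree matches the signed Release.
"""
import hashlib
import os
import tempfile

HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text):
    """Return (fields, entries): header fields, and per-algorithm
    {path: (hexdigest, size)} maps taken from the indented hash lines."""
    fields, entries, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Indented lines belong to the hash section opened just above.
            if current is None:
                raise ValueError("indented line outside a hash section")
            digest, size, path = line.split()
            entries[current][path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in HASH_SECTIONS:
            current = key
            entries.setdefault(key, {})
        else:
            current = None
            fields[key] = value
    return fields, entries


def verify_dist(dist_dir, expected_codename, algo="SHA256"):
    """Return a list of problems; an empty list means the dist checks out."""
    problems = []
    with open(os.path.join(dist_dir, "Release"), encoding="utf-8") as f:
        fields, entries = parse_release(f.read())
    if fields.get("Codename") != expected_codename:
        problems.append("Codename is %r, expected %r"
                        % (fields.get("Codename"), expected_codename))
    listed = entries.get(algo, {})
    if not listed:
        problems.append("Release has no %s section" % algo)
    for path, (digest, size) in listed.items():
        full = os.path.join(dist_dir, path)
        if not os.path.isfile(full):
            problems.append("%s: listed in Release but missing" % path)
            continue
        with open(full, "rb") as f:
            data = f.read()
        if len(data) != size:
            problems.append("%s: size %d != %d" % (path, len(data), size))
        if hashlib.new(HASH_SECTIONS[algo], data).hexdigest() != digest:
            problems.append("%s: %s mismatch" % (path, algo))
    return problems


def build_sample_dist(tamper=False):
    """Construct a tiny dist tree (sample data, not real archive content)."""
    root = tempfile.mkdtemp(prefix="dist-")
    pkg_rel = "main/binary-i386/Packages"
    pkg_data = b"Package: hello\nVersion: 2.1.1-4\nArchitecture: i386\n\n"
    os.makedirs(os.path.join(root, "main", "binary-i386"))
    with open(os.path.join(root, pkg_rel), "wb") as f:
        f.write(pkg_data)
    release = (
        "Origin: Debian\nLabel: Debian\nSuite: testing\n"
        "Codename: etch\nArchitectures: i386\nComponents: main\n"
        "SHA256:\n"
        " %s %d %s\n" % (hashlib.sha256(pkg_data).hexdigest(), len(pkg_data), pkg_rel)
    )
    with open(os.path.join(root, "Release"), "w", encoding="utf-8") as f:
        f.write(release)
    if tamper:
        # Packages changed after Release was written: size and hash now differ.
        with open(os.path.join(root, pkg_rel), "ab") as f:
            f.write(b"Package: extra\n\n")
    return root


if __name__ == "__main__":
    print(verify_dist(build_sample_dist(), "etch"))              # []
    print(verify_dist(build_sample_dist(tamper=True), "etch"))   # two problems
```

Run it after `apt-move packages` with the real dist directory and the codename you set in Release; a non-empty list means Release.gpg is signing a description that no longer matches the mirror, which is exactly the case a passphrase-less automated signing key cannot protect you from.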