
Custom repository and "WARNING: The following packages cannot be authenticated!"

Hello gurus,

I'm hoping someone can give me a hand.

I have been running my own repository for a while now, and with the release of etch as the new stable just around the corner, I would like to add my own authentication to my repository. So I set up an install host running etch, put a repository on it, and followed the instructions to set up authentication -- but it's a no-go. I admit that I have a problem understanding what I'm doing, since I've never used gnupg or pgp before. I'm hoping some kind soul on the list here can take a look at what I've done and will see what I've got wrong.

Here's what I've done:

1) First, I created a gpg key with the following script, gpg-gen-key. It relies on the existence of a file named passphrase.txt that holds my passphrase. (The whole process is automated on a secure host, so I'm not worried about users being able to read the file.) The script follows:


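   #!/bin/sh
   set -e
   set -x

   # Directory containing this script
   this_dir=$(cd "$(dirname "${0}")" && pwd)
   # Assumed locations: these assignments are missing from the archived post
   gpg_home="${this_dir}/.gnupg"
   input_file="${this_dir}/input.txt"

   # Create the GnuPG home directory, accessible to the owner only
   test -d "${gpg_home}" \
   || mkdir "${gpg_home}"
   test -d "${gpg_home}" \
   && chmod 0700 "${gpg_home}"

   # The passphrase file must exist; write the key-generation answers if absent
   # (only the first line of the answers survives in the archived post)
   test -f "${this_dir}/passphrase.txt"
   test -f "${this_dir}/input.txt" \
   || cat > "${input_file}" << EOF
   Michael Peek
   EOF

   # Generate the key pair unless a public keyring already exists
   test -f "${gpg_home}/pubring.gpg" \
   || gpg \
           --homedir "${gpg_home}" \
           --command-file "${this_dir}/input.txt" \
           --passphrase-file "${this_dir}/passphrase.txt" \
           --gen-key

   # Short key ID of the first public key (the part after the "/" on the pub line)
   str=$( \
       gpg --homedir "${gpg_home}" --list-keys 2>&1 \
       | grep '^pub' \
       | head -1 \
       | awk '{print $2}' \
       | awk -F/ '{print $2}' \
   )

   echo "${str}" > tiem.id

   # Export the ASCII-armored public key for apt-key on the clients
   test -f tiem.key \
   || gpg --homedir "${gpg_home}" --armor --export "${str}" > tiem.key

   # vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh: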

This script generates a .gnupg/ directory, and spits out a tiem.key file containing the key that I give to apt-key on my clients. An example of each file:


   Version: GnuPG v1.4.6 (GNU/Linux)








2) Next, I use the above keys to sign my Release file, placing the signature in Release.gpg. This is done with another script, gpg-sign, which follows:


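   #!/bin/sh
   # Arguments: $1 = file to sign (Release), $2 = detached signature to write (Release.gpg)
   set -e
   set -x

   # Directory containing this script
   this_dir=$(cd "$(dirname "${0}")" && pwd)
   # Assumed location: this assignment is missing from the archived post
   gpg_home="${this_dir}/.gnupg"

   # Both the keyring directory and the passphrase file must already exist
   test -d "${gpg_home}"
   test -f "${this_dir}/passphrase.txt"
   gpg --homedir "${gpg_home}" --list-keys

   # Short key ID of the first public key (the part after the "/" on the pub line)
   str=$( \
       gpg --homedir "${gpg_home}" --list-keys 2>&1 \
       | grep '^pub' \
       | head -1 \
       | awk '{print $2}' \
       | awk -F/ '{print $2}' \
   )

   # Remove any stale signature so gpg does not prompt before overwriting
   test ! -f "${2}" \
   || rm -f "${2}"

   # -abs: ASCII-armored (-a) detached (-b) signature (-s)
   gpg \
       --homedir "${gpg_home}" \
       --passphrase-file "${this_dir}/passphrase.txt" \
       --default-key "${str}" \
       -abs \
       -o "${2}" "${1}"

   # vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh: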

An example of the Release.gpg file:

   Version: GnuPG v1.4.6 (GNU/Linux)

   -----END PGP SIGNATURE-----

3) On the client I add the key generated above in step 1 via apt-key. The output of apt-key list is as follows:

   pub   1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
   uid                  Debian Archive Automatic Signing Key (2006)

   pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
   uid                  Debian Archive Automatic Signing Key (4.0/etch)

   pub   1024D/1F41B907 1999-10-03
   uid                  Christian Marillat <marillat@debian.org>
   uid                  Christian Marillat <marillat@free.fr>
   sub   1536g/C28DCC42 1999-10-03
   sub   1024D/5D3877A7 2002-08-26

   pub   1024D/666C18A7 2007-02-27
   uid                  Michael Peek <peek@tiem.utk.edu>
   sub   2048g/969F8B67 2007-02-27

   pub   1024D/ADB11277 2006-09-17
   uid                  Etch Stable Release Key

Notice the 666C18A7 key -- that's mine.

4) I run apt-get update, and get:

   Ign http://install1 etch Release.gpg
   Ign http://install1 etch Release
   Ign http://install1 etch/main Packages/DiffIndex
   Ign http://install1 etch/non-free Packages/DiffIndex
   Ign http://install1 etch/contrib Packages/DiffIndex
   Ign http://install1 etch/main Packages
   Ign http://install1 etch/non-free Packages
   Ign http://install1 etch/contrib Packages
   Hit http://install1 etch/main Packages
   Hit http://install1 etch/non-free Packages
   Hit http://install1 etch/contrib Packages
   Get:1 http://security.debian.org etch/updates Release.gpg [189B]
   Get:2 http://ftp.us.debian.org etch Release.gpg [189B]
   Hit http://security.debian.org etch/updates Release
   Hit http://ftp.us.debian.org etch Release
   Get:3 http://debian-multimedia.org etch Release.gpg [189B]
   Ign http://security.debian.org etch/updates/main Packages/DiffIndex
   Hit http://ftp.us.debian.org etch/main Packages/DiffIndex
   Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
   Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
   Hit http://debian-multimedia.org etch Release
   Hit http://ftp.us.debian.org etch/non-free Packages/DiffIndex
   Hit http://ftp.us.debian.org etch/contrib Packages/DiffIndex
   Hit http://ftp.us.debian.org etch/main Sources/DiffIndex
   Hit http://ftp.us.debian.org etch/non-free Sources/DiffIndex
   Hit http://ftp.us.debian.org etch/contrib Sources/DiffIndex
   Hit http://security.debian.org etch/updates/main Packages
   Hit http://security.debian.org etch/updates/contrib Packages
   Ign http://debian-multimedia.org etch/main Packages/DiffIndex
   Hit http://security.debian.org etch/updates/non-free Packages
   Hit http://debian-multimedia.org etch/main Packages
   Fetched 191B in 1s (140B/s)
   Reading package lists... Done

The lines that read "http://install1" are for my repository. Notice that apt-get does in fact (claim to) download my Release.gpg file.

5) But when I go to install a package from my repository, I get the following error:

   # apt-get install tiem-exim4-workstation-cfg
   Reading package lists... Done
   Building dependency tree... Done
   The following extra packages will be installed:
   The following NEW packages will be installed:
     tiem-exim4-common-cfg tiem-exim4-workstation-cfg
   0 upgraded, 2 newly installed, 0 to remove and 23 not upgraded.
   Need to get 0B/26.2kB of archives.
   After unpacking 258kB of additional disk space will be used.
   Do you want to continue [Y/n]?
   WARNING: The following packages cannot be authenticated!
     tiem-exim4-common-cfg tiem-exim4-workstation-cfg
   Install these packages without verification [y/N]?

Some sources claim that running apt-get update will solve this problem, but it doesn't seem to make a difference for me.

Can anyone see what I've got wrong?  I totally don't understand...

Thanks for your help,

Michael Peek
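
An added example, not part of the original post: in `apt-get update` output, `Get` marks a file that was downloaded, `Hit` one that is already current, and `Ign` one that apt skipped or could not fetch. The shell function below reads that output and reports, per source, whether both `Release` and `Release.gpg` were obtained, which apt needs before it can authenticate packages from that source; the function names and the `repo.example` / `mirror.example` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify apt-get update output per source.

# Constructed sample in the same format as the apt-get update output above.
sample_update_output() {
cat <<'EOF'
Ign http://repo.example etch Release.gpg
Ign http://repo.example etch Release
Hit http://repo.example etch/main Packages
Get:1 http://mirror.example etch Release.gpg [189B]
Hit http://mirror.example etch Release
Ign http://mirror.example etch/main Packages/DiffIndex
Hit http://mirror.example etch/main Packages
Fetched 191B in 1s (140B/s)
Reading package lists... Done
EOF
}

# Reads apt-get update output on stdin and prints "<uri> <suite> <status>".
# "fetched" means both Release and Release.gpg were Get or Hit; it does not
# by itself prove the signature verified against a key known to apt-key.
release_status() {
    awk '
    {
        state = $1
        sub(/:[0-9]+$/, "", state)            # "Get:1" -> "Get"
        uri = $2; suite = $3; item = $4
        if (item != "Release" && item != "Release.gpg") next
        key = uri " " suite
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (state == "Get" || state == "Hit") ok[key, item] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (ok[k, "Release"] && ok[k, "Release.gpg"])
                print k, "fetched"
            else
                print k, "not-fetched"
        }
    }'
}

# Report for the constructed sample.
sample_update_output | release_status
```

A source reported as `not-fetched` has no signed index on the client, so every package from it is treated as unauthenticated regardless of which keys `apt-key list` shows.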
