Adding GPG key for my local mirror.


NiteSupport

Apr 12, 2017, 5:04:51 AM4/12/17
to aptly-discuss

Hello,

I have set up a local repository (mirror of Jessie main).

( https://groups.google.com/forum/#!searchin/aptly-discuss/gpg%7Csort:relevance/aptly-discuss/-CO20NlEvms/SMU8t9JmDAAJ )

It works, and now I’d like to solve the GPG key problem.

I got this message at the end of the publish process:

Don't forget to add your GPG key to apt with apt-key

And when I install something I get:

WARNING: The following packages cannot be authenticated!
  vlc
Install these packages without verification? [y/N]

It’s not so important because it’s for internal needs, but it would be cool to install packages without the warning.

I’ve read this:

https://wiki.debian.org/SecureApt

But it is still not clear to me.

First, does the part “7. How to find and add a key” match my needs, or “12. Setting up a secure apt repository”?

Thanks

Bernd Naumann

Apr 12, 2017, 5:37:34 AM4/12/17
to NiteSupport, aptly-discuss
Hi,

You do not need chapter 12, only 7. If you use `aptly publish` with the gpg options, then the release files are signed. So you only need the pub-key in the clients' apt-key ring.

See also https://www.aptly.info/doc/aptly/publish/

Best,
Bernd
--
You received this message because you are subscribed to the Google Groups "aptly-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to aptly-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

NiteSupport

Apr 18, 2017, 5:52:03 AM4/18/17
to aptly-discuss, snai...@gmail.com

Hello,

It is still not working.

Recap:

During the repository configuration I ran this command: gpg --gen-key

The command apt-key list gives me this:

root@debian-aptly:~# apt-key list
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
uid                  Debian Archive Automatic Signing Key (8/jessie) <ftpm...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   4096R/C857C906 2014-11-21 [expires: 2022-11-19]
uid                  Debian Security Archive Automatic Signing Key (8/jessie) <ftpm...@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
uid                  Jessie Stable Release Key debian-...@lists.debian.org

And so on…

Also, from https://www.aptly.info/doc/aptly/publish/ I understand that I have to run this command (on the repository):

gpg --export --armor

And I got this output:

nite@debian-aptly:~$ gpg --export --armor
gpg: directory `/home/nite/.gnupg' created
gpg: new configuration file `/home/nite/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/nite/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/nite/.gnupg/secring.gpg' created
gpg: keyring `/home/nite/.gnupg/pubring.gpg' created
gpg: WARNING: nothing exported
nite@debian-aptly:~$

Is the message gpg: WARNING: nothing exported a problem?

And now I’m supposed to run apt-key “on all machines that would be using published repositories.”

I’ve read this http://man.he.net/man8/apt-key but I don’t understand what I need to do with this command (my repo IP is 10.0.200.200).

And, it is written:

GPG key is required to sign any published repository. Key should be generated before publishing first repository.

I already did aptly publish snapshot…

Is it a problem?

Thanks

Andrey Smirnov

Apr 18, 2017, 11:40:45 AM4/18/17
to NiteSupport, aptly-discuss
Hi!

There're two things:

1) machine/user which runs aptly and manages repository, publishes it
2) machine/user which runs apt-get commands (downloads from repository)

On (1) you need to have GPG set up properly, including --gen-key. On (1) you need to export your key.

On (2) you need to import your keys with apt-key before you run apt-get update.

Shmuel Touitou

Apr 19, 2017, 6:39:30 AM4/19/17
to Andrey Smirnov, aptly-discuss

Hello,

OK and thanks.

I suppose that GPG is set up properly on the repo. I did:

gpg --gen-key

and

gpg --export --armor

And under /root/.gnupg I have these files:

-rw------- 1 root root  9188 Apr 13 10:25 gpg.conf
-rw------- 1 root root  1211 Apr 19 08:41 pubring.gpg
-rw------- 1 root root  1211 Apr 19 08:41 pubring.gpg~
-rw------- 1 root root   600 Apr 19 09:11 random_seed
-rw------- 1 root root  2589 Apr 19 08:41 secring.gpg
-rw------- 1 root root  1280 Apr 19 08:41 trustdb.gpg
-rw------- 1 root root 26628 Apr 13 10:27 trustedkeys.gpg
-rw------- 1 root root 26628 Apr 13 10:27 trustedkeys.gpg~

On the “client” machine…

I know that I have to do apt-key, but how?

I’ve read this http://man.he.net/man8/apt-key and I don’t know how to write this command.

So, if the repo’s IP address is 10.0.200.200, and on the repository the files are under /root/.gnupg (if those are the files):

Can you show me how to write this command?

Thanks

Bernd Naumann

Apr 19, 2017, 10:39:49 AM4/19/17
to aptly-discuss
Hi,

the easiest/simplest way is to copy the pub key file to the client, and then add it.

1. Export the pub key to a file
gpg --export --armor > "yourkey.pub"

2. copy the file to the client, i.e. with `scp`

3. on the client: `cat yourkey.pub | apt-key add -`

4. Check with `apt-key list` if your key was properly added

5. `apt update` to see if now everything works as expected.


In general, I personally have the pub-key accessible via http to provide it for clients, and also a simple package which adds my repos and the key, so a client can just fetch the package (and install it with `dpkg -i`) or just fetch the key in a preseed environment.
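The client side of the steps above (3 to 5), as an added example that is not from the thread or from aptly: before the key is handed to `apt-key add`, its fingerprint is compared with a value obtained out of band from the repository host, so a swapped or mistyped key file is caught rather than trusted. `EXPECTED_FPR`, the file name `yourkey.pub`, and the function names are assumptions; the export must run as the user whose keyring holds the key (in this thread that keyring is `/root/.gnupg`, which is why the export as `nite` produced "nothing exported").

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed setup: on the repo
# host `gpg --export --armor > yourkey.pub` was run as root (the user
# owning /root/.gnupg), and the file was copied here with scp.
# EXPECTED_FPR is a placeholder: read the real value on the repo host
# with `gpg --fingerprint` and carry it over separately from the file.
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Canonical form of a fingerprint: no spaces, upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when both strings name the same key, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Short key ID as shown by the 1.4-style `apt-key list` in the thread
# (e.g. 4096R/2B90D010): the last 8 hex digits of the fingerprint.
short_key_id() {
    normalize_fpr "$1" | tail -c 8
}

# Fingerprint of the primary key in an armored key file, read without
# importing it (gpg 1.4 and 2.x both accept --with-colons on a file).
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 3-5 from the thread, guarded by the fingerprint comparison.
install_repo_key() {
    keyfile="$1"
    actual="$(key_fingerprint "$keyfile")"
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "refusing to trust $keyfile: fingerprint '$actual' does not match" >&2
        return 1
    fi
    apt-key add "$keyfile" || return 1          # step 3 (same as `cat file | apt-key add -`)
    apt-key list | tr -d ' ' | grep -F "$(short_key_id "$actual")" || return 1  # step 4
    apt-get update                              # step 5: Release signatures now verify
}

# Usage on the client, as root: install_repo_key /path/to/yourkey.pub
```

Once the key is trusted, `apt-get update` no longer prints the "cannot be authenticated" warning for packages from the mirror; a failing fingerprint check leaves the keyring untouched.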

Shmuel Touitou

Apr 24, 2017, 9:42:18 AM4/24/17
to Bernd Naumann, aptly-discuss
Hi,
It works.
Thanks a lot.
