GPG sign with multiple keys for the apt Release file?


Jeremy C. Reed

Aug 25, 2017, 2:13:09 PM8/25/17
to aptly-...@googlegroups.com
Any way to gpg dual-sign the Release file with aptly? I don't see it as an
option. (I am researching replacing reprepro with aptly.)

I also don't see a way to pass two different passphrases.

I am using a key rollover scenario. One key is old (and not supported
for some Debian systems) and will be deprecated and removed.

Currently I am using reprepro and two keys are used to sign the package
metadata (using multiple keys set with reprepro "SignWith"). (And
gpg-agent to sign both in my automated continuous integration. Or for
manual builds I enter the two phrases when reprepro prompts twice.)

The apt-get update works if it can verify using one of the keys.

(On a related note, I see that aptly prompts for the passphrase twice for the
same key, for sign and clearsign.)

If aptly doesn't support signing multiple times, I can work around that.
(One idea is to -skip-signing and then post process the Release file
with gpg without aptly.)

If you have any experiences with key replacement using aptly, please
share.

Thanks,

Jeremy C. Reed

echo 'EhZ[h ^jjf0%%h[[Zc[Z_W$d[j%Xeeai%ZW[ced#]dk#f[d]k_d%' | \
tr '#-~' '\-.-{'
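One way to carry out the workaround Jeremy describes (publish with -skip-signing, then post-process the Release file with gpg outside aptly), written here as an added example that is not part of the thread and not aptly's own tooling. It assumes GNUPGHOME already holds both secret keys, reachable through gpg-agent or without a passphrase, and GnuPG 2.1 or later; the key selectors, the dists path and the example.invalid addresses are placeholders. The second function checks the result the way apt does, against a keyring holding only one of the two keys, so that the "verify with either key" behaviour of a rollover can be confirmed before clients see it.

```shell
#!/bin/sh
# Added example, not aptly's own code: sign an apt Release file with two
# GPG keys after `aptly publish ... -skip-signing`. Assumes GNUPGHOME
# already contains both secret keys (unlocked via gpg-agent or unprotected)
# and that gpg is GnuPG 2.1 or later. Key selectors and paths are
# placeholders.
set -eu

# dual_sign_release DIST_DIR OLD_KEY NEW_KEY
# Writes DIST_DIR/Release.gpg (detached signature) and DIST_DIR/InRelease
# (clearsigned copy). gpg accepts --local-user more than once and emits one
# signature per key in a single pass, so there is one invocation per output
# file rather than one per key. SHA256 is forced because current apt
# rejects Release signatures made with SHA1.
dual_sign_release() {
    dist_dir=$1; old_key=$2; new_key=$3
    gpg --batch --yes --armor --digest-algo SHA256 \
        --local-user "$old_key" --local-user "$new_key" \
        --output "$dist_dir/Release.gpg" --detach-sign "$dist_dir/Release"
    gpg --batch --yes --digest-algo SHA256 \
        --local-user "$old_key" --local-user "$new_key" \
        --output "$dist_dir/InRelease" --clearsign "$dist_dir/Release"
}

# count_good_sigs SIGFILE KEYRING [DATAFILE]
# Verifies the way apt does: against one binary keyring (like a file in
# /etc/apt/trusted.gpg.d) and counts GOODSIG status lines. A signature
# whose key is absent from that keyring is reported as NO_PUBKEY rather
# than as a bad signature, which is why a client holding only the old key
# or only the new key still gets one GOODSIG during the rollover window.
count_good_sigs() {
    sigfile=$1; keyring=$2; datafile=${3:-}
    if [ -n "$datafile" ]; then
        set -- --verify "$sigfile" "$datafile"   # detached: sig + data
    else
        set -- --verify "$sigfile"               # clearsigned: one file
    fi
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --trust-model always --status-fd 1 "$@" 2>/dev/null \
        | grep -c '^\[GNUPG:\] GOODSIG ' || true
}

# Usage: sh dual-sign.sh /path/to/public/dists/stretch OLDKEYID NEWKEYID
if [ "$#" -eq 3 ]; then
    dual_sign_release "$@"
fi
```

Run it against the `public/dists/<distribution>` directory aptly produced after a -skip-signing publish. With passphrase-protected keys each gpg invocation asks for each key's passphrase unless gpg-agent already caches it, so unattended CI should rely on the agent (or on unprotected keys held in a protected signing host) rather than on passing two passphrases on the command line. Once every client has the new key installed, drop the old `--local-user` and the old signature disappears from both files on the next publish.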

eric.g...@puppet.com

May 11, 2020, 7:45:44 PM5/11/20
to aptly-discuss
I'm facing this at the moment. I realize it's a few years old, but did you ever find a satisfactory way of dealing with the key rollover?

Thanks,
Eric