Secure Apt and the Emdebian Archive
Apt has supported GnuPG signatures on repository files for some time, and Emdebian includes this support via the Emdebian Archive Signing Key.
$ gpg --fingerprint 0x97BB3B58
pub   1024D/97BB3B58 2007-04-30
      Key fingerprint = 3EC0 AFB9 4A84 5900 282E 7A55 B5B7 7200 97BB 3B58
uid                  Emdebian Archive Signing Key
sub   2048g/FEFD537E 2007-04-30
Stable releases are also signed by other relevant Debian keys, including 0x28BCB3E3, in order to make it simpler to use Debian Installer and other Debian tools.
$ gpg --fingerprint 0x28BCB3E3
pub   1024D/28BCB3E3 2002-01-27
      Key fingerprint = 4CD4 6644 C105 48ED CA28 EC36 8801 094A 28BC B3E3
uid                  Neil Williams (Debian)
uid                  Neil Williams (CodeHelp)
uid                  N Williams (CodeHelp)
uid                  Neil Williams (general)
uid                  Neil Williams (Linux User Group)
uid                  Neil Williams (Devon and Cornwall LUG)
sub   1024g/AD3CB326 2002-01-27
The Emdebian Archive Signing key is included in the emdebian-archive-keyring package and configured for you during package installation. (0x28BCB3E3 is to be added in version 1.5.1 of emdebian-archive-keyring. Other Debian keys are provided by the debian-archive-keyring package which is part of a standard Emdebian installation.)
$ sudo apt-get install emdebian-archive-keyring
Alternatively, you can configure the keys yourself using the instructions below.
$ gpg --recv-key 0x97BB3B58 0x28BCB3E3
$ gpg --fingerprint 0x97BB3B58 0x28BCB3E3
You can also download the Emdebian Archive Signing key direct from this server.
Verify the fingerprint of your copy of the keys against the fingerprints above and then check the signatures on the key:
$ gpg --recv-key 0x28BCB3E3 0x174FEE35 0xA897FD02
$ gpg --check-sigs 0x97BB3B58
If all checks out, add 0x97BB3B58 and 0x28BCB3E3 to apt:
$ gpg -a --export 0x97BB3B58 0x28BCB3E3 > emdebian.key
$ sudo apt-key add emdebian.key
$ sudo apt-get update
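The fingerprint comparison above, done mechanically so that the export to apt-key is refused when the key in the keyring does not match the published fingerprint. This is an added example, not code from the page or from the emdebian-archive-keyring package; the colon-format sample it checks itself against is constructed from the values on this page, with a placeholder subkey fingerprint.

```shell
#!/bin/sh
# Added example (not from the page or the emdebian-archive-keyring package): pin the
# Emdebian Archive Signing Key to its published fingerprint before handing it to apt-key,
# so a wrong or substituted key returned by a keyserver is refused instead of imported.
# Parsing relies on gpg's documented --with-colons format ("fpr" records, field 10).
set -eu

EMDEBIAN_KEYID="0x97BB3B58"
EMDEBIAN_FPR="3EC0 AFB9 4A84 5900 282E 7A55 B5B7 7200 97BB 3B58"   # from the page

# Print every fingerprint (field 10 of "fpr" records) from gpg --with-colons output on stdin.
extract_fprs() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed only if the expected fingerprint ($1; spaces and lower case tolerated) appears
# as a whole line in the gpg --with-colons output read from stdin. An exact 40-digit
# match is required, so a short key id such as 97BB3B58 is never accepted on its own.
has_fingerprint() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    extract_fprs | grep -qx "$want"
}

# Compare the key in the local keyring against the pinned fingerprint and, only on a
# match, export it in the ASCII-armoured form apt-key add expects.
# Assumes gpg is installed and the key was already fetched with gpg --recv-key.
verify_and_export() {
    keyid=$1; expected=$2; outfile=$3
    if gpg --with-colons --fingerprint "$keyid" | has_fingerprint "$expected"; then
        gpg -a --export "$keyid" > "$outfile"
    else
        echo "refusing to export $keyid: fingerprint does not match the pinned value" >&2
        return 1
    fi
}

# Constructed sample of gpg --with-colons --fingerprint output (primary key fields taken
# from the page; subkey fingerprint is a placeholder) so the check runs without a keyring.
SAMPLE_COLONS='pub:-:1024:17:B5B7720097BB3B58:2007-04-30:::-:Emdebian Archive Signing Key::scESC:
fpr:::::::::3EC0AFB94A845900282E7A55B5B7720097BB3B58:
sub:-:2048:16:00000000FEFD537E:2007-04-30::::::e:
fpr:::::::::00000000000000000000000000000000FEFD537E:'

# Self-check on the sample. Real use: verify_and_export "$EMDEBIAN_KEYID" "$EMDEBIAN_FPR" emdebian.key
printf '%s\n' "$SAMPLE_COLONS" | has_fingerprint "$EMDEBIAN_FPR" && echo "sample: fingerprint matches pinned value"
```

After a successful verify_and_export, the resulting file is what the `sudo apt-key add emdebian.key` step above consumes.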
The main advantage of importing the Emdebian key into apt-key is that packages from Emdebian can then be upgraded automatically without halting for confirmation due to otherwise unverifiable packages. The key authenticates the repository to apt and is used to ensure that the Release file in the repository is genuine.
Implementing and using Secure Apt in reprepro
The secret key for the GnuPG key specified with SignWith: needs to be in the secret keyring of each user performing repository updates.
To verify the release files of repositories using Secure Apt from the update rules of a reprepro repository, copy /etc/apt/trusted.gpg to ~/.gnupg/trustedkeys.gpg for all users who need to run updates. To add keys to the list available for gpgv use:
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import keys.gpg
More information on Secure Apt.
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch)
pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key
pub   1024D/BBE55AB3 2007-03-31 [expires: 2010-03-30]
uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)
sub   2048g/36CA98F3 2007-03-31 [expires: 2010-03-30]
pub   1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
uid                  Lenny Stable Release Key
pub   1024D/97BB3B58 2007-04-30
uid                  Emdebian Archive Signing Key
sub   2048g/FEFD537E 2007-04-30
pub   1024D/28BCB3E3 2002-01-27
uid                  Neil Williams (Debian)
uid                  N Williams (CodeHelp)
uid                  Neil Williams (general)
uid                  Neil Williams (CodeHelp)
uid                  Neil Williams (Linux User Group)
uid                  Neil Williams (Devon and Cornwall LUG)
sub   1024g/AD3CB326 2002-01-27