GNU/Linux Desktop Survival Guide
by Graham Williams

Signing a Local Repository

There may be key issues with a locally managed archive that is not signed. Even though the AVAIL command will identify that the local archive has preference when it comes to obtaining a package that is available from multiple archives, an authorised archive will always be used in preference. Two solutions are possible. One is to tell wajig not to prefer authorised archives by using the --noauth option, which allows packages from unauthenticated archives to be installed:

  $ wajig --noauth distupgrade

The other option is to sign your Release files. Using wajig's MOVE command requires some setting up to have the Release.gpg file created. First, tell apt-move to create the file (and also to maintain both compressed and uncompressed Packages files, a requirement of the current apt version) in the configuration file /etc/apt-move.conf:

  PKGCOMP='none gzip'
  SIGNINGKEY=Kayon.Toga@togaware.com

Then ensure Kayon Toga's secret key is available to the root user that runs the apt-move command. You can export the secret key (but do this carefully, since the resulting file contains the secret key) with:

  $ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp

Then add this to root's keys:

  # gpg --import ktskexp

Now remove any passphrase so that the file can be signed in batch mode (required when running apt-move):

  # gpg --edit-key Kayon.Toga@togaware.com
  Command> passwd

So now apt-move can sign the Release file unattended. The secret key in root's keyring is then protected only by file permissions.
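
A check that can be run after this setup, as an added example (not part of the original guide, apt-move or wajig): it confirms the two apt-move.conf settings shown above and verifies Release.gpg against Release with gpgv. The function names, the --audit switch and the archive directory argument are assumptions; the keyring argument is assumed to be a path to a file produced with gpg --export for the signing key.

```sh
#!/bin/sh
# Added example: audit the signing setup described above.
# Function names and arguments are illustrative, not part of apt-move or wajig.

# conf_value FILE KEY: print the value of the last shell-style KEY=value line.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "'\""
}

# check_conf FILE: succeed only if both settings from the guide are present.
check_conf() {
    comp=$(conf_value "$1" PKGCOMP)
    key=$(conf_value "$1" SIGNINGKEY)
    case " $comp " in
        *" none "*) ;;
        *) echo "PKGCOMP lacks 'none'" >&2; return 1 ;;
    esac
    case " $comp " in
        *" gzip "*) ;;
        *) echo "PKGCOMP lacks 'gzip'" >&2; return 1 ;;
    esac
    [ -n "$key" ] || { echo "SIGNINGKEY is not set" >&2; return 1; }
}

# verify_release DIR KEYRING: succeed only if DIR/Release.gpg is a valid
# detached signature over DIR/Release by a key in KEYRING (public keys only).
# KEYRING must be given as a path containing a slash.
verify_release() {
    [ -f "$1/Release" ] || { echo "no Release file in $1" >&2; return 2; }
    [ -f "$1/Release.gpg" ] || { echo "Release is not signed" >&2; return 3; }
    gpgv --keyring "$2" "$1/Release.gpg" "$1/Release"
}

# Usage: sh audit.sh --audit /etc/apt-move.conf ARCHIVE_DIR PUBLIC_KEYRING
if [ "${1:-}" = "--audit" ]; then
    check_conf "$2" && verify_release "$3" "$4" && echo "archive signature OK"
fi
```

Because gpgv needs only the public key, this check can run as an unprivileged user without access to root's keyring.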

Further explanation is available from http://wiki.debian.org/SecureApt.


Copyright © 1995-2020 Togaware Pty Ltd. Creative Commons ShareAlike V4.