GNU/Linux Desktop Survival Guide by Graham Williams
Desktop Survival Project Home Preface Advocacy History Distributions Installing GNU/Linux Basic Survival Wajig Applications AI, Machine Learning, Data Science Android - GNU/Linux Devices Audio Backup Booting CD Chinese ChRoot Clock Command Line Databases DIA Directories Disks EcoSysL Emacs Email Evolution Files File Systems Firewalls Floppy Disks FreedomBox Glade GNOME Graphics, Images, Photos Hardware Initialisations on Booting Installation Examples Internet IOT Java KDE Kernels Keyboard Konqueror KVM Switch LATEX Log System Login Magellan MATE Mathematics Memory Modems Mounting Devices MS/Windows Music MySQL Nautilus Networks Nextcloud Network File System NFS NT File System Oracle Packages Partitions Passwords PDF Power Management PPP Presentations Printing Python R Remote Desktops Rsync Samba Scanning Science Screens Security Spreadsheet SSH Swap Teradata Data Warehouse Themes TV Unity USB Version Control Video Virtualization Voice over IP WebCam WordPress Web Sites Word Processing and Printing X XML Troubleshooting Index

CLICK HERE TO VISIT THE UPDATED SURVIVAL GUIDE

Signing a Local Repository

There may be key issues with a locally managed archive that is not signed. Even though the AVAIL command will identify that the local archive has preference when it comes to obtaining a package that is available from multiple archives, an authorised archive will always be used in preference. Two solutions are possible. One is to tell wajig not to preference authoritative archives by using the --noauth option.

  $ wajig --noauth distupgrade

The other option is to sign your Release files. Using wajig's MOVE command requires some setting up to have the Release.gpg file created. First, tell apt-move to create the file (and also to maintain both compressed and uncompressed Package files - a requirement of the current apt version) in the configuration file /etc/apt-move.conf:

  PKGCOMP='none gzip'
  SIGNINGKEY=Kayon.Toga@togaware.com

Then ensure Kayon Toga's secret key is available to the root user that runs the apt-move command. You can export the secret key (but do this carefully) with:

  $ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp

Then add this to root's keys:

  # gpg --import ktskexp

Now remove any passphrase so that the file can be singed in batch mode (required when running apt-move):

  # gpg --edit Kayon.Toga@togaware.com
  Command> passwd

So now apt-move can sign the Release file unattended.

Further explanation is available from http://wiki.debian.org/SecureApt.