6.43 Signing a Local Repository

There may be key issues with a locally managed archive that is not signed. Even though the AVAIL command will identify that the local archive has preference when it comes to obtaining a package that is available from multiple archives, an authorised archive will always be used in preference. Two solutions are possible. One is to tell wajig not to preference authoritative archives by using the -{-noauth} option.

  $ wajig --noauth distupgrade

The other option is to sign your Release files. Using wajig’s MOVE command requires some setting up to have the Release.gpg file created. First, tell apt-move to create the file (and also to maintain both compressed and uncompressed Package files - a requirement of the current apt version) in the configuration file /etc/apt-move.conf:

  PKGCOMP='none gzip'
  SIGNINGKEY=Kayon.Toga@togaware.com

Then ensure Kayon Toga’s secret key is available to the root user that runs the -, apt, move command. You can export the secret key (but do this carefully) with:

  $ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp

Then add this to root’s keys:

  # gpg --import ktskexp

Now remove any passphrase so that the file can be singed in batch mode (required when running -, apt, move):

  # gpg --edit Kayon.Toga@togaware.com
  Command> passwd

So now apt-move can sign the Release file unattended.

Further explanation is available from http://wiki.debian.org/SecureApt.



Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0