Hello gurus, I'm hoping someone can give me a hand.
I have been running my own repository for a while now, and with the release of etch as the new stable just around the corner, I would like to add my own authentication to my repository. So I set up an install host running etch, put a repository on it, and followed the instructions to set up authentication -- but it's a no-go. I admit that I have a problem understanding what I'm doing, since I've never used gnupg or pgp before. I'm hoping some kind soul on the list here can take a look at what I've done and will see what I've got wrong.

Here's what I've done:

1) First, I created a gpg key with the following script, gpg-gen-key. It relies on the existence of a file named passphrase.txt that holds my passphrase. (The whole process is automated on a secure host, so I'm not worried about users being able to read the file.) The script follows:

#!/bin/bash
set -e
set -x

this_dir=$(cd $(dirname "${0}") && pwd)
gpg_home="${this_dir}/.gnupg"
input_file="${this_dir}/input.txt"

test -d "${gpg_home}" \
  || mkdir "${gpg_home}"
test -d "${gpg_home}" \
  && chmod 0700 "${gpg_home}"

test -f "${this_dir}/passphrase.txt"

# Answers to the --gen-key prompts: key type, size, expiry, confirm,
# real name, e-mail, comment (blank), and (O)kay.
test -f "${this_dir}/input.txt" \
  || cat > "${input_file}" << EOF
1
2048
0
y
Michael Peek
[EMAIL PROTECTED]

o
EOF

test -f "${gpg_home}/pubring.gpg" \
  || gpg \
    --homedir "${gpg_home}" \
    --command-file "${this_dir}/input.txt" \
    --passphrase-file "${this_dir}/passphrase.txt" \
    --gen-key \
    2>&1

# Pull the short key id out of the first "pub" line of --list-keys.
str=$( \
  gpg --homedir "${gpg_home}" --list-keys 2>&1 \
  | grep '^pub' \
  | head -1 \
  | awk '{print $2}' \
  | awk -F/ '{print $2}' \
)
echo "${str}" > tiem.id

test -f tiem.key \
  || gpg --homedir "${gpg_home}" --armor --export "${str}" > tiem.key

# vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh:

This script generates a .gnupg/ directory, and spits out a tiem.key file containing the key that I give to apt-key on my clients.

An example of each file:

tiem.key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)

mQGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9pq
...stuff...
...stuff...
...stuff...
D8NXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXJqR
dKKfig==
=8w/+
-----END PGP PUBLIC KEY BLOCK-----

tiem.id:

666C18A7

2) Next, I use the above keys to sign my Release file, placing the signature in Release.gpg. This is done with another script, gpg-sign, which follows:

#!/bin/bash
set -e
set -x

this_dir=$(cd $(dirname "${0}") && pwd)
gpg_home="${this_dir}/.gnupg"

test -d "${gpg_home}"
test -f "${this_dir}/passphrase.txt"

gpg --homedir "${gpg_home}" --list-keys

# Same key-id extraction as in gpg-gen-key.
str=$( \
  gpg --homedir "${gpg_home}" --list-keys 2>&1 \
  | grep '^pub' \
  | head -1 \
  | awk '{print $2}' \
  | awk -F/ '{print $2}' \
)

# $1 = file to sign (Release), $2 = detached signature to write (Release.gpg)
test ! -f "${2}" \
  || rm -f "${2}"
gpg \
  --homedir "${gpg_home}" \
  --passphrase-file "${this_dir}/passphrase.txt" \
  --default-key "${str}" \
  -abs \
  -o "${2}" "${1}" \
  2>&1

# vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh:

An example of the Release.gpg file:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA8d
Z6CXXXXXXXXXXXXXXXXXXQw=
=3twD
-----END PGP SIGNATURE-----

3) On the client I add the key generated above in step 1 via apt-key. The output of apt-key list is as follows:

/etc/apt/trusted.gpg
--------------------
pub   1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>

pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>

pub   1024D/1F41B907 1999-10-03
uid                  Christian Marillat <[EMAIL PROTECTED]>
uid                  Christian Marillat <[EMAIL PROTECTED]>
sub   1536g/C28DCC42 1999-10-03
sub   1024D/5D3877A7 2002-08-26

pub   1024D/666C18A7 2007-02-27
uid                  Michael Peek <[EMAIL PROTECTED]>
sub   2048g/969F8B67 2007-02-27

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key <debian-release@lists.debian.org>

Notice the 666C18A7 key -- that's mine.

4) I run apt-get update, and get:

Ign http://install1 etch Release.gpg
Ign http://install1 etch Release
Ign http://install1 etch/main Packages/DiffIndex
Ign http://install1 etch/non-free Packages/DiffIndex
Ign http://install1 etch/contrib Packages/DiffIndex
Ign http://install1 etch/main Packages
Ign http://install1 etch/non-free Packages
Ign http://install1 etch/contrib Packages
Hit http://install1 etch/main Packages
Hit http://install1 etch/non-free Packages
Hit http://install1 etch/contrib Packages
Get:1 http://security.debian.org etch/updates Release.gpg [189B]
Get:2 http://ftp.us.debian.org etch Release.gpg [189B]
Hit http://security.debian.org etch/updates Release
Hit http://ftp.us.debian.org etch Release
Get:3 http://debian-multimedia.org etch Release.gpg [189B]
Ign http://security.debian.org etch/updates/main Packages/DiffIndex
Hit http://ftp.us.debian.org etch/main Packages/DiffIndex
Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
Hit http://debian-multimedia.org etch Release
Hit http://ftp.us.debian.org etch/non-free Packages/DiffIndex
Hit http://ftp.us.debian.org etch/contrib Packages/DiffIndex
Hit http://ftp.us.debian.org etch/main Sources/DiffIndex
Hit http://ftp.us.debian.org etch/non-free Sources/DiffIndex
Hit http://ftp.us.debian.org etch/contrib Sources/DiffIndex
Hit http://security.debian.org etch/updates/main Packages
Hit http://security.debian.org etch/updates/contrib Packages
Ign http://debian-multimedia.org etch/main Packages/DiffIndex
Hit http://security.debian.org etch/updates/non-free Packages
Hit http://debian-multimedia.org etch/main Packages
Fetched 191B in 1s (140B/s)
Reading package lists... Done

The lines that read "http://install1" are for my repository. Notice that apt-get does in fact (claim to) download my Release.gpg file.

5) But when I go to install a package from my repository, I get the following error:

# apt-get install tiem-exim4-workstation-cfg
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  tiem-exim4-common-cfg
The following NEW packages will be installed:
  tiem-exim4-common-cfg tiem-exim4-workstation-cfg
0 upgraded, 2 newly installed, 0 to remove and 23 not upgraded.
Need to get 0B/26.2kB of archives.
After unpacking 258kB of additional disk space will be used.
Do you want to continue [Y/n]?
WARNING: The following packages cannot be authenticated!
  tiem-exim4-common-cfg tiem-exim4-workstation-cfg
Install these packages without verification [y/N]?

Some sources claim that running apt-get update will solve this problem, but it doesn't seem to make a difference for me.

Can anyone see what I've got wrong? I totally don't understand...

Thanks for your help,
Michael Peek

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
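Two offline checks for the chain the post is exercising, added here as example code and not part of the original message: one reads a saved apt-get update transcript and reports whether a host's Release and Release.gpg were fetched (Get/Hit) or ignored (Ign), the other verifies the SHA1 entries of a Release file against the index files beside it. The apt log excerpt and the miniature repository are constructed; POSIX sh with coreutils is assumed.

```shell
#!/bin/sh
# Added diagnostic helpers, not code from the original post. Assumes POSIX sh, coreutils
# (sha1sum, wc) and the etch-era Release layout: an "SHA1:" section of "<digest> <size> <path>".
# apt prints one line per index it tries; "Ign" means the file was not retrieved.
# A suite whose Release or Release.gpg shows "Ign" cannot be authenticated,
# whatever apt-key holds.  $1 = repository host, $2 = saved apt-get update output.
release_status() {
  host="$1"; log="$2"; rc=0
  for f in Release Release.gpg; do
    line=$(grep -E " http://${host} [^ ]+ ${f}"'( |$)' "$log" | head -1)
    case "$line" in
      Ign*)      echo "$f: not fetched (Ign)"; rc=1 ;;
      Get*|Hit*) echo "$f: fetched" ;;
      *)         echo "$f: no entry for $host"; rc=1 ;;
    esac
  done
  return $rc
}
# Release.gpg signs Release, and Release lists the digest and size of each index
# file; that chain is how apt authenticates a package. This replays the second
# link offline.  $1 = dists/<suite> directory containing Release.
check_release_sums() {
  dir="$1"
  [ -f "$dir/Release" ] || { echo "no Release file in $dir"; return 1; }
  bad=$(awk '/^SHA1:/ {s=1; next} /^[A-Za-z0-9-]+:/ {s=0} s' "$dir/Release" |
    while read -r sum size path; do
      if [ ! -f "$dir/$path" ]; then echo "missing: $path"
      elif [ "$(sha1sum "$dir/$path" | cut -d' ' -f1)" != "$sum" ]; then echo "digest mismatch: $path"
      elif [ "$(($(wc -c < "$dir/$path")))" -ne "$size" ]; then echo "size mismatch: $path"
      fi
    done)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"; return 1
}
# Constructed sample: a one-entry Packages file plus a Release that describes it.
make_sample_repo() {
  d="$1"; p="main/binary-i386/Packages"
  mkdir -p "$d/main/binary-i386"
  printf 'Package: tiem-exim4-common-cfg\nVersion: 1.0\n\n' > "$d/$p"
  printf 'Suite: etch\nSHA1:\n %s %s %s\n' \
    "$(sha1sum "$d/$p" | cut -d' ' -f1)" "$(($(wc -c < "$d/$p")))" "$p" > "$d/Release"
}
# Constructed apt-get update excerpt in the shape of the one quoted in the post.
SAMPLE_LOG='Ign http://install1 etch Release.gpg
Ign http://install1 etch Release
Hit http://install1 etch/main Packages
Get:2 http://ftp.us.debian.org etch Release.gpg [189B]
Hit http://ftp.us.debian.org etch Release'
```

Run `release_status <host> <logfile>` against the real transcript to see which of the two files apt never got, and `check_release_sums dists/etch` on the server to confirm the signed Release matches the indexes it is meant to cover.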