Hello gurus,
I'm hoping someone can give me a hand.
I have been running my own repository for a while now, and with the
release of etch as the new stable just around the corner, I would like
to add my own authentication to my repository. So I set up an install
host running etch, put a repository on it, and followed the instructions
to set up authentication -- but it's a no-go. I admit that I have a
problem understanding what I'm doing, since I've never used gnupg or pgp
before. I'm hoping some kind soul on the list here can take a look at
what I've done and will see what I've got wrong.
Here's what I've done:
1) First, I created a gpg key with the following script, gpg-gen-key.
It relies on the existence of a file named passphrase.txt that holds my
passphrase. (The whole process is automated on a secure host, so I'm
not worried about users being able to read the file.) The script follows:
#!/bin/bash
set -e
set -x
this_dir=$(cd "$(dirname "${0}")" && pwd)
gpg_home="${this_dir}/.gnupg"
input_file="${this_dir}/input.txt"
# Private keyring lives next to the script, readable by the owner only.
test -d "${gpg_home}" \
|| mkdir "${gpg_home}"
test -d "${gpg_home}" \
&& chmod 0700 "${gpg_home}"
test -f "${this_dir}/passphrase.txt"
# Canned answers for the interactive --gen-key dialog (key type, subkey
# size, expiry, confirmation, name, e-mail, okay).
test -f "${input_file}" \
|| cat > "${input_file}" << EOF
1
2048
0
y
Michael Peek
[EMAIL PROTECTED]
o
EOF
# Generate the key once; skip if the public keyring already exists.
test -f "${gpg_home}/pubring.gpg" \
|| gpg \
--homedir "${gpg_home}" \
--command-file "${input_file}" \
--passphrase-file "${this_dir}/passphrase.txt" \
--gen-key \
2>&1
# Short key ID from the first "pub" line, e.g. 666C18A7 out of "1024D/666C18A7".
str=$( \
gpg --homedir "${gpg_home}" --list-keys 2>&1 \
| grep '^pub' \
| head -1 \
| awk '{print $2}' \
| awk -F/ '{print $2}' \
)
echo "${str}" > tiem.id
# Export the ASCII-armored public key that the clients feed to apt-key.
test -f tiem.key \
|| gpg --homedir "${gpg_home}" --armor --export "${str}" > tiem.key
# vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh:
This script generates a .gnupg/ directory, and spits out a tiem.key file
containing the key that I give to apt-key on my clients. An example of
each file:
tiem.key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)
mQGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9pq
...stuff...
...stuff...
...stuff...
D8NXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXJqR
dKKfig==
=8w/+
-----END PGP PUBLIC KEY BLOCK-----
tiem.id:
666C18A7
2) Next, I use the above keys to sign my Release file, placing the
signature in Release.gpg. This is done with another script, gpg-sign,
which follows:
#!/bin/bash
# Usage: gpg-sign <file-to-sign> <detached-signature>, e.g. gpg-sign Release Release.gpg
set -e
set -x
this_dir=$(cd "$(dirname "${0}")" && pwd)
gpg_home="${this_dir}/.gnupg"
test $# -eq 2 \
|| { echo "usage: ${0} <file-to-sign> <detached-signature>" >&2; exit 1; }
test -d "${gpg_home}"
test -f "${this_dir}/passphrase.txt"
gpg --homedir "${gpg_home}" --list-keys
# Same key-ID extraction as in gpg-gen-key.
str=$( \
gpg --homedir "${gpg_home}" --list-keys 2>&1 \
| grep '^pub' \
| head -1 \
| awk '{print $2}' \
| awk -F/ '{print $2}' \
)
# Drop any old signature; Release.gpg must match the current Release.
test ! -f "${2}" \
|| rm -f "${2}"
# -a armor, -b detached, -s sign: write the ASCII-armored detached
# signature of ${1} to ${2}.
gpg \
--homedir "${gpg_home}" \
--passphrase-file "${this_dir}/passphrase.txt" \
--default-key "${str}" \
-abs \
-o "${2}" "${1}" \
2>&1
# vim:ts=2:shiftwidth=2:filetype=sh:syntax=sh:
An example of the Release.gpg file:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA8d
Z6CXXXXXXXXXXXXXXXXXXQw=
=3twD
-----END PGP SIGNATURE-----
3) On the client I add the key generated above in step 1 via apt-key.
The output of apt-key list is as follows:
/etc/apt/trusted.gpg
--------------------
pub 1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
uid Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>
pub 1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid Debian Archive Automatic Signing Key (4.0/etch) <[EMAIL PROTECTED]>
pub 1024D/1F41B907 1999-10-03
uid Christian Marillat <[EMAIL PROTECTED]>
uid Christian Marillat <[EMAIL PROTECTED]>
sub 1536g/C28DCC42 1999-10-03
sub 1024D/5D3877A7 2002-08-26
pub 1024D/666C18A7 2007-02-27
uid Michael Peek <[EMAIL PROTECTED]>
sub 2048g/969F8B67 2007-02-27
pub 1024D/ADB11277 2006-09-17
uid Etch Stable Release Key <debian-release@lists.debian.org>
Notice the 666C18A7 key -- that's mine.
4) I run apt-get update, and get:
Ign http://install1 etch Release.gpg
Ign http://install1 etch Release
Ign http://install1 etch/main Packages/DiffIndex
Ign http://install1 etch/non-free Packages/DiffIndex
Ign http://install1 etch/contrib Packages/DiffIndex
Ign http://install1 etch/main Packages
Ign http://install1 etch/non-free Packages
Ign http://install1 etch/contrib Packages
Hit http://install1 etch/main Packages
Hit http://install1 etch/non-free Packages
Hit http://install1 etch/contrib Packages
Get:1 http://security.debian.org etch/updates Release.gpg [189B]
Get:2 http://ftp.us.debian.org etch Release.gpg [189B]
Hit http://security.debian.org etch/updates Release
Hit http://ftp.us.debian.org etch Release
Get:3 http://debian-multimedia.org etch Release.gpg [189B]
Ign http://security.debian.org etch/updates/main Packages/DiffIndex
Hit http://ftp.us.debian.org etch/main Packages/DiffIndex
Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
Hit http://debian-multimedia.org etch Release
Hit http://ftp.us.debian.org etch/non-free Packages/DiffIndex
Hit http://ftp.us.debian.org etch/contrib Packages/DiffIndex
Hit http://ftp.us.debian.org etch/main Sources/DiffIndex
Hit http://ftp.us.debian.org etch/non-free Sources/DiffIndex
Hit http://ftp.us.debian.org etch/contrib Sources/DiffIndex
Hit http://security.debian.org etch/updates/main Packages
Hit http://security.debian.org etch/updates/contrib Packages
Ign http://debian-multimedia.org etch/main Packages/DiffIndex
Hit http://security.debian.org etch/updates/non-free Packages
Hit http://debian-multimedia.org etch/main Packages
Fetched 191B in 1s (140B/s)
Reading package lists... Done
The lines that read "http://install1" are for my repository. Notice that
apt-get does in fact (claim to) download my Release.gpg file.
5) But when I go to install a package from my repository, I get the
following error:
# apt-get install tiem-exim4-workstation-cfg
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
tiem-exim4-common-cfg
The following NEW packages will be installed:
tiem-exim4-common-cfg tiem-exim4-workstation-cfg
0 upgraded, 2 newly installed, 0 to remove and 23 not upgraded.
Need to get 0B/26.2kB of archives.
After unpacking 258kB of additional disk space will be used.
Do you want to continue [Y/n]?
WARNING: The following packages cannot be authenticated!
tiem-exim4-common-cfg tiem-exim4-workstation-cfg
Install these packages without verification [y/N]?
Some sources claim that running apt-get update will solve this problem,
but it doesn't seem to make a difference for me.
Can anyone see what I've got wrong? I totally don't understand...
Thanks for your help,
Michael Peek
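As an added check, not part of the original post, the following Python script does the two things apt needs before it will trust a package from a repository like the one above: it looks for dists/<suite>/Release at all (apt shows a missing one as "Ign ... Release"), and it verifies that every Packages/Sources index under that tree is listed in Release with the right size and hash, since a Packages file regenerated after gpg-sign ran leaves the signed Release stale and the packages unauthenticated. The dists tree, the package name and the hashes are constructed sample data written to a temporary directory; Release.gpg itself is still verified with gpg as usual.

```python
import hashlib
import os
import tempfile

HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # Release section -> hashlib name
INDEX_FILES = ("Packages", "Packages.gz", "Sources", "Sources.gz")

def parse_release(text):
    """Return {algo: {relative_path: (size, hexdigest)}} parsed from Release text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):      # "Field:" header line
            current = HASH_SECTIONS.get(line.split(":", 1)[0])
            if current:
                entries[current] = {}
        elif current:                     # " <hash> <size> <path>" entry
            digest, size, path = line.split()
            entries[current][path] = (int(size), digest.lower())
    return entries

def check_release(dist_dir, algo="sha256"):
    """List what stops apt from authenticating the index files under dist_dir."""
    release_path = os.path.join(dist_dir, "Release")
    if not os.path.isfile(release_path):  # apt reports this as "Ign ... Release"
        return ["no Release file in " + dist_dir]
    listed = parse_release(open(release_path).read()).get(algo, {})
    problems = []
    for root, _dirs, files in os.walk(dist_dir):
        for name in (n for n in files if n in INDEX_FILES):
            rel = os.path.relpath(os.path.join(root, name), dist_dir)
            if rel not in listed:
                problems.append("not listed in Release: " + rel)
                continue
            data = open(os.path.join(dist_dir, rel), "rb").read()
            size, digest = listed[rel]
            if len(data) != size or hashlib.new(algo, data).hexdigest() != digest:
                problems.append("stale size/hash, re-sign Release: " + rel)
    return sorted(problems)

def build_demo_dist():
    """Constructed sample dists/etch tree with one correctly listed Packages file."""
    dist = tempfile.mkdtemp()
    pkg_dir = os.path.join(dist, "main", "binary-i386")
    os.makedirs(pkg_dir)
    packages = b"Package: tiem-exim4-common-cfg\nVersion: 1.0\n\n"  # constructed index
    open(os.path.join(pkg_dir, "Packages"), "wb").write(packages)
    release = "Suite: etch\nSHA256:\n %s %d main/binary-i386/Packages\n" % (hashlib.sha256(packages).hexdigest(), len(packages))
    open(os.path.join(dist, "Release"), "w").write(release)
    return dist
```

Run check_release("/path/to/repo/dists/etch") on the install host after every repository rebuild and before gpg-sign; an empty list means Release covers every index, and anything else is why the clients will refuse to authenticate.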