Use GnuPG in an automated environment?
Peter Michaux
petermichaux at gmail.com
Tue Apr 8 06:45:20 CEST 2014
Hi,
I am creating a Debian APT repository of system packages. I need to
sign the repository's Release file, creating detached signature file
Release.gpg, so that packages can be installed on another Debian
system with `apt-get install` without the complaint "WARNING: The
following packages cannot be authenticated!". I can manually create
the Release.gpg file which requires typing my GnuPG key's passphrase.
I want to automate/script the creation of all the repository's
generated files so that a cron job can generate them when the
repository's package list changes. This means that creating the
Release.gpg file cannot require my GnuPG key's passphrase. I have
actually succeeded at creating the Release.gpg file without needing my
GnuPG key's passphrase following a combination of the instructions
from the following.
* http://www.gnupg.org/faq/gnupg-faq.html#automated_use
* http://www.slpicare.org/unix/automating_signing_with_GPG.html
The process is complex enough that I have little confidence that I'm
doing everything correctly and/or securely. I'm experimenting and
trying to understand all the related commands better. I noticed
something that seems incorrect or at least suspicious and worth asking
about.
I can list all of the keys that I've created.
peter at alpha.com:~$ gpg --homedir ~/.gnupg.insec --list-keys
/home/peter/.gnupg.insec/pubring.gpg
------------------------------------
pub 2048D/13FC9B38 2014-04-07
uid Peter Michaux (My Comment) <petermichaux at gmail.com>
sub 2048g/A2D0ED65 2014-04-07
sub 2048D/215D17CD 2014-04-07
The first two keys, 13FC9B38 and A2D0ED65, were the ones created when
I originally used `gpg --gen-key`. I followed the tutorials about
using GnuPG in an automated environment to create the third key,
215D17CD, with no password.
To understand things better, I want to ensure that I can properly
select/control the key I want to use during signing with the
`--default-key` option to the `gpg` command line tool. This is where
things look suspicious to me.
peter at alpha.com:~/drepo$ gpg --homedir ~/.gnupg.insec \
--verbose \
--detach-sign \
--default-key 13FC9B38 \
--output dists/stable/Release.gpg \
dists/stable/Release
gpg: using subkey 215D17CD instead of primary key 13FC9B38
gpg: writing to `dists/stable/Release.gpg'
gpg: using subkey 215D17CD instead of primary key 13FC9B38
gpg: DSA/SHA256 signature from: "215D17CD Peter Michaux (Black Iron Beast) <petermichaux at gmail.com>"
Why does gpg use the third key in the list when I've specifically
requested it use the first key in the list? (Yes, ultimately I want to
use the third key in the list but I want to know why gpg is defying my
wishes in the above command.)
Thanks.
Peter
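Editor's note (added example, not part of the post above and not GnuPG project code): the behaviour in the question is how gpg resolves a key ID. When --default-key (or -u/--local-user) names a primary key, gpg does not sign with that key; it walks the keyblock and picks the newest subkey whose usage flags allow signing, falling back to the primary only when no subkey qualifies, which is why the log says "using subkey 215D17CD instead of primary key 13FC9B38". To pin an exact key, append "!" to the key ID or fingerprint (documented in gpg(1) under "How to specify a user ID"). The script below reproduces both cases in a throwaway GNUPGHOME so it runs offline: the key identity and the Release file contents are constructed, the key is generated unattended with no passphrase (the shape of a cron signer's key), and the key that really signed is read from gpg's machine-readable VALIDSIG status line rather than from the human-readable log.

```shell
# Added example (editor's, not from the original post or from GnuPG).
# Demonstrates why "--default-key <primary id>" lands on a signing subkey
# and how the "!" suffix pins the exact key. Everything happens in a
# temporary GNUPGHOME; the identity and Release contents are constructed.

# make_keyring DIR: unattended generation of a primary key plus a signing
# subkey, with no passphrase, the way an automated signer's key is built.
make_keyring() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --batch --quiet --homedir "$1" --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: sign
Name-Real: Example Repo Signer
Name-Email: repo-signer@example.invalid
Expire-Date: 0
%commit
EOF
}

# nth_fpr DIR N: Nth fingerprint in the keyring as listed by gpg
# (1 = primary key, 2 = the first subkey).
nth_fpr() {
    gpg --homedir "$1" --with-colons --list-keys 2>/dev/null |
        awk -F: -v n="$2" '$1 == "fpr" && ++c == n { print $10; exit }'
}

# sign_detached DIR KEYSPEC DATA SIGFILE: the Release.gpg step from the
# post, using --default-key exactly as the question does.
sign_detached() {
    gpg --batch --yes --homedir "$1" --default-key "$2" \
        --output "$4" --detach-sign "$3"
}

# signer_of DIR SIGFILE DATA: fingerprint of the key that actually made
# the signature, taken from the "[GNUPG:] VALIDSIG <fpr> ..." status line.
signer_of() {
    gpg --batch --homedir "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $3; exit }'
}

# which_key_signs DIR KEYSPEC: sign a constructed Release file with KEYSPEC
# and report the fingerprint gpg really used.
which_key_signs() {
    printf 'Origin: Example\nSuite: stable\n' > "$1/Release"
    sign_detached "$1" "$2" "$1/Release" "$1/Release.gpg"
    signer_of "$1" "$1/Release.gpg" "$1/Release"
}

# demo: show the primary, the subkey, and which one signs for each spelling.
demo() {
    home=$(mktemp -d)
    make_keyring "$home"
    pri=$(nth_fpr "$home" 1)
    sub=$(nth_fpr "$home" 2)
    printf 'primary key          %s\n' "$pri"
    printf 'signing subkey       %s\n' "$sub"
    printf -- '--default-key %s  signs with %s\n' "$pri" "$(which_key_signs "$home" "$pri")"
    printf -- '--default-key %s! signs with %s\n' "$pri" "$(which_key_signs "$home" "$pri!")"
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}
```

Run "demo" to see the two lines: the plain primary key ID signs with the subkey, the "!"-suffixed one signs with the primary. For the cron job in the question, the same "!" spelling on the passphrase-less subkey's ID makes the choice explicit instead of relying on gpg's "newest signing subkey" rule, and reading VALIDSIG from --status-fd is the robust way for a script to confirm which key signed. As a general practice for a repository signer, the host running the cron job needs only the signing subkey's secret material (gpg --export-secret-subkeys), so the primary key can stay off that machine.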