Use GnuPG in an automated environment?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Apr 8 07:57:05 CEST 2014


On 04/08/2014 12:45 AM, Peter Michaux wrote:

> I am creating a Debian APT repository of system packages. I need to
> sign the repository's Release file, creating detached signature file
> Release.gpg, so that packages can be installed on another Debian
> system with `apt-get install` without the complaint "WARNING: The
> following packages cannot be authenticated!". I can manually create
> the Release.gpg file which requires typing my GnuPG key's passphrase.

sorry to not get into the GnuPG specifics, but how are you managing the
apt repository?

the reprepro APT repository management tool includes mechanisms for
specifying which key to use for signing and automatically triggers
signing when something has changed in the repo (or you can ask it to
re-sign if you need that).

  http://mirrorer.alioth.debian.org/

(the debian reprepro package is just fine for this)

i recommend using reprepro to manage the APT repository unless you have
a compelling reason to manage all the rest of this stuff yourself.

You can use reprepro locally to build the repository someplace where you
have access to the signing key and then use rsync or the equivalent to
push out the updates to any network-accessible mirrors.

	--dkg
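
The workflow suggested in the reply above, sketched as an added example (not part of the original message and not taken from the reprepro project): reprepro signs on the host that holds the key, the detached signature is checked against the expected key, and only the published tree is pushed to a mirror. The suite name `internal`, the repository path, the key fingerprint and the rsync destination are placeholders; the key is assumed to be usable by the invoking user's GnuPG setup.

```shell
#!/bin/sh
# Added example: sign with reprepro where the key lives, push only dists/ and pool/.
# CODENAME and all arguments are placeholders chosen for illustration.

CODENAME="internal"   # hypothetical suite name

# Write a minimal conf/distributions; SignWith selects the signing key.
write_conf() {
    repo=$1; key=$2
    mkdir -p "$repo/conf"
    cat > "$repo/conf/distributions" <<EOF
Origin: example
Label: example
Codename: $CODENAME
Architectures: amd64
Components: main
Description: constructed example repository
SignWith: $key
EOF
}

# Add a package (reprepro regenerates and signs Release), confirm Release.gpg
# was made by the expected key, then sync without conf/ and db/.
# key must be a full fingerprint in uppercase hex without spaces.
publish() {
    repo=$1; key=$2; deb=$3; dest=$4
    reprepro -b "$repo" includedeb "$CODENAME" "$deb" || return 1
    rel="$repo/dists/$CODENAME/Release"
    gpg --status-fd 1 --verify "$rel.gpg" "$rel" 2>/dev/null \
        | grep -q "VALIDSIG.*$key" || { echo "Release.gpg not signed by $key" >&2; return 1; }
    rsync -a --delete "$repo/dists" "$repo/pool" "$dest/"
}

# Usage: sh publish.sh REPO_DIR KEY_FINGERPRINT PACKAGE.deb RSYNC_DEST
if [ "$#" -eq 4 ]; then
    gpg --list-secret-keys "$2" >/dev/null 2>&1 \
        || { echo "no secret key $2 on this host" >&2; exit 1; }
    [ -f "$1/conf/distributions" ] || write_conf "$1" "$2"
    publish "$1" "$2" "$3" "$4"
fi
```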
