
In my environment the packages are created by running 'debuild -b' and uploaded to the Debian repository with dput. The debuild step is telling me that the package has been signed, so it should be cool. I have my keys generated with gpg, and it's asking for the passphrase, so no problem here I guess.

The Debian repository has mini-dinstall running as a daemon.

Now, when I install the new package from the repository server, I get the 'signature could not be verified' warning. Where is the missing/wrong step (or steps), and what are the best practices to sign the deb packages?

1 Answer

With regard to Debian packages and archives there are two types of signing. The first is the actual .deb files (and .orig.tar.gz, .changes and .dsc), and the second is the generated archive metadata (the Release file specifically). The signing that happens as part of debuild is the former, and this signature is only used to verify that you're allowed to add packages to the archive (i.e. it is checked by reprepro or mini-dinstall as part of the incoming package processing). The latter type of signing needs to be done by the archive manager (reprepro, mini-dinstall, or sometimes manually), and this is the signature which is verified by aptitude and apt-get when downloading and installing packages.

It sounds like you haven't set up signing of the generated archive metadata. You can either do this by creating and configuring mini-dinstall with a release_signscript, or by manually signing the Release file and putting the signature in Release.gpg every time the archive is changed. You then obviously need to add the key on the machines installing the packages using apt-key.

mgorven
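The two halves of the answer above (a release_signscript that produces Release.gpg, and the client-side check that apt performs against the key added with apt-key) as an added example, not code from the original post or from mini-dinstall itself. It assumes gpg 2.1 or newer is installed; the key id, file names and the config line in the comments are assumptions, and the throwaway key and Release file it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from mini-dinstall itself):
# a minimal release_signscript plus the client-side check apt performs.
# Assumed: gpg 2.1+ is installed; SIGN_KEY holds the signing key's fingerprint.
# Assumed wiring in mini-dinstall.conf:  release_signscript = /path/to/this.sh
set -eu

# mini-dinstall calls release_signscript with the Release file as $1 and
# expects Release.gpg next to it. Sign to a temp file first so a failed gpg
# run can never leave a truncated or stale Release.gpg in place.
sign_release() {
    dir=$(dirname "$1")
    gpg --batch --yes --default-key "$SIGN_KEY" --armor \
        --detach-sign --output "$dir/Release.gpg.tmp" "$1"
    mv "$dir/Release.gpg.tmp" "$dir/Release.gpg"
    # InRelease is the inline (clearsigned) variant newer apt looks for first.
    gpg --batch --yes --default-key "$SIGN_KEY" --clearsign \
        --output "$dir/InRelease.tmp" "$1"
    mv "$dir/InRelease.tmp" "$dir/InRelease"
}

# Client side, as apt does it: check Release.gpg against the trusted keyring ($1) for the dists dir ($2).
verify_release() {
    gpgv --quiet --keyring "$1" "$2/Release.gpg" "$2/Release"
}

# End-to-end check with a throwaway key and a constructed Release file.
demo_sign_and_verify() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 0; }
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Repo Signing (demo) <repo@example.invalid>' ed25519 sign never
    SIGN_KEY=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    export SIGN_KEY
    mkdir "$work/dists"
    printf 'Origin: demo\nSuite: stable\nArchitectures: amd64\n' > "$work/dists/Release"
    sign_release "$work/dists/Release"
    gpg --batch --export > "$work/trusted.gpg"      # what clients would import with apt-key add
    verify_release "$work/trusted.gpg" "$work/dists" || return 1
    # A Release changed after signing (the classic "forgot to re-sign" case)
    # must fail verification, just as apt would refuse it.
    printf 'Date: edited after signing\n' >> "$work/dists/Release"
    if verify_release "$work/trusted.gpg" "$work/dists" 2>/dev/null; then return 1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

demo_sign_and_verify && echo "Release signing and verification check passed"
```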