Closed jniggemann closed 1 year ago
If I'm understanding you correctly, you want to publish the GPG public key that your aptly publish item was signed with together with your publication, so that it would be downloadable via HTTPS, to set up a client APT source, just like you see in many tutorials?
I would consider this firmly out-of-scope for aptly. Sure, we could write the pubkey somewhere, but where exactly? Do we introduce a new configuration option that tells us where to write this publish's pubkey? You have to run some webserver in front of aptly anyway, unless you want to rely on aptly serve, which I would not recommend, except for development and testing. If you run some webserver, let it serve your ASCII-armored pubkey as you please, but that's of no concern to this project.
Please note that receiving the GPG pubkey to be trusted from exactly the same source as the signed Release file defeats the purpose of signatures, at least if the process is fully automated.
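An added example, not part of the thread or of aptly: a client-side check that makes fetching the key from the repository host safe to automate, by comparing it against a fingerprint obtained through a separate channel. The function names, URL, fingerprint and destination path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pin the repository key's fingerprint before trusting it.
# URL, fingerprint and destination are placeholders supplied by the caller.

# Normalise a fingerprint: strip whitespace, upper-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# stdin: `gpg --with-colons` listing. Prints the primary key fingerprint,
# i.e. field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# stdin: colon listing. Prints how many primary keys the file contains.
count_pub() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# check_listing EXPECTED_FPR (listing on stdin).
# Returns 0 only if the file holds exactly one primary key and it matches.
# Extra keys are rejected because apt trusts every key in a signed-by file.
check_listing() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | count_pub)" -eq 1 ] || return 2
    actual=$(printf '%s\n' "$listing" | primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fpr "$1")" ]
}

# install_pinned_key URL EXPECTED_FPR DEST
install_pinned_key() {
    tmp=$(mktemp) || return 1
    if curl -fsSL "$1" -o "$tmp" &&
       gpg --show-keys --with-colons "$tmp" | check_listing "$2"; then
        install -m 0644 "$tmp" "$3"
        rc=$?
    else
        echo "key from $1 does not match the pinned fingerprint" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run directly: script.sh URL EXPECTED_FPR DEST
if [ "$#" -eq 3 ]; then install_pinned_key "$@"; fi
```

DEST would typically be a file under /etc/apt/keyrings referenced from the source entry with signed-by=, with an .asc suffix if the key is ASCII-armored. The pinned fingerprint has to reach the client by some path other than the repository host, otherwise the check adds nothing.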
> If I'm understanding you correctly, you want to publish the GPG public key that your aptly publish item was signed with together with your publication, so that it would be downloadable via HTTPS, to set up a client APT source, just like you see in many tutorials?
Correct. This is only useful in certain scenarios like in a test lab, but still.
> I would consider this firmly out-of-scope for aptly. Sure, we could write the pubkey somewhere, but where exactly? Do we introduce a new configuration option that tells us where to write this publish's pubkey? You have to run some webserver in front of aptly anyway, unless you want to rely on aptly serve, which I would not recommend, except for development and testing. If you run some webserver, let it serve your ASCII-armored pubkey as you please, but that's of no concern to this project.
We could write the pubkey to the same location that aptly writes its files, i.e. where the webserver picks up the data anyway.
> Please note that receiving the GPG pubkey to be trusted from exactly the same source as the signed Release file defeats the purpose of signatures, at least if the process is fully automated.
See above, one possible use case is a test lab. I should have taken the time to include the use case in my FR.
Closing this, perhaps it's just an unusual edge case.
Detailed Description
Debian wiki states:
How can I add the exported binary keyfile to a local repo short of copying it over after publishing? I've only started using aptly, but even after intensive searching I'm unable to find in the documentation how to do that.
Did I use unsuitable search terms, or does the documentation need improving, or does that feature not exist?