aptly-dev / aptly

aptly - Debian repository management tool
https://www.aptly.info/
MIT License

Provide means to add archive-keyring file to repo #1183

Closed jniggemann closed 1 year ago

jniggemann commented 1 year ago

Detailed Description

Debian wiki states:

> A binary export (gpg --export) of the certificate SHOULD be available at the root of the repository under the filename deriv-archive-keyring.pgp, where deriv is a short name for the repository. The file SHOULD NOT be ASCII-Armored (gpg --export --armor) although a separate armored version MAY be available under deriv-archive-keyring.asc.

How can I add the exported binary keyfile to a local repo short of copying it over after publishing? I've only started using aptly, but even after intensive searching I'm unable to find in the documentation how to do that.

Did I use unsuitable search terms, or does the documentation need improving, or does that feature not exist?

r4co0n commented 1 year ago

If I'm understanding you correctly, you want to publish the GPG public key that your aptly publish item was signed with together with your publication, so that it would be downloadable via HTTPS, to set up a client APT source, just like you see in many tutorials?

I would consider this firmly out-of-scope for aptly. Sure, we could write the pubkey somewhere, but where exactly? Do we introduce a new configuration option that tells us where to write this publish's pubkey? You have to run some webserver in front of aptly anyway, unless you want to rely on aptly serve, which I would not recommend, except for development and testing. If you run some webserver, let it serve your ASCII-armored pubkey as you please, but that's of no concern to this project.

Please note that receiving the GPG pubkey to be trusted from exactly the same source as the signed Release file defeats the purpose of signatures, at least if the process is fully automated.

jniggemann commented 1 year ago

> If I'm understanding you correctly, you want to publish the GPG public key that your aptly publish item was signed with together with your publication, so that it would be downloadable via HTTPS, to set up a client APT source, just like you see in many tutorials?

Correct. This is only useful in certain scenarios like in a test lab, but still.

> I would consider this firmly out-of-scope for aptly. Sure, we could write the pubkey somewhere, but where exactly? Do we introduce a new configuration option that tells us where to write this publish's pubkey? You have to run some webserver in front of aptly anyway, unless you want to rely on aptly serve, which I would not recommend, except for development and testing. If you run some webserver, let it serve your ASCII-armored pubkey as you please, but that's of no concern to this project.

We could write the pubkey to the same location that aptly writes its files, i.e. where the webserver picks up the data anyway.

> Please note that receiving the GPG pubkey to be trusted from exactly the same source as the signed Release file defeats the purpose of signatures, at least if the process is fully automated.

See above, one possible use case is a test lab. I should have taken the time to include the use case in my FR.

Closing this, perhaps it's just an unusual edge case.
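The thread leaves the practical step as "copy the key over after publishing". As an added example (not aptly's own code, and not something the project ships), the script below does what the Debian wiki text quoted in the issue asks for: it exports the signing key in binary form (no --armor) into the published tree and refuses to proceed if the file turns out to be ASCII-armored or not an OpenPGP public key at all. It assumes aptly's default public root of ~/.aptly/public, a repository short name of "deriv", and a signing key ID passed in as the first argument; the sample files it builds for the self-check are constructed here, not real keys. The format check only inspects the first packet header byte (tag 6, Public-Key, in old or new packet format), which is enough to tell a binary export from an armored one or from an unrelated file.

```shell
#!/bin/sh
# Added example, not part of aptly. Assumptions: aptly publishes to
# ~/.aptly/public (its default rootDir), the repo short name is "deriv",
# and the signing key ID is given as $1 when export_keyring is called.
set -eu

# Classify a keyring file by its first bytes and print one of:
#   binary   - starts with an OpenPGP Public-Key packet header
#              (old format 0x98-0x9b, new format 0xc6)
#   armored  - starts with "-----BEGIN PGP" (gpg --export --armor output)
#   unknown  - anything else, including an empty file
keyring_format() {
  first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
  case "$first" in
    98|99|9a|9b|c6) echo binary ;;
    2d)
      if head -c 14 "$1" | grep -q '^-----BEGIN PGP'; then
        echo armored
      else
        echo unknown
      fi ;;
    *) echo unknown ;;
  esac
}

# Export a public key in binary form into the published tree, then verify
# the result really is a binary export (the Debian wiki says the file
# SHOULD NOT be ASCII-armored). Returns 1 if the check fails.
export_keyring() {
  keyid=$1
  dest=${2:-"$HOME/.aptly/public/deriv-archive-keyring.pgp"}
  gpg --batch --yes --export --output "$dest" "$keyid"
  if [ "$(keyring_format "$dest")" != binary ]; then
    echo "refusing to publish $dest: not a binary OpenPGP export" >&2
    return 1
  fi
  echo "$dest"
}

# Client-side sources line that pins the repository to this key with
# signed-by, so a key fetched over HTTPS from the same origin as the
# Release file can at least not sign for any other source on the client.
# Arguments: short name, base URL, suite, components.
sources_line() {
  printf 'deb [signed-by=/usr/share/keyrings/%s-archive-keyring.pgp] %s %s %s\n' \
    "$1" "$2" "$3" "$4"
}

# Build constructed sample files (not real keys) for the self-check and
# print the directory holding them.
make_samples() {
  dir=$(mktemp -d)
  # 0x99 0x01 0x0d 0x04: old-format tag 6 header with a 2-byte length,
  # followed by a version-4 public key version byte.
  printf '\231\001\015\004' > "$dir/bin.pgp"
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$dir/arm.asc"
  printf 'not a key\n' > "$dir/plain.txt"
  : > "$dir/empty"
  echo "$dir"
}

# Usage once gpg and a published aptly tree exist:
#   export_keyring 0xDEADBEEF            # writes ~/.aptly/public/deriv-archive-keyring.pgp
#   sources_line deriv https://repo.example.com/ bookworm main
```

The signed-by pin in the sources line is the client-side half of the caveat r4co0n raises: if the key is fetched from the same origin as the Release file, an automated bootstrap still trusts whatever that origin serves, so restricting the key's scope to this one source, or distributing the key through a separate channel, is what limits the damage.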