Open lazyfrosch opened 6 years ago
Unfortunately this is still a problem. We "naively" used the default 2-year lifetime for our signing key, instead of Debian's 8-year or Proxmox's 10-year, and now we are facing keyring migration issue.
Right now, we have to manually sign the Release file by passing -skip-signing
to aptly publish repo
, then run following commands:
GPG_PARAMETERS=(
"--yes"
"--armor"
"-u" "72AF2B5F7B24A8FFE4F41AC4E572249A33EB9743"
"-u" "EF181314AFE1834694A34CC65D93177D0752732A"
)
for i in "$HOME"/.aptly/public/*/dists/*/Release
do
DISTRO_PATH="$(dirname "$i")"
gpg "${GPG_PARAMETERS[@]}" --clear-sign -o "$DISTRO_PATH/InRelease" "$i"
gpg "${GPG_PARAMETERS[@]}" --detach-sign -o "$DISTRO_PATH/Release.gpg" "$i"
done
With the plan of transition keys with a repository I wondered if we can support this in aptly.
Detailed Description
Debian signs its repositories with multiple keys, using multiple generations of keys over each release.
It might be wise to support this in aptly. Mainly for changing keys without breaking users right away.
Sources:
Context
Possible Implementation
While configuration would be easy (just setting multiple key IDs), it might be tricky to do with gnupg2.
I haven't done much testing yet, but had a look on the Debian repositories.