aptly-dev / aptly

aptly - Debian repository management tool
https://www.aptly.info/
MIT License

Supporting multiple keys for signing repositories #691

Open lazyfrosch opened 6 years ago

lazyfrosch commented 6 years ago

With the plan of transitioning keys for a repository, I wondered if we can support this in aptly.

Detailed Description

Debian signs its repositories with multiple keys, using multiple generations of keys over each release.

It might be wise to support this in aptly. Mainly for changing keys without breaking users right away.

Sources:

Context

Possible Implementation

While configuration would be easy (just setting multiple key IDs), it might be tricky to do with gnupg2.

I haven't done much testing yet, but had a look at the Debian repositories.

RadxaYuntian commented 7 months ago

Unfortunately this is still a problem. We "naively" used the default 2-year lifetime for our signing key, instead of Debian's 8-year or Proxmox's 10-year, and now we are facing keyring migration issues.

Right now, we have to manually sign the Release file by passing -skip-signing to aptly publish repo, then run the following commands:

#!/usr/bin/env bash
set -euo pipefail

# Sign with both the expiring key and its replacement, so clients that trust
# either key can still verify the repository during the transition.
GPG_PARAMETERS=(
    "--yes"      # overwrite the InRelease / Release.gpg left by the previous run
    "--armor"
    "-u" "72AF2B5F7B24A8FFE4F41AC4E572249A33EB9743"
    "-u" "EF181314AFE1834694A34CC65D93177D0752732A"
)

# With -skip-signing, aptly leaves an unsigned Release in every dists/<distro>/ directory.
for i in "$HOME"/.aptly/public/*/dists/*/Release
do
    DISTRO_PATH="$(dirname "$i")"
    # InRelease is the clear-signed copy of Release; Release.gpg is the detached signature.
    gpg "${GPG_PARAMETERS[@]}" --clear-sign -o "$DISTRO_PATH/InRelease" "$i"
    gpg "${GPG_PARAMETERS[@]}" --detach-sign -o "$DISTRO_PATH/Release.gpg" "$i"
done
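A check to pair with the signing loop above, as an added example that is not part of aptly or of the comments in this issue: it parses the OpenPGP signature packets in a Release.gpg (or the signature block at the end of an InRelease) and reports which of the expected signing keys have no signature, so a transition period in which both the old and the new key must sign can be confirmed before the repository is published. It inspects packet structure only (the Issuer and Issuer Fingerprint subpackets of each v4 signature); it does not verify signatures, which remains the job of gpgv or apt. The two sample signature blocks are constructed inside the script with dummy signature values, reusing the two fingerprints quoted in the comment above; they are not real signatures and would never verify.

```python
"""Added example, not aptly's code: list the issuer keys in a Release.gpg or
InRelease signature block and report expected signing keys that are missing.
Only packet structure (RFC 4880 5.2.3 signatures, Issuer / Issuer Fingerprint
subpackets) is inspected; verifying signatures stays the job of gpgv or apt."""
import base64
import re
import struct

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", re.S)

def dearmor(text):
    """Raw packet bytes of the armored block (Release.gpg, or the end of InRelease)."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no PGP SIGNATURE armor block found")
    # keep base64 lines only: drop armor headers ("Version:"), blanks and the CRC24 "=XXXX" line
    body = [l.strip() for l in m.group(1).splitlines()]
    return base64.b64decode("".join(l for l in body if l and ":" not in l and l[0] != "="))

def _length(data, i):
    b0 = data[i]                                         # RFC 4880 4.2.2 length forms
    if b0 < 192:
        return b0, i + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5

def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ptag & 0x40:                                  # new format
            if 224 <= data[i + 1] < 255:
                raise ValueError("partial body lengths not supported")
            tag, (length, i) = ptag & 0x3F, _length(data, i + 1)
        else:                                            # old format
            tag, n = (ptag >> 2) & 0x0F, (1, 2, 4, None)[ptag & 0x03]
            if n is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def iter_subpackets(data):
    """Yield (type, body) per signature subpacket; bit 7 (critical) masked off."""
    i = 0
    while i < len(data):
        length, i = _length(data, i)
        yield data[i] & 0x7F, data[i + 1:i + length]
        i += length

def signature_issuers(packets):
    """{'keyid', 'fpr'} per v4 signature packet (tag 2); fpr needs a type 33 subpacket."""
    out = []
    for tag, body in iter_packets(packets):
        if tag != 2 or body[0] != 4:
            continue                                     # non-v4 signatures are ignored
        hl = struct.unpack(">H", body[4:6])[0]
        ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]
        subs = list(iter_subpackets(body[6:6 + hl])) + list(iter_subpackets(body[8 + hl:8 + hl + ul]))
        keyid = fpr = None
        for stype, sub in subs:
            if stype == 16 and len(sub) == 8:            # Issuer key ID
                keyid = sub.hex().upper()
            elif stype == 33 and len(sub) == 21 and sub[0] == 4:   # Issuer Fingerprint (v4)
                fpr = sub[1:].hex().upper()
        out.append({"keyid": keyid or (fpr and fpr[-16:]), "fpr": fpr})
    return out

def missing_signers(armored_text, expected_fprs):
    """Expected fingerprints (40 hex chars, spaces allowed) with no signature packet."""
    sigs = signature_issuers(dearmor(armored_text))
    ids = {s["keyid"] for s in sigs if s["keyid"]}
    fprs = {s["fpr"] for s in sigs if s["fpr"]}
    want = [f.replace(" ", "").upper() for f in expected_fprs]
    return [f for f in want if f not in fprs and f[-16:] not in ids]

# Constructed sample data using the two fingerprints quoted in the comment above.
OLD_FPR = "72AF2B5F7B24A8FFE4F41AC4E572249A33EB9743"
NEW_FPR = "EF181314AFE1834694A34CC65D93177D0752732A"

def _sub(stype, body):
    return bytes([len(body) + 1, stype]) + body          # one-byte length form

def _fake_sig_packet(fpr_hex):
    """Constructed v4 signature (canonical text, RSA, SHA-256) naming fpr_hex; dummy value."""
    fpr = bytes.fromhex(fpr_hex)
    hashed = _sub(33, b"\x04" + fpr) + _sub(2, b"\x65\x00\x00\x00")
    unhashed = _sub(16, fpr[-8:])
    body = (bytes([4, 0x01, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xde\xad" + b"\x08\x00" + b"\x42" * 256)  # hash prefix, 2048-bit MPI
    return b"\x89" + struct.pack(">H", len(body)) + body  # old-format tag 2 header

def _armor(packets):
    b64 = base64.b64encode(packets).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n"

SAMPLE_BOTH = _armor(_fake_sig_packet(OLD_FPR) + _fake_sig_packet(NEW_FPR))
SAMPLE_OLD_ONLY = _armor(_fake_sig_packet(OLD_FPR))

if __name__ == "__main__":
    import sys                                           # usage: script.py dists/*/Release.gpg
    for path in sys.argv[1:]:
        print(path, "missing:", missing_signers(open(path).read(), [OLD_FPR, NEW_FPR]))
```

Run it over the Release.gpg files the loop produces; a non-empty result means a client that only trusts the missing key will not be able to validate that suite. A present signature packet is still only a structural fact, so to confirm that each signature actually verifies, run gpgv twice against the same Release file, once with a keyring holding only the old key and once with a keyring holding only the new key, which is what clients on either side of the transition will do.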