krobertson / deb-s3

Easily create and manage an APT repository on S3 -- NO LONGER MAINTAINED
MIT License

Also sign InRelease for Jessie & Stretch (not just Xenial) #126

Closed russmac closed 6 years ago

russmac commented 7 years ago

InRelease is only signed for Xenial due to the logic on line 106.

This change causes it to also be signed for Debian Jessie & Stretch.

It's not the most elegant fix. An array of release names that require InRelease signing should probably be set somewhere and if release_array.include? "self.codename" used.

I also had to regenerate the signing key to sign with SHA-256 by adding these lines to ~/.gnupg/gpg.conf:

personal-digest-preferences SHA256
cert-digest-algo SHA256

After this my apt updates worked with 0 errors.

JedMeister commented 6 years ago

@russmac - Thanks for this. Thanks too for your hint on gpg conf. FWIW I didn't need to regenerate keys, changing those settings seemed to be enough to resolve my issues with a Stretch repo?!

russmac commented 6 years ago

@JedMeister Thanks for pointing that out, I think I had two separate issues. My key was a SHA type considered sufficiently weak enough that it did need to be redone for apt-secure to consider it acceptable, it also wasn't being used to sign. Yours was probably one it accepted.
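
An added example, not part of the thread and not deb-s3 code: a quick pre-publish check of which digest a clearsigned InRelease file declares, relevant to the SHA-256 settings discussed above. The function names, the sample files and the list of digests treated as weak are assumptions of this example; the `Hash:` header is only a declaration, so `gpg --verify` remains the authoritative check.

```ruby
# Added example (not deb-s3 code): read the "Hash:" armor header(s) of a
# cleartext-signed InRelease file, as defined in RFC 4880 section 7.
WEAK_DIGESTS = %w[MD5 SHA1 RIPEMD160].freeze # assumption: digests apt flags as weak

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG    = "-----BEGIN PGP SIGNATURE-----"

# Returns the digest names declared for the cleartext signature.
def clearsign_digests(text)
  lines = text.lines.map(&:chomp)
  raise ArgumentError, "not a cleartext-signed document" unless lines.first == BEGIN_SIGNED
  raise ArgumentError, "signature block missing" unless lines.include?(BEGIN_SIG)

  # Armor headers run from the second line up to the first empty line.
  headers = lines.drop(1).take_while { |l| !l.empty? }
  digests = headers.flat_map do |h|
    name, value = h.split(":", 2)
    next [] unless name == "Hash" && value
    value.split(",").map { |d| d.strip.upcase } # several digests may be listed
  end
  # RFC 4880: with no Hash header present, MD5 is assumed.
  digests.empty? ? ["MD5"] : digests.uniq
end

# Returns the declared digests that fall in the weak set (empty if none).
def weak_digests(text)
  clearsign_digests(text) & WEAK_DIGESTS
end

# Constructed sample input; the signature body is a placeholder, not real.
SAMPLE_SHA256 = <<~EOS
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  Origin: example
  Codename: stretch
  -----BEGIN PGP SIGNATURE-----

  (constructed placeholder)
  -----END PGP SIGNATURE-----
EOS
SAMPLE_SHA1 = SAMPLE_SHA256.sub("Hash: SHA256", "Hash: SHA1")

if __FILE__ == $PROGRAM_NAME
  { "sha256" => SAMPLE_SHA256, "sha1" => SAMPLE_SHA1 }.each do |name, doc|
    puts "#{name}: declared=#{clearsign_digests(doc)} weak=#{weak_digests(doc)}"
  end
end
```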

russmac commented 6 years ago

@krobertson Any comments on this? It resolves a significant issue.

magnetik commented 6 years ago

Shouldn't this be an option from the command line in addition to the automatic guessing?

I'm running a repo not tied to a specific distribution (as it only provides an executable), and I would like to provide the InRelease too.