Closed pdsouza closed 7 years ago
Created a separate signing key (fingerprint C8CC 4889 2A8D 0B59 F08B 40D8 0C37 4E74 2AE8 62B4) for Maru available at https://maruos.com/static/gpg.txt.
The Maru APT archive has now switched to signed Release files.
Any Maru packages installed are now verified against the Maru signing key. See https://github.com/maruos/blueprints/commit/0b9be9efacfde17cf26b78e04018d9c88d5bbe0b for details.
I was dumb and forgot the password for the signing key so I generated a new one.
Fingerprint: DF4B 5D9A 28C1 A723 1191 D739 4F5E 5755 E35B 303B
Available as usual at https://maruos.com/static/gpg.txt
This new key update should be transparent to users.
The current Maru APT archive doesn't use a signed Release file so packages cannot be verified. We currently get around this with `--allow-unauthenticated`, but it would be best to use secure APT asap.
To use secure APT, we need to create a signed Release.gpg file for the archive which contains hashes that apt-get will automatically check when installing a package. See docs for more info.
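The hash chain that secure APT relies on, as an added example (not code from this issue or from the Maru project): the Release file lists hashes of the Packages index, and the Packages index lists hashes of each .deb. The sketch assumes the Release file's signature has already been verified with gpg against the archive key; the function names, paths and sample archive are constructed for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(text):
    """{path: (sha256, size)} from the SHA256 field of a Release file."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        else:
            in_field = False  # next field header ends the list
    return entries

def parse_packages(text):
    """{Filename: (sha256, size)} from a Packages index (one stanza per package)."""
    out = {}
    for stanza in text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines()
                 if ": " in l and not l.startswith(" "))
        out[f["Filename"]] = (f["SHA256"].lower(), int(f["Size"]))
    return out

def check(entries, name, data):
    if name not in entries:
        return "not listed"
    digest, size = entries[name]
    if len(data) != size:
        return "size mismatch"
    return "ok" if sha256(data) == digest else "hash mismatch"

def verify_chain(release, index_path, index, deb_path, deb):
    """Release -> Packages -> .deb; the Release signature is assumed already verified."""
    r = check(parse_release_sha256(release), index_path, index)
    if r != "ok":
        return "index: " + r
    r = check(parse_packages(index.decode()), deb_path, deb)
    return r if r == "ok" else "package: " + r

# Constructed sample archive, not Maru's real files.
DEB = b"constructed package payload"
DEB_PATH = "pool/main/e/example-pkg_1.0_all.deb"
INDEX_PATH = "main/binary-armhf/Packages"
PACKAGES = (f"Package: example-pkg\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
RELEASE = f"Suite: stable\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
```

Calling `verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB)` returns `"ok"`; altering a byte of the package or the index makes the corresponding link in the chain fail.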