Comments (10)
You have to sign your packages
http://blog.jonliv.es/blog/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/
Thanks, I will check it out
The article discusses signing the repo as well as the packages, and references files that don't exist in repos made with deb-s3. Is it necessary or even possible to sign repos made with deb-s3? How much of the cited article is relevant, and if those instructions are followed will other warnings appear? For example, when signing a package that was previously uploaded to S3, what is the procedure to update the package? Can the signed .deb be copied over the unsigned .deb, or will that break things? Is there a command to do this?
@mslinn Sorry I hadn't seen this issue when it was first filed!
The article @kedare links to is close to what you'd want. It isn't generally necessary to sign packages, or packages and the repository. I typically just sign the repository. The repository manifest contains the URLs to all the packages, the checksums, as well as the size. This effectively validates all the packages referenced in one, since the host will validate the checksums when downloading.
To have the package repository be signed, simply add the --sign argument when running deb-s3 upload. This will upload the package, add it to the repository manifest, and then sign the manifest. If you have a specific key you want to sign with, then use --sign=KEYID and it will use that specific key.
Then as the article mentions, you can use apt-key on the individual machines to add your key to the local trusted keyring.
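The comment above argues that signing only the repository manifest is enough because the Release file carries the checksum and size of every Packages index, and each Packages index carries the checksum and size of every .deb it lists. The following is an added example written for this page, not code from deb-s3 or from apt: it walks that chain over constructed data (a fake .deb, a Packages stanza and a Release file, all built inline) and returns whether a package is trusted. The Release signature check itself is done by apt and gpg against the keyring, so it is modelled here as a boolean supplied by the caller; the field names (SHA256, Size, Filename) are the real apt index fields.

```python
"""Trust chain of a signed apt repository: Release -> Packages -> .deb.

Added example, not deb-s3's own code. Everything below is constructed
for the example so it runs offline without gpg or network access.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample repository content (not a real package) ---
DEB_BYTES = b"!<arch>\nconstructed-fake-deb-contents\n"
DEB_FILENAME = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"

# One stanza of a Packages index, pointing at the fake .deb above.
PACKAGES_INDEX = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_FILENAME}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
    "\n"
).encode()

# The Release file: this is the only artefact deb-s3 --sign signs.
# Its SHA256 section pins every index file by digest and size.
RELEASE_FILE = (
    "Origin: constructed\n"
    "Suite: stable\n"
    "Architectures: amd64\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} {INDEX_PATH}\n"
)


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # section entries are indented; anything else ends it
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_bytes: bytes) -> list:
    """Return a list of {field: value} dicts, one per stanza of a Packages index."""
    stanzas = []
    for block in packages_bytes.decode().split("\n\n"):
        if not block.strip():
            continue
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Check a downloaded Packages index against the (signed) Release file."""
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return False
    digest, size = expected
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest


def verify_deb(packages_bytes: bytes, filename: str, deb_bytes: bytes) -> bool:
    """Check a downloaded .deb against the stanza that lists it."""
    for stanza in parse_packages(packages_bytes):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and stanza["SHA256"] == sha256_hex(deb_bytes))
    return False  # not listed at all


def package_is_trusted(release_signature_ok: bool, release_text: str, index_path: str,
                       index_bytes: bytes, filename: str, deb_bytes: bytes) -> bool:
    """The whole chain: a trusted Release signature covers the index, which covers the .deb."""
    if not release_signature_ok:
        return False
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes, filename, deb_bytes))


if __name__ == "__main__":
    ok = package_is_trusted(True, RELEASE_FILE, INDEX_PATH, PACKAGES_INDEX, DEB_FILENAME, DEB_BYTES)
    print("package trusted:", ok)
    tampered = package_is_trusted(True, RELEASE_FILE, INDEX_PATH, PACKAGES_INDEX, DEB_FILENAME, DEB_BYTES + b"x")
    print("tampered .deb trusted:", tampered)
```

Note that the chain only holds while the Release signature itself is verified first; a mirror that can rewrite Release and Release.gpg together, or a client that accepts an unsigned Release, defeats every later hash check. Real apt additionally honours Date and Valid-Until in the Release file so that a stale but validly signed manifest cannot be replayed indefinitely.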
I have uploaded a few unsigned packages. I don't have updates yet. How do I set things right?
If you do deb-s3 verify --sign it should force an update with it signed.
It would be helpful to add more detail to README.md about the verify --sign command / option combination. Currently it just says:
Usage:
deb-s3 verify
Options:
-f, [--fix-manifests] # Whether to fix problems in manifests when verifying.
[--sign=SIGN] # Sign the Release file. Use --sign with your key ID to use a specific key.
A brief mention about the requirement for a GPG key would also be helpful, with a link to a brief and to-the-point external reference. Even better, also add a typical incantation to create and deploy a GPG key. For example, reading the link provided earlier (which is out of date because gpg has changed its behavior in the 4 years since the article was written) I extrapolated:
$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Clark Kent
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Clark Kent <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 188 more bytes)
# time goes by
I have no idea what the email address munging does. The reference does not properly explain this.
$ gpg --armor --export [email protected] \
      --output [email protected] > ~/.gnupg/superman.pem.gpg
Now the deb-s3 docs refer to a key ID. Where do I find that?
Please don't close this issue. I would very much like to run deb-s3 verify --sign but I still don't know how!
I am not going to extend the dialog to document how to use GPG, especially since Googling it is so easy and will yield vastly superior docs.
From the looks of your output, it seems your gpg --gen-key might have failed, especially from the last paragraph. There are some good GPG cheat sheets out there to show some useful commands.
GPG key IDs are a string that is generated to identify your key. Believe it is a SHA1. If you do a gpg --list-keys, it will show the short version of the key ID. You'll likely see rsa2048/XYZ, where XYZ is the shortened version of the key ID.
For posterity, this is what I did:
$ gpg --list-keys
/home/mslinn/.gnupg/pubring.gpg
-------------------------------
pub 2048R/AB12CD34 2015-12-19
uid Michael Slinn <[email protected]>
sub 2048R/9D4B4321 2015-12-19
$ deb-s3 verify --sign AB12CD34 --bucket mslinn-ppa
>> Retrieving existing manifests
>> Checking for missing packages in: stable/main amd64
>> Removing 0 package(s) from the manifest...
-- Transferring dists/stable/main/binary-amd64/Packages
-- Transferring dists/stable/main/binary-amd64/Packages.gz
-- Transferring dists/stable/Release
/var/lib/gems/2.1.0/gems/deb-s3-0.7.1/lib/deb/s3/release.rb:106: warning: Insecure world writable dir /usr/local/bin in PATH, mode 040777
-- Transferring dists/stable/Release.gpg
>> Update complete.
>> Checking for missing packages in: stable/main i386
>> Removing 0 package(s) from the manifest...
-- Transferring dists/stable/main/binary-i386/Packages
-- Transferring dists/stable/main/binary-i386/Packages.gz
-- Transferring dists/stable/Release
-- Transferring dists/stable/Release.gpg
>> Update complete.