Signing an APT repo

The document on secure APT contains an excellent explanation of what secure APT actually is. One section is empty though: the one about setting up your own secure APT repo.

I have some circumstantial evidence that my local APT repo is secure. :-) apt-get update complained about packages being “unsecure” when I installed from it. Then I signed my Release file, and instead I was told that the key was missing. Then I used apt-key to add my GPG key and the complaint went away.

I use dput and mini-dinstall to manage my local repo. At some point I’m planning on synchronising it to another computer so that it’s available to others as well, but due to bandwidth problems I haven’t started doing this yet.

My ~/.dput.conf looks like this:

allow_unsigned_uploads = 0

fqdn = localhost
method = local
incoming = /usr/local/apt/mini-dinstall/incoming
post_upload_command = mini-dinstall --batch

As you can see, my local repo lives in /usr/local/apt. Then the ~/.mini-dinstall.conf looks like this:

architectures = all, i386
archivedir = /usr/local/apt
use_dnotify = 0
verify_sigs = 1
extra_keyrings = ~/ms_home/secret/gnupg/pubring.gpg
mail_on_success = 0
archive_style = flat
poll_time = 40
mail_log_level = NONE
generate_release = 1
release_description = Magnus' Funky Packages
release_signscript = ~/bin/release_sign

Most of this should be obvious to anyone who’s read the manpage. The only interesting bit is the release_signscript at the end. Based on information in the manpage I wrote this little shell script:

#! /bin/sh
# mini-dinstall calls this with the path of the freshly generated Release file
# as $1. Produce a detached, ASCII-armoured signature next to it as Release.gpg.
# --batch --yes lets a re-run overwrite an existing Release.gpg without prompting.
set -e
gpg --batch --yes --detach-sign --armor --output Release.gpg "$1"

Pretty straightforward really!
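The complaint from apt-get going away is a good sign, but the checks apt performs can also be run by hand against the repo directory. The script below is an added example (not part of the original post or of mini-dinstall): it verifies Release.gpg over Release using only the repo's public key in a dedicated keyring (the way apt-key's keyring does), and then checks that every file listed under the SHA256: section of Release has the recorded size and digest, which is what makes a signed Release pin the Packages index. It assumes a flat repo directory, a Release file with a SHA256: section, and gpg and sha256sum on the path.

```shell
#!/bin/sh
# Hand-run the two checks secure APT performs on a flat repo directory.
set -eu

# $1 = repo dir, $2 = absolute path of a keyring holding ONLY the repo's public key.
# Succeeds only if Release.gpg is a valid detached signature over Release.
verify_release_sig() {
    gpg --batch --no-default-keyring --keyring "$2" \
        --verify "$1/Release.gpg" "$1/Release" >/dev/null 2>&1
}

# $1 = repo dir. Returns 1 if any file under SHA256: in Release is missing,
# has a different size, or has a different digest.
check_release_sums() {
    dir=$1
    # Emit "<sha256> <size> <name>" for entries in the SHA256: section only;
    # any other "Header:" line ends that section.
    awk '/^[A-Za-z0-9]+:/ { in_sha = ($1 == "SHA256:"); next }
         in_sha && NF == 3 { print $1, $2, $3 }' "$dir/Release" |
    while read -r want_sum want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name" >&2
            exit 1
        fi
        have_size=$(wc -c < "$path" | tr -d ' ')
        have_sum=$(sha256sum "$path" | awk '{print $1}')
        if [ "$have_size" != "$want_size" ] || [ "$have_sum" != "$want_sum" ]; then
            echo "MISMATCH $name" >&2
            exit 1
        fi
    done
}
```

Run both functions against the directory that holds Release, Release.gpg and Packages; a non-zero exit from either means apt would (rightly) refuse the repo.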
