Is it possible to use the public-gpg-key import feature of apt-add-repository with my own reprepro repository? Is there e.g. something like a default key server where apt-add-repository expects to find the keys or a path within the (http) repository where it will look for it?
2 Answers
If you are asking about whether add-apt-repository will work with your own repo that you host yourself rather than on Launchpad, the answer is "No", and with good reason.
The add-apt-repository tool provides a cryptographically strong trust relationship to valid Launchpad PPAs. What it can't guarantee is that you should trust the Launchpad users who have upload access to a given PPA, but it still provides a good audit trail and a guarantee that packages at least come from the claimed PPA.
If what you were asking for was possible, it would have no trust guarantee at all and would be more or less equivalent to Windows users downloading random things from random websites at random moments in time.
Is there a good reason why you need to use your own repo, why you can't use a PPA?
Both apt-add-repository and add-apt-repository have a -k option you can use to specify your own public keyring repository. apt-key can add the fingerprint of the key you control and trust. Of course you can simply add a public key to the keyserver.ubuntu.com or other keyserver rather than using your own keyserver, but apt still must be told the key fingerprints. See Saji89's helpful answer about apt-key at https://askubuntu.com/a/217529/63886 (and vote it up if it proves useful to you).
You can also use medibuntu's approach as automation if many computers are involved. Here's how medibuntu.org does it:
sudo -E wget --output-document=/etc/apt/sources.list.d/medibuntu.list http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list && sudo apt-get --quiet update && sudo apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring && sudo apt-get --quiet update
That is followed up by installing a couple more packages once the repo has been added.
As explanation:
sudo -E wget --output-document=/etc/apt/sources.list.d/medibuntu.list http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list
adds the repo itself to your configuration.
sudo apt-get --quiet update
Updates the apt-get information from the new (and all other) repos.
sudo apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring
Installs the public key for the repository. The --allow-unauthenticated is how you avoid the chicken and egg problem.
sudo apt-get --quiet update
Updates apt again.
Then application data and debugging hooks packages are added for their applications.
You can browse their repo http://packages.medibuntu.org/ to see how their packages do the job.
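An added example, not part of either answer above: one way to close the chicken-and-egg gap that `--allow-unauthenticated` leaves open is to compare the downloaded key's fingerprint against one obtained out of band before trusting it. The function names, the sample listings and the pinned fingerprint are all constructed for illustration; the input is the text printed by `gpg --show-keys --with-colons FILE`.

```shell
# Added example: pin a self-hosted repository's signing key by fingerprint.
# Input is gpg colon-format listing text; every sample value is constructed.

# Print the fingerprint of each primary key in a colon listing on stdin.
# A "pub" record starts a primary key and the next "fpr" record carries its
# fingerprint in field 10; "fpr" records that follow "sub" are subkeys.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if the listing holds exactly one primary key and its
# fingerprint equals the pin (spaces and letter case are ignored).
key_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$found" ] || return 1                       # no key at all
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1  # extra keys
    [ "$found" = "$pin" ]
}

# Constructed listing: one primary key with one subkey.
SAMPLE_ONE='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::AAAA::Example Repo <repo@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1500000000::::::e::::::23:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA1111222233334444:'

# Constructed listing: the same file with a second, unexpected primary key.
SAMPLE_TWO="$SAMPLE_ONE
pub:-:4096:1:0000111122223333:1500000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:"

# Constructed pin, as it would be copied from a trusted channel.
PIN='0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'

# Real use (file name is an assumption):
#   gpg --show-keys --with-colons repo-key.asc | key_matches_pin "$PIN"
if printf '%s\n' "$SAMPLE_ONE" | key_matches_pin "$PIN"; then
    echo "fingerprint matches pin: key may be installed"
fi
```

A file carrying a second primary key is rejected even when the expected key is present, since installing it would trust every key in the file.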