I want to create my own repository for our application. I created a master key with a signing subkey with PGP before, and I sign the deb package with:

dpkg-sig --sign builder sample.deb

Then I create the repo with reprepro:

reprepro --ask-passphrase -b base includedeb all sample.deb

Reprepro creates the necessary signed files:

./conf:
distributions  options

./db:
checksums.db  contents.cache.db  packages.db  references.db  release.caches.db  version

./dists:
all

./dists/all:
InRelease  main  Release  Release.gpg

./dists/all/main:
binary-amd64  binary-i386

./dists/all/main/binary-amd64:
Packages  Packages.gz  Release

./dists/all/main/binary-i386:
Packages  Packages.gz  Release

./pool:
main

./pool/main:
s

./pool/main/s:
sample

./pool/main/s/sample:
sample_2.2.48.9015_all.deb

I install the public key on the client machine, but after installing the package I receive this message:

WARNING: The following packages cannot be authenticated!
  sample
Install these packages without verification? [y/N]

Why?

crazyman

1 Answer

GPG signing is complicated. For APT repositories there are two layers of GPG signatures:

  1. Signatures on the packages themselves, with dpkg-sig or debsign.
  2. Signatures on the repository metadata.

You are seeing that message because APT does not see any signature on your repository metadata. You can make this happen by adding SignWith to your reprepro config. You can read more in a comprehensive blog post I wrote, here.

You can verify that SignWith has worked by looking for a file named Release.gpg or InRelease. If you find a file named InRelease, view the contents of the file and ensure that a GPG signature is found at the bottom. If so, reprepro has generated the signature properly. Keep in mind that repositories that are GPG signed are still vulnerable to a large number of man-in-the-middle attacks unless they are served over HTTPS.

I would also recommend checking that the public GPG key has been correctly imported on the client system by running apt-key list. If you don't see the key on the list, you should add it with apt-key add filename.

It is important to note that Ubuntu and Debian do not verify GPG signatures of packages -- it is disabled by default and terribly, terribly difficult to get working. I would advise avoiding GPG signing your packages.

Also note that you should distribute your repository over HTTPS, to avoid a plethora of security bugs (even with GPG signatures).
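An added example, not from the question or the answer above, of the two steps the answer describes: a conf/distributions for the layout shown in the question (codename "all", component "main", amd64 and i386) with SignWith added, and a check that dists/<codename> actually carries a signature on its metadata. The key id is a placeholder; check_release_signature only looks for the signature block the answer tells you to look for, and verify_with_gpg is the real cryptographic check for when gpg and the public key are available.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the reprepro base
# directory layout shown in the question: conf/distributions and
# dists/<codename>/{Release,Release.gpg,InRelease}.

# Write conf/distributions for the asker's layout and add SignWith so that
# reprepro signs the repository metadata (Release.gpg / InRelease).
# $2 is the signing key id; "PLACEHOLDER_KEYID" is not a real key.
write_distributions() {
    base="$1"; keyid="$2"
    mkdir -p "$base/conf"
    cat > "$base/conf/distributions" <<EOF
Codename: all
Components: main
Architectures: amd64 i386
SignWith: $keyid
EOF
}

# Cheap structural check of dists/<codename>, as the answer describes:
# returns 0 if InRelease ends in a PGP signature block or a non-empty
# detached Release.gpg exists, 1 if the metadata is unsigned (APT will then
# report "The following packages cannot be authenticated").
check_release_signature() {
    distdir="$1"
    if [ -f "$distdir/InRelease" ] &&
       grep -q -F -e '-----BEGIN PGP SIGNATURE-----' "$distdir/InRelease"; then
        echo "InRelease carries an inline signature"
        return 0
    fi
    if [ -s "$distdir/Release.gpg" ]; then
        echo "detached Release.gpg present"
        return 0
    fi
    echo "no signature on repository metadata in $distdir" >&2
    return 1
}

# Real verification: checks the signature against the keys in the caller's
# gpg keyring (the public key must have been imported first). Not used by the
# structural check above so it can run without gpg installed.
verify_with_gpg() {
    distdir="$1"
    if [ -f "$distdir/InRelease" ]; then
        gpg --verify "$distdir/InRelease"
    else
        gpg --verify "$distdir/Release.gpg" "$distdir/Release"
    fi
}
```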