Ubuntu – Ubuntu doesn’t want to use signed deb repository

Let's go.
I have a local deb repository. It works fine. But every time I update my software there is a warning "You are about to install software that can't be authenticated". I decided to sign my local repository.
My repo structure:

/var/www/deb/repo/deb/dists/stable/main/soft_1.0.0-0_amd64.deb
/var/www/deb/repo/deb/dists/stable/main/binary-amd64/Packages.gz

I created a GPG key and imported it on my repo server and on my Ubuntu machine.
I also created a Release file in each of binary-amd64 and binary-i386. After that I calculated checksums and signed my repository.

apt-ftparchive release dists/stable/main/binary-amd64 >> dists/stable/main/binary-amd64/Release
gpg -abs -o dists/stable/main/binary-amd64/Release.gpg dists/stable/main/binary-amd64/Release

After signing I got new files in my repository:

/var/www/deb/repo/deb/dists/stable/main/binary-amd64/Release
/var/www/deb/repo/deb/dists/stable/main/binary-amd64/Release.gpg

Release file:

Archive: stable
Suite: stable
Component: main
Origin: mySoft
Label: soft-deb-repo
Architecture amd64

Date: Tue, 08 May 2012 14:36:57 UTC
MD5Sum:
 4fd2fb417d39f3eb7e02c742817e3c35              464 Packages.gz
 f49b96b059c8df343c8903563cfd55f2              109 Release
SHA1:
 a2cf6872ae378f9239b5427d06258fb99cd2657f              464 Packages.gz
 c4476d3c036d5373855c2fd7dc61cd7882dd7546              109 Release
SHA256:
 229ffd0eaaf41591827b410fa329c98211fe33cdf658726645f6f25e09edce07              464 Packages.gz
 5b446e696c9bb94515d97f345bc96a231fa8bc9e9f213e6aa15e4431d2f2e160              109 Release

And Release.gpg:


But the problem doesn't disappear: when I check for updates with the Package Manager, it says that my software can't be authenticated. Aptitude says "WARNING: untrusted version of the following packages will be installed". What am I doing wrong?

Best Answer

  • I had to create an InRelease file to solve the authentication problem. I solved this by reading apt-secure in the manual pages. I also had to create a Packages file (unzipped). Here are the two commands:

    gpg --clearsign -o InRelease Release
    gpg -abs -o Release.gpg Release
    

    My directory structure and files look like this, to help you better understand what I am doing.

    shift@shift-VirtualBox:~/shiftRepo$ ls -R
    .:
    dists  shiftCPEKey
    
    ./dists:
    stable
    
    ./dists/stable:
    main
    
    ./dists/stable/main:
    binary
    
    ./dists/stable/main/binary:
    CPEDataCollector_1.0+SNAPSHOT.deb  CPEQueueConsumer_1.0+SNAPSHOT.deb  Packages     Release
    CPEQueueBroker_1.0+SNAPSHOT.deb    InRelease                          Packages.gz  Release.gpg
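
An added example, not part of the original question or answer: a valid signature on Release only helps if the sizes and hashes listed in it still match the index files, because apt compares each downloaded index with those entries. The Python sketch below checks the SHA256 section of a Release file against the files beside it; the function names and the sample repository are constructed for illustration.

```python
import gzip, hashlib, tempfile
from pathlib import Path

def parse_release_sha256(text):
    """Return {filename: (sha256_hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):      # any new field name ends the previous section
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, name = line.split(None, 2)
            entries[name] = (digest.lower(), int(size))
    return entries

def check_release(release_path):
    """Map each file listed under SHA256: to ok / missing / size-mismatch / hash-mismatch."""
    release = Path(release_path)
    result = {}
    for name, (digest, size) in parse_release_sha256(release.read_text()).items():
        path = release.parent / name
        data = path.read_bytes() if path.is_file() else None
        if data is None:
            result[name] = "missing"
        elif len(data) != size:
            result[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            result[name] = "hash-mismatch"
        else:
            result[name] = "ok"
    return result

def build_sample_repo(root):
    """Constructed sample data: a Packages index, its gzip, and a matching Release."""
    packages = b"Package: soft\nVersion: 1.0.0-0\nArchitecture: amd64\n"
    files = {"Packages": packages, "Packages.gz": gzip.compress(packages)}
    lines = ["Suite: stable", "Component: main", "SHA256:"]
    for name, data in files.items():
        (Path(root) / name).write_bytes(data)
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):16d} {name}")
    release = Path(root) / "Release"
    release.write_text("\n".join(lines) + "\n")
    return release

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        release = build_sample_repo(tmp)
        print(check_release(release))     # every listed index matches
        (Path(tmp) / "Packages").write_bytes(b"changed after Release was written\n")
        print(check_release(release))     # Packages no longer matches the stale Release
```

Run it against a real Release before re-signing: any entry that is not "ok" means Release must be regenerated first, then InRelease and Release.gpg recreated from the new file.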
    