aptly-dev
Supporting multiple keys for signing repositories
With the plan of transition keys with a repository I wondered if we can support this in aptly.
Detailed Description
Debian signs its repositories with multiple keys, using multiple generations of keys over each release.
It might be wise to support this in aptly. Mainly for changing keys without breaking users right away.
Sources:
- Multiple signatures with GnuPG
- Unfortunatly no documenation on this in RepositoryFormat of Debian
Context
- Security and GPG Key Exchange
- Best usability for users without forcing a hard change
Possible Implementation
While configuration would be easy (just setting multiple key IDs), it might be tricky to do with gnupg2.
I haven't done much testing yet, but had a look on the Debian repositories.
Unfortunately this is still a problem. We "naively" used the default 2-year lifetime for our signing key, instead of Debian's 8-year or Proxmox's 10-year, and now we are facing keyring migration issue.
Right now, we have to manually sign the Release file by passing -skip-signing to aptly publish repo, then run following commands:
GPG_PARAMETERS=(
"--yes"
"--armor"
"-u" "72AF2B5F7B24A8FFE4F41AC4E572249A33EB9743"
"-u" "EF181314AFE1834694A34CC65D93177D0752732A"
)
for i in "$HOME"/.aptly/public/*/dists/*/Release
do
DISTRO_PATH="$(dirname "$i")"
gpg "${GPG_PARAMETERS[@]}" --clear-sign -o "$DISTRO_PATH/InRelease" "$i"
gpg "${GPG_PARAMETERS[@]}" --detach-sign -o "$DISTRO_PATH/Release.gpg" "$i"
done
