[clug] Re-signing Debian Packages (answer)

jm jeffm at ghostgun.com
Mon Jan 16 21:39:39 UTC 2023


Replying to myself to make this easier to find. These are the rough 
steps which appear to have solved the problem of having the Debian repo 
signed by an expired key. It's still yet to get extensive testing, but 
the initial tests show this works.

1. Create a new Key

     $ gpg --gen-key

2. Export public key for use on devices (put secret/private key 
somewhere safe). This is the binary version of the key as I read in one 
of the links provided to me on this mailing list that apt doesn't 
support ascii armoured keys (may not be true for later versions).

     $ gpg --export <key-id> > repo-public.gpg

3. Back up old signature file

     cp Release Release-orig
     cp Release.gpg Release.gpg-orig

4. Create a new signature file

     # --detach-sign is itself the signing command; with --armor the
     # signature is written to Release.asc
     gpg --armor --default-key <key-id> --detach-sign Release

5. Verify

     gpg --verify Release.asc

6. Concatenate onto existing signatures (or overwrite which is what I 
ended up doing)

     cat Release.asc >> Release.gpg

7. Copy public gpg key to device and place into /etc/apt/trusted.gpg.d/ 
and possibly add a signed-by directive to /etc/apt/sources.list if 
felt necessary.

8. Test by doing some apt-get commands, e.g.,

     apt-get update

and installing new packages.


Useful links

https://wiki.debian.org/SecureApt
https://stackoverflow.com/questions/73570418/w-key-is-stored-in-legacy-trusted-gpg-keyring-etc-apt-trusted-gpg-see-the-d
https://wiki.debian.org/DebianRepository/UseThirdParty
Any page that helps with gpg.

Thanks,

Jeff.



On 12/1/23 11:08, jm via linux wrote:
> I've run into a problem with a set of legacy systems which are very 
> much stuck on an old version of debian for which the GPG package key 
> has expired. It's possible to ignore the GPG key and have apt manage 
> the packages regardless, but I was wondering if anyone knew of a better 
> way? The one that comes to mind is, would it be possible to resign the 
> packages with a new in-house key? If so, how would this be done and 
> what would be involved?
>
> And, to short circuit this suggestion, it's not possible to do a 
> distro upgrade.
>
> Jeff.
>
>
>
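The steps above, as an added example that is not part of the original post
or the author's own commands: a POSIX shell script that generates a
throwaway key, exports it in binary form, signs a constructed Release file
and then verifies it the way apt does, with gpgv against only the exported
keyring. It goes beyond the post in two ways: it writes both signature
forms apt looks for (a binary detached Release.gpg and a clearsigned
InRelease) instead of appending an armored signature, and it includes a
tamper check so the verification step is shown to actually fail when it
should. It assumes gpg 2.1 or later (for --quick-gen-key), and the key
uid, the Release contents and the temp-directory layout are all
constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: re-sign a Debian-style
# Release file with a fresh key and verify it the way apt does (gpgv
# against a keyring file). Runs entirely in a temp directory; the key,
# its uid and the Release contents are constructed for the demo.
set -eu

# Expiry field (epoch seconds, empty = never) of the primary key whose
# uid matches $1; an expired key here is exactly the original problem.
key_expiry() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $7; exit }'
}

# Sign $1/Release with the key matching $2, producing both forms apt
# looks for: Release.gpg (binary detached) and InRelease (clearsigned).
sign_release() {
    gpg --batch --yes --local-user "$2" --output "$1/Release.gpg" --detach-sign "$1/Release"
    gpg --batch --yes --local-user "$2" --output "$1/InRelease" --clearsign "$1/Release"
}

# Verify like apt: gpgv trusts only the keyring it is given, no web of trust.
verify_like_apt() {
    gpgv --keyring "$2" "$1/Release.gpg" "$1/Release" 2>/dev/null &&
        gpgv --keyring "$2" "$1/InRelease" 2>/dev/null
}

# End to end: new key -> export -> sign -> verify -> tamper check.
# Returns 0 on success (or, with a note, when gpg is not installed).
resign_demo() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
        echo "gpg/gpgv not installed; skipping demo" >&2
        return 0
    fi
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    uid='Repo Signing (demo) <repo@example.invalid>'   # constructed uid

    # Step 1: unattended key with no passphrase and no expiry ("never").
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never
    [ -z "$(key_expiry "$uid")" ] || { echo "key has an expiry" >&2; return 1; }

    # Step 2: binary export, usable in trusted.gpg.d or as a signed-by keyring.
    gpg --batch --export "$uid" > "$work/repo-public.gpg"

    # Constructed Release file standing in for the repo's real one.
    mkdir "$work/dists"
    printf 'Origin: demo\nSuite: stable\nCodename: demo\nDate: Mon, 16 Jan 2023 21:39:39 UTC\n' \
        > "$work/dists/Release"

    # Steps 4-5: sign, then verify against the exported keyring only.
    sign_release "$work/dists" "$uid"
    verify_like_apt "$work/dists" "$work/repo-public.gpg" || { echo "verify failed" >&2; return 1; }

    # Negative check: a modified Release must not verify against Release.gpg.
    printf 'Tampered: yes\n' >> "$work/dists/Release"
    if verify_like_apt "$work/dists" "$work/repo-public.gpg"; then
        echo "tampered Release still verified" >&2; return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "re-sign and verify OK"
}

resign_demo
```

On the devices, the exported repo-public.gpg goes either into
/etc/apt/trusted.gpg.d/ as in step 7, or, more narrowly, into a keyring
referenced from the sources entry so the key is trusted for this repo only,
e.g. `deb [signed-by=/usr/share/keyrings/repo-public.gpg] http://REPO-HOST/debian SUITE main`
(REPO-HOST and SUITE are placeholders for the in-house repo's values).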



