[clug] Re-signing Debian Packages (answer)
jm
jeffm at ghostgun.com
Mon Jan 16 21:39:39 UTC 2023
Replying to myself to make this easier to find. These are the rough
steps which appear to have solved the problem of having the Debian repo
signed by an expired key. It's still yet to get extensive testing, but
the initial tests show this works.
1. Create a new Key
$ gpg --gen-key
2. Export public key for use on devices (put secret/private key
somewhere safe). This is the binary version of the key as I read in one
of the links provided to me on this mailing list that apt doesn't
support ascii armoured keys (may not be true for later versions).
$ gpg --export <key-id> > repo-public.gpg
3. Back up old signature file
$ cp Release Release-orig
$ cp Release.gpg Release.gpg-orig
4. Create a new signature file
$ gpg --sign --armor --default-key <key-id> --detach-sign Release
5. Verify
$ gpg --verify Release.asc
6. Concatenate onto existing signatures (or overwrite, which is what I
ended up doing)
$ cat Release.asc >> Release.gpg
7. Copy the public gpg key to the device and place it into
/etc/apt/trusted.gpg.d/, and possibly add a signed-by directive to
/etc/apt/sources.list if felt necessary.
8. Test by doing some apt-get commands, e.g.,
$ apt-get update
and installing new packages.
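The steps above, as an added example that is not part of the original post: the same re-signing run unattended in a throwaway GNUPGHOME, producing both Release.gpg (detached, armored, as Debian's own repos ship it) and InRelease (the clear-signed form apt fetches first), then checked the way apt checks them, with gpgv against only the exported public keyring. The key user-id and the Release contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Requires gpg >= 2.1 and gpgv.
set -eu

# verify_release <keyring> <dir>: exit status of gpgv for both signature forms,
# using only the exported keyring, which is all apt ever sees.
verify_release() {
  gpgv --keyring "$1" "$2/Release.gpg" "$2/Release" 2>/dev/null &&
  gpgv --keyring "$1" "$2/InRelease" 2>/dev/null
}

# resign_release <workdir>: key, export, backup, sign, verify. Prints the
# signing key fingerprint on success.
resign_release() {
  work=$1
  export GNUPGHOME="$work/gnupg"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  # Constructed Release file; a real one also lists the index file hashes.
  printf 'Origin: Example\nSuite: stable\nCodename: bullseye\nDate: Mon, 16 Jan 2023 00:00:00 UTC\n' \
    > "$work/Release"
  mail='repo@example.invalid'   # assumed demo identity
  # 1. New key, unattended, no passphrase so it can sign in batch mode.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Repo Signing (demo) <$mail>" default default 2y
  keyid=$(gpg --batch --with-colons --list-keys "$mail" | awk -F: '$1=="fpr"{print $10; exit}')
  # 2. Binary public key, ready for /etc/apt/trusted.gpg.d/ or a Signed-By line.
  gpg --batch --export "$keyid" > "$work/repo-public.gpg"
  # 3. Keep any old signatures (nothing to keep on a fresh tree).
  for f in Release.gpg InRelease; do
    if [ -f "$work/$f" ]; then cp "$work/$f" "$work/$f-orig"; fi
  done
  # 4. Detached signature and InRelease; --detach-sign alone implies signing.
  gpg --batch --yes --pinentry-mode loopback --passphrase '' --default-key "$keyid" \
      --armor --detach-sign --output "$work/Release.gpg" "$work/Release"
  gpg --batch --yes --pinentry-mode loopback --passphrase '' --default-key "$keyid" \
      --clearsign --output "$work/InRelease" "$work/Release"
  # 5. Verify against the exported keyring only, not the personal keyring.
  verify_release "$work/repo-public.gpg" "$work"
  echo "$keyid"
}
```

If the signed files are then edited (or the key is removed from the keyring), verify_release fails, which is the check apt-get update performs before trusting the indices.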
Useful links
https://wiki.debian.org/SecureApt
https://stackoverflow.com/questions/73570418/w-key-is-stored-in-legacy-trusted-gpg-keyring-etc-apt-trusted-gpg-see-the-d
https://wiki.debian.org/DebianRepository/UseThirdParty
Any page that helps with gpg.
Thanks,
Jeff.
On 12/1/23 11:08, jm via linux wrote:
> I've run into a problem with a set of legacy systems which are very
> much stuck on an old version of Debian for which the GPG package key
> has expired. It's possible to ignore the GPG key and have apt manage
> the packages regardless, but I was wondering if anyone knew of a better
> way? The one that comes to mind is, would it be possible to re-sign the
> packages with a new in-house key? If so, how would this be done and
> what would be involved?
>
> And, to short circuit this suggestion, it's not possible to do a
> distro upgrade.
>
> Jeff.