Comments (10)

kedare commented on July 2, 2024

You have to sign your packages

http://blog.jonliv.es/blog/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/

from deb-s3.

mslinn commented on July 2, 2024

Thanks, I will check it out

mslinn commented on July 2, 2024

The article discusses signing the repo as well as the packages, and references files that don't exist in repos made with deb-s3. Is it necessary or even possible to sign repos made with deb-s3? How much of the cited article is relevant, and if those instructions are followed will other warnings appear? For example, when signing a package that was previously uploaded to S3, what is the procedure to update the package? Can the signed .deb be copied over the unsigned .deb, or will that break things? Is there a command to do this?

krobertson commented on July 2, 2024

@mslinn Sorry I hadn't seen this issue when it was first filed!

The article @kedare links to is close to what you'd want. It isn't generally necessary to sign packages, or packages and the repository. I typically just sign the repository. The repository manifest contains the URLs to all the packages, the checksums, as well as the size. This effectively validates all the packages referenced in one, since the host will validate the checksums when downloading.

To have the package repository be signed, simply add the --sign argument when running deb-s3 upload. This will upload the package, add it to the repository manifest, and then sign the manifest. If you have a specific key you want to sign with, then use --sign=KEYID and it will use that specific key.

Then as the article mentions, you can use apt-key on the individual machines to add your key to the local trusted keyring.

mslinn commented on July 2, 2024

I have uploaded a few unsigned packages. I don't have updates yet. How do I set things right?

krobertson commented on July 2, 2024

If you do deb-s3 verify --sign it should force an update with it signed.

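
The two comments above describe the mechanism (the signed Release file carries the checksum of the Packages index, which carries the checksum of every .deb) and the fix (re-run with --sign so the manifest is signed after the fact). The script below is an added example written for this page; it is not deb-s3's code. It builds a one-package repository layout in a temporary directory with the same dists/stable/Release and Release.gpg files that deb-s3's output later in this thread shows it uploading, signs the Release with a throw-away key, and then verifies the whole chain the way an apt client would, showing that a package swapped in the pool after signing is rejected even though the signature on Release is still good. It assumes GnuPG 2.x and sha256sum on PATH; the package name, paths and key user ID are made up, and the stand-in .deb is just constructed bytes. The InRelease (clearsigned) file is written alongside Release.gpg because current apt prefers it; the thread does not say whether deb-s3 writes one.

```shell
#!/bin/sh
# Added example (editor's, not deb-s3's code). Builds a one-package apt repo,
# signs dists/stable/Release as `deb-s3 ... --sign` would, and verifies:
#   Release.gpg -> Release -> SHA256 of Packages -> SHA256 of each .deb
# Assumes GnuPG 2.x and sha256sum. All names and paths are made up.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Unprotected demo signing key in its own GNUPGHOME; prints the 40-hex
# fingerprint, the unambiguous value to pass as --sign=KEYID.
make_signing_key() {
  home=$1
  mkdir -p "$home" && chmod 700 "$home"
  GNUPGHOME=$home gpg --batch --quiet --gen-key <<'EOF' 2>/dev/null
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Repo Signing
Name-Email: repo@example.invalid
Expire-Date: 0
%commit
EOF
  GNUPGHOME=$home gpg --batch --with-colons --list-keys repo@example.invalid \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# pool/ with one constructed (not real) .deb, a Packages index carrying its
# size and SHA256, and a Release carrying the index's SHA256.
build_repo() {
  repo=$1 deb=pool/main/h/hello/hello_1.0_amd64.deb
  idx=dists/stable/main/binary-amd64/Packages
  mkdir -p "$repo/pool/main/h/hello" "$repo/dists/stable/main/binary-amd64"
  printf 'constructed stand-in for a .deb archive\n' > "$repo/$deb"
  {
    printf 'Package: hello\nVersion: 1.0\nArchitecture: amd64\n'
    printf 'Filename: %s\nSize: %s\nSHA256: %s\n\n' "$deb" \
      "$(wc -c < "$repo/$deb" | tr -d ' ')" "$(sha256_of "$repo/$deb")"
  } > "$repo/$idx"
  {
    printf 'Origin: demo\nSuite: stable\nCodename: stable\n'
    printf 'Architectures: amd64\nComponents: main\nSHA256:\n'
    printf ' %s %s main/binary-amd64/Packages\n' "$(sha256_of "$repo/$idx")" \
      "$(wc -c < "$repo/$idx" | tr -d ' ')"
  } > "$repo/dists/stable/Release"
}

# Sign only the manifest. Packages uploaded earlier are covered because their
# hashes are already in Packages, which is hashed in Release.
sign_release() {
  home=$1 keyid=$2 dist=$3/dists/stable
  rm -f "$dist/Release.gpg" "$dist/InRelease"
  GNUPGHOME=$home gpg --batch --quiet --local-user "$keyid" \
    --armor --detach-sign --output "$dist/Release.gpg" "$dist/Release"
  GNUPGHOME=$home gpg --batch --quiet --local-user "$keyid" \
    --clearsign --output "$dist/InRelease" "$dist/Release"
}

# Client side: walk the chain with a separate keyring. Any broken link
# returns non-zero, as apt would refuse the index.
verify_repo() {
  home=$1 repo=$2 dist=$2/dists/stable idx=main/binary-amd64/Packages
  GNUPGHOME=$home gpg --batch --quiet --verify "$dist/Release.gpg" "$dist/Release" \
    2>/dev/null || { echo "bad signature on Release"; return 1; }
  want=$(awk -v p="$idx" '/^SHA256:/ { f = 1; next } /^[^ ]/ { f = 0 }
                          f && $3 == p { print $1 }' "$dist/Release")
  [ "$want" = "$(sha256_of "$dist/$idx")" ] \
    || { echo "Packages does not match Release"; return 1; }
  awk '$1 == "Filename:" { fn = $2 } $1 == "SHA256:" { print fn, $2 }' "$dist/$idx" \
    | while read -r fn h; do
        [ "$h" = "$(sha256_of "$repo/$fn")" ] \
          || { echo "$fn does not match Packages"; exit 1; }
      done
}

demo() {
  work=$(mktemp -d)
  keyid=$(make_signing_key "$work/server")
  echo "signing key fingerprint (use as --sign=KEYID): $keyid"
  build_repo "$work/repo"
  sign_release "$work/server" "$keyid" "$work/repo"
  mkdir -p "$work/client" && chmod 700 "$work/client"
  GNUPGHOME=$work/server gpg --batch --armor --export "$keyid" \
    | GNUPGHOME=$work/client gpg --batch --quiet --import 2>/dev/null
  if verify_repo "$work/client" "$work/repo"; then echo "pristine repo: OK"; else exit 1; fi
  # Swap the .deb after signing: Release still verifies, the hash chain breaks.
  printf 'tampered\n' >> "$work/repo/pool/main/h/hello/hello_1.0_amd64.deb"
  if verify_repo "$work/client" "$work/repo"; then exit 1; else echo "tampered repo: rejected"; fi
  GNUPGHOME=$work/server gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME=$work/client gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}
demo
```

Two practitioner notes on the advice in this thread. First, prefer the full fingerprint (as printed by make_signing_key above) over the 8-hex short ID shown later in the thread: short IDs are not unique and are trivially collided, so `--sign=<fingerprint>` is the unambiguous form. Second, `apt-key` is deprecated on current Debian and Ubuntu; instead drop the exported public key into /etc/apt/keyrings/ and reference it with `Signed-By=` in the sources entry, which scopes the key to that repository rather than letting it authenticate every repository on the host.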
mslinn commented on July 2, 2024

It would be helpful to add more detail to README.md about the verify --sign command / option combination. Currently it just says:

Usage:
  deb-s3 verify

Options:
  -f, [--fix-manifests]                 # Whether to fix problems in manifests when verifying.
      [--sign=SIGN]                     # Sign the Release file. Use --sign with your key ID to use a specific key.

A brief mention about the requirement for a GPG Key would also be helpful, with a link to a brief and to-the-point external reference. Even better, also add a typical incantation to create and deploy a GPG key. For example, reading the link provided earlier (which is out of date because gpg has changed its behavior in the 4 years since the article was written) I extrapolated:

$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Clark Kent
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Clark Kent <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 188 more bytes)
# time goes by

I have no idea what the email address munging does. The reference does not properly explain this.

$ gpg --armor --export [email protected] \
  --output [email protected] > ~/.gnupg/superman.pem.gpg

Now the deb-s3 docs refer to a key ID. Where do I find that?

mslinn commented on July 2, 2024

Please don't close this issue. I would very much like to run deb-s3 verify --sign but I still don't know how!

krobertson commented on July 2, 2024

I am not going to extend the dialog to document how to use GPG, especially since Googling it is so easy and will yield vastly superior docs.

From the looks of your output, it seems your gpg --gen-key might have failed. Especially from the last paragraph. There are some good GPG cheat sheets out there to show some useful commands.

GPG key IDs are a string that is generated to identify your key. Believe it is a SHA1. If you do a gpg --list-keys, it will show the short version of the key ID. You'll likely see rsa2048/XYZ, where XYZ is the shortened version of the key ID.

mslinn commented on July 2, 2024

For posterity, this is what I did:

$ gpg --list-keys
/home/mslinn/.gnupg/pubring.gpg
-------------------------------
pub   2048R/AB12CD34 2015-12-19
uid                  Michael Slinn <[email protected]>
sub   2048R/9D4B4321 2015-12-19

$ deb-s3 verify --sign AB12CD34 --bucket mslinn-ppa
>> Retrieving existing manifests
>> Checking for missing packages in: stable/main amd64
>> Removing 0 package(s) from the manifest...
   -- Transferring dists/stable/main/binary-amd64/Packages
   -- Transferring dists/stable/main/binary-amd64/Packages.gz
   -- Transferring dists/stable/Release
/var/lib/gems/2.1.0/gems/deb-s3-0.7.1/lib/deb/s3/release.rb:106: warning: Insecure world writable dir /usr/local/bin in PATH, mode 040777
   -- Transferring dists/stable/Release.gpg
>> Update complete.
>> Checking for missing packages in: stable/main i386
>> Removing 0 package(s) from the manifest...
   -- Transferring dists/stable/main/binary-i386/Packages
   -- Transferring dists/stable/main/binary-i386/Packages.gz
   -- Transferring dists/stable/Release
   -- Transferring dists/stable/Release.gpg
>> Update complete.
