[Pbuilder-maint] Bug#317998: your blog entry on secure pbuilder.
Enrico Zini
enrico at debian.org
Thu Jan 11 09:25:19 CET 2007
On Sat, May 27, 2006 at 05:45:43AM +0900, Junichi Uekawa wrote:
> > One simple solution would be not to pass the force options to apt if
> > /etc/apt/trusted.gpg exists. But this should still need to be disabled
> > in case I'm using an extra local source of packages I've built myself.
> Yes, that's an issue I'm most worried about.
> I was thinking of having some kind of
> deb-noauth http://XXXX/
> kind of apt-lines, in addition to normal deb lines, to signify that I
> don't want authentication because it's a local repos.
Hello. Yesterday I investigated how to have a signed local repo and
it's actually quite simple:
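
#!/bin/sh
# Rebuild the index and signature for the repo in the current directory
rm -f Release Release.gpg
dpkg-scanpackages . /dev/null > Packages    # index the .deb files
apt-ftparchive release . > Release          # hashes of the index files
gpg -abs -o Release.gpg Release             # detached, ASCII-armored signature
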
So I suppose it could be doable to add a pbuilder configuration option
to tell apt to strictly enforce archive signatures, and then one can
simply sign the local archives and add his/her key to the apt
trusted.gpg:

# "-" makes apt-key read the exported key from stdin
gpg --export 797EBFAB -a | apt-key add -

Ciao,
Enrico
--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico at debian.org>
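
Added example, not part of the original message or of pbuilder: a signature on Release protects Packages only through the hashes that Release records, and this script checks that link for a local repo like the one built above. The function names and the sample package hello-local are assumptions made for illustration; the signature itself still has to be checked with gpg --verify Release.gpg Release.

```shell
#!/bin/sh
# Added example. Checks the Release -> Packages link that a signature on
# Release relies on. It does NOT check the signature: run
# `gpg --verify Release.gpg Release` first.

# Print "hash size name" for each entry in the SHA256: section of a Release file.
release_sha256_entries() {
    awk '/^SHA256:/ { in_sec = 1; next }
         /^[^ ]/    { in_sec = 0 }
         in_sec && NF == 3 { print $1, $2, $3 }' "$1"
}

# verify_release_hashes DIR: succeed only if at least one listed file exists
# and every listed file that exists matches its recorded size and SHA256.
verify_release_hashes() {
    dir=$1 checked=0 status=0
    entries=$(release_sha256_entries "$dir/Release") || return 2
    while read -r want_hash want_size name; do
        case $name in
            ''|Release|Release.gpg) continue ;;  # Release written in place can list itself
            /*|*..*) echo "unsafe path: $name" >&2; status=1; continue ;;
        esac
        [ -f "$dir/$name" ] || continue          # listed but not published here
        got_size=$(wc -c < "$dir/$name" | tr -d ' ')
        got_hash=$(sha256sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_hash" != "$want_hash" ]; then
            echo "MISMATCH: $name" >&2
            status=1
        fi
        checked=$((checked + 1))
    done <<EOF
$entries
EOF
    [ "$checked" -gt 0 ] || { echo "no listed file present" >&2; return 1; }
    return "$status"
}

# Constructed sample repo (stands in for dpkg-scanpackages/apt-ftparchive output).
make_sample_repo() {
    printf 'Package: hello-local\nVersion: 1.0\nFilename: ./hello-local_1.0_all.deb\n' > "$1/Packages"
    h=$(sha256sum < "$1/Packages" | cut -d' ' -f1)
    s=$(wc -c < "$1/Packages" | tr -d ' ')
    empty=$(printf '' | sha256sum | cut -d' ' -f1)
    printf 'Date: Thu, 11 Jan 2007 08:00:00 UTC\nSHA256:\n %s %s Packages\n %s 0 Release\n' \
        "$h" "$s" "$empty" > "$1/Release"
}
```

A Packages file edited after signing fails this check even though Release.gpg still verifies against Release, which is why both checks are needed.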