Secure Apt and the Emdebian Archive

Apt has supported GnuPG signatures on repository Release files for some time and Emdebian includes this support via the Emdebian Archive Signing Key.

$ gpg --fingerprint 0x97BB3B58
pub   1024D/97BB3B58 2007-04-30
      Key fingerprint = 3EC0 AFB9 4A84 5900 282E  7A55 B5B7 7200 97BB 3B58
uid                  Emdebian Archive Signing Key
sub   2048g/FEFD537E 2007-04-30

Stable releases are also signed by other relevant Debian keys, including 0x28BCB3E3, in order to make it simpler to use Debian Installer and other Debian tools.

$ gpg --fingerprint 0x28BCB3E3
pub   1024D/28BCB3E3 2002-01-27
      Key fingerprint = 4CD4 6644 C105 48ED CA28  EC36 8801 094A 28BC B3E3
uid                  Neil Williams (Debian)
uid                  Neil Williams (CodeHelp)
uid                  N Williams (CodeHelp)
uid                  Neil Williams (general)
uid                  Neil Williams (Linux User Group)
uid                  Neil Williams (Devon and Cornwall LUG)
sub   1024g/AD3CB326 2002-01-27

The Emdebian Archive Signing key is included in the emdebian-archive-keyring package and configured for you during package installation. (0x28BCB3E3 is to be added in version 1.5.1 of emdebian-archive-keyring. Other Debian keys are provided by the debian-archive-keyring package which is part of a standard Emdebian installation.)

$ sudo apt-get install emdebian-archive-keyring

Alternatively, you can configure the keys yourself using the instructions below.

$ gpg --recv-key 0x97BB3B58 0x28BCB3E3
$ gpg --fingerprint 0x97BB3B58 0x28BCB3E3

You can also download the Emdebian Archive Signing Key directly from this server.

Verify the fingerprint of your copy of the keys against the fingerprints above and then check the signatures on the key:

$ gpg --recv-key 0x28BCB3E3 0x174FEE35 0xA897FD02
$ gpg --check-sigs 0x97BB3B58

If all checks out, add 0x97BB3B58 and 0x28BCB3E3 to apt:

$ gpg -a --export 0x97BB3B58 0x28BCB3E3 > emdebian.key
$ sudo apt-key add emdebian.key
$ sudo apt-get update

The main advantage of importing the Emdebian key into apt-key is that packages from Emdebian can then be upgraded automatically without halting for confirmation due to otherwise unverifiable packages. The key authenticates the repository to apt and is used to ensure that the Release file in the repository is genuine.
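The fingerprint check from the steps above, written as a script so that the export for apt-key only runs when the full fingerprints match. This is an added example, not part of the original page or of Emdebian's tooling; the function names and both sample listings are constructed for illustration. It compares all 40 hex digits because the 8-digit key IDs used on the command line do not identify a key uniquely.

```shell
# Fingerprints exactly as printed on this page.
EMDEBIAN_FPR="3EC0 AFB9 4A84 5900 282E  7A55 B5B7 7200 97BB 3B58"
NEIL_FPR="4CD4 6644 C105 48ED CA28  EC36 8801 094A 28BC B3E3"

# Constructed sample in the record layout of `gpg --with-colons --fingerprint`,
# trimmed to the fields read below. The subkey ID and subkey fingerprint are
# zero-padded placeholders, not real values.
GOOD_LISTING='pub:-:1024:17:B5B7720097BB3B58:2007-04-30:::-:Emdebian Archive Signing Key:
fpr:::::::::3EC0AFB94A845900282E7A55B5B7720097BB3B58:
sub:-:2048:16:00000000FEFD537E:2007-04-30:
fpr:::::::::00000000000000000000000000000000FEFD537E:
pub:-:1024:17:8801094A28BCB3E3:2002-01-27:::-:Neil Williams (Debian):
fpr:::::::::4CD46644C10548EDCA28EC368801094A28BCB3E3:'

# Constructed look-alike: same short ID 97BB3B58, different full fingerprint.
LOOKALIKE_LISTING='pub:-:1024:17:89ABCDEF97BB3B58:2007-04-30:::-:Emdebian Archive Signing Key:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF97BB3B58:
pub:-:1024:17:8801094A28BCB3E3:2002-01-27:::-:Neil Williams (Debian):
fpr:::::::::4CD46644C10548EDCA28EC368801094A28BCB3E3:'

# Strip whitespace from a human-readable fingerprint and upper-case it.
normalise_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print the fingerprint of each primary key: the fpr record that follows a
# pub record. fpr records that follow a sub record belong to subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# check_keys LISTING FPR...: succeed only if the primary keys in LISTING are
# exactly the expected fingerprints (no missing key, no extra key).
check_keys() {
    listing=$1; shift
    found=$(printf '%s\n' "$listing" | primary_fprs | sort)
    expected=$(for f in "$@"; do normalise_fpr "$f"; echo; done | sort)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Real use (assumes both keys are already in your keyring):
#   check_keys "$(gpg --with-colons --fingerprint 0x97BB3B58 0x28BCB3E3)" \
#     "$EMDEBIAN_FPR" "$NEIL_FPR" && gpg -a --export 0x97BB3B58 0x28BCB3E3 > emdebian.key
check_keys "$GOOD_LISTING" "$EMDEBIAN_FPR" "$NEIL_FPR" && echo "good listing: match"
check_keys "$LOOKALIKE_LISTING" "$EMDEBIAN_FPR" "$NEIL_FPR" || echo "look-alike: rejected"
```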

Implementing and using Secure Apt in reprepro

The secret key for the GnuPG key specified with SignWith: needs to be in the secret keyring of each user performing repository updates.

To verify the release files of repositories using Secure Apt from the update rules of a reprepro repository, copy /etc/apt/trusted.gpg to ~/.gnupg/trustedkeys.gpg for all users who need to run updates. To add keys to the list available for gpgv use:

$ gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import keys.gpg

More information on Secure Apt.

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch)

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key

pub   1024D/BBE55AB3 2007-03-31 [expires: 2010-03-30]
uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)
sub   2048g/36CA98F3 2007-03-31 [expires: 2010-03-30]

pub   1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
uid                  Lenny Stable Release Key

pub   1024D/97BB3B58 2007-04-30
uid                  Emdebian Archive Signing Key
sub   2048g/FEFD537E 2007-04-30

pub   1024D/28BCB3E3 2002-01-27
uid                  Neil Williams (Debian)
uid                  N Williams (CodeHelp)
uid                  Neil Williams (general)
uid                  Neil Williams (CodeHelp)
uid                  Neil Williams (Linux User Group)
uid                  Neil Williams (Devon and Cornwall LUG)
sub   1024g/AD3CB326 2002-01-27

See the Emdebian contact page for information on contacting us.

Last Modified: Mon, Aug 23 06:58:05 UTC 2010
Copyright © 2000-2010 The Embedded Debian Project;
Emdebian is an official subproject of Debian.