6.42 Signing a Local Repository
A locally managed archive that is not signed can run into key issues.
Even though the AVAIL command will identify that the local archive has
preference when it comes to obtaining a package that is available from
multiple archives, an authorised archive will always be used in
preference. Two solutions are possible. One is to tell wajig not to
prefer authoritative archives by using:
$ wajig --noauth distupgrade
The other option is to sign your Release files. Using wajig’s MOVE
command requires some setting up to have the Release.gpg file created.
First, tell apt-move to create the file (and also to maintain both
compressed and uncompressed Packages files - a requirement of the
current apt version) in the configuration file:
PKGCOMP='none gzip'
SIGNINGKEY=Kayon.Toga@togaware.com
Then export the secret key for that identity to a file:
$ gpg --export-secret-keys --no-comment Kayon.Toga@togaware.com > ktskexp
Then add this to root’s keys:
# gpg --import ktskexp
# gpg --edit-key Kayon.Toga@togaware.com
Command> passwd
So now apt-move can sign the Release file unattended.
Further explanation is available from http://wiki.debian.org/SecureApt.
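Added example (not from the original book): a signed Release file lists the size and SHA256 digest of each Packages index, so a valid Release.gpg also vouches for Packages and Packages.gz. The script below checks both layers; the function names and the demo archive contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a local archive in two layers, signature then hashes.
# Function names and the demo archive contents are constructed for illustration.

# Build a tiny archive: Packages, Packages.gz and a Release that lists both
# (the "none gzip" pair that the section says apt requires).
make_demo_archive() {
    dir=$1
    mkdir -p "$dir"
    printf 'Package: demo\nVersion: 1.0\nArchitecture: all\n' > "$dir/Packages"
    gzip -9 -n -c "$dir/Packages" > "$dir/Packages.gz"
    {
        printf 'Origin: local\nSHA256:\n'
        for f in Packages Packages.gz; do
            printf ' %s %s %s\n' \
                "$(sha256sum "$dir/$f" | cut -d' ' -f1)" \
                "$(wc -c < "$dir/$f" | tr -d ' ')" "$f"
        done
    } > "$dir/Release"
}

# Compare every entry in the SHA256 section of Release with the file on disk.
# Returns 0 only if at least one file is listed and all sizes and digests match.
check_release_hashes() {
    dir=$1
    in_sha=0
    seen=0
    while IFS= read -r line; do
        case $line in
            SHA256:) in_sha=1; continue ;;
            ' '*) [ "$in_sha" -eq 1 ] || continue ;;
            *) in_sha=0; continue ;;
        esac
        set -- $line    # fields: digest size filename
        [ -f "$dir/$3" ] || { echo "missing: $3" >&2; return 1; }
        [ "$(wc -c < "$dir/$3" | tr -d ' ')" = "$2" ] ||
            { echo "size mismatch: $3" >&2; return 1; }
        [ "$(sha256sum "$dir/$3" | cut -d' ' -f1)" = "$1" ] ||
            { echo "digest mismatch: $3" >&2; return 1; }
        seen=$((seen + 1))
    done < "$dir/Release"
    [ "$seen" -gt 0 ]
}

# Full check for a signed archive: the detached signature on Release first,
# then the index files that Release lists.
verify_archive() {
    gpg --verify "$1/Release.gpg" "$1/Release" && check_release_hashes "$1"
}
```

verify_archive needs gpg and the public half of the signing key in the caller's keyring; pass it the directory that holds Release and Release.gpg.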
Copyright © 1995-2021 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0.