secure apt

Since secure apt is finally being rolled out in Debian unstable, I've set up all my apt repositories to be signed. Actually, they were since 2003, sorta, but it wasn't documented. If you use the uqm.debian.net repository, or if you use one of my personal kitenet.net apt repositories, there is a key.gpg file in each. This file contains the public key used to sign these apt repositories. So that there's a trust path of sorts to it, I've also included a signature of that file, made with my well-known gpg key, in the key.gpg.sig file.

That's a start. Maybe we will develop better or more standard / automated ways to distribute third-party archive keys as time goes on.

Note that I cannot just sign the archive key with my main gpg key, because this archive key does not meet the minimum standards I require to sign anyone's key. The private key is stored on a server, and has no passphrase. It can really only ensure that info in the apt repo is not altered before it gets to you; it does not protect against compromise of the server.

It would be possible to make the key more secure and better trusted, or even use my well trusted key, but that would involve much more inconvenience and work each time I update my repository. I settled on this as a compromise, and it's implemented with this in my .mini-dinstall.conf:

release_signscript = ~/bin/sign-release-file

And this sign-release-file script:

#!/bin/sh
# Called by mini-dinstall with the path to the Release file as $1; must
# leave a detached signature in Release.gpg next to it.
set -e

KEYID=joey+archive@kitenet.net

# Sign into a temporary file first, so a failed run never leaves a
# truncated Release.gpg behind for apt to find.
rm -f Release.gpg.tmp
# The archive key has no passphrase, so an empty line is fed on fd 0.
echo | /usr/bin/gpg -a --no-tty --passphrase-fd=0 --batch \
    --default-key "$KEYID"  --detach-sign -o Release.gpg.tmp "$1"
mv Release.gpg.tmp Release.gpg
exit 0
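The other half of this arrangement is what a user of the repository does with key.gpg, key.gpg.sig and the Release.gpg that the script above produces. The following is an added example, not part of the original post or of mini-dinstall: it walks the trust chain by hand, from the well-known key, to the archive key, to Release, to the Packages file whose hash Release lists. It assumes gpg and gpgv are installed, that the maintainer's well-known key is already in a keyring the caller passes in, and that a flat mini-dinstall tree is being checked; the function and file names (check_archive, archive-keyring.gpg) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: the verification chain a
# user of one of these repositories can run by hand before trusting it.
#   1. key.gpg.sig (made with the maintainer's well-known key) vouches for
#      key.gpg, the archive key;
#   2. Release.gpg (made by sign-release-file) vouches for Release;
#   3. the hash list in Release vouches for Packages.
# Assumptions: gpg and gpgv are installed; the maintainer's well-known key
# is already in a keyring the caller passes in; the file and function names
# below are this example's own, not mini-dinstall's.
set -e

# gpgv treats a keyring name without a slash as relative to its home
# directory, so always hand it a path that contains one.
_abs() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s\n' "./$1" ;;
    esac
}

# Step 1: does key.gpg ($1) carry a good detached signature ($2) made by a
# key in the maintainer keyring ($3)?  Exit status 0 only on a good signature.
verify_archive_key() {
    gpgv --keyring "$(_abs "$3")" "$2" "$1"
}

# Convert the ASCII-armoured archive key ($1) into the binary keyring form
# ($2) that gpgv (and apt) want.
dearmor_key() {
    gpg --dearmor < "$1" > "$2"
}

# Step 2: check Release.gpg ($2) against Release ($3) using *only* the
# archive keyring ($1); the well-known key is not needed from here on.
verify_release() {
    gpgv --keyring "$(_abs "$1")" "$2" "$3"
}

# SHA-256 of a file, using whichever tool the system has.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Pull the SHA256 entry for path $2 out of Release ($1).  Release is a series
# of "Name:" sections whose entries are indented " hash size path"; only the
# SHA256: section counts, and the first matching path wins.
release_sha256() {
    awk -v p="$2" '
        /^SHA256:/        { inside = 1; next }
        /^[^ ]/           { inside = 0 }
        inside && $3 == p { print $1; exit }
    ' "$1"
}

# Step 3: does file $3 match the hash Release ($1) lists for path $2?
# Returns 1 if the path is not listed at all, 2 if the hash differs.
verify_listed_file() {
    expected=$(release_sha256 "$1" "$2")
    [ -n "$expected" ] || { echo "$2 is not listed in $1" >&2; return 1; }
    actual=$(_sha256 "$3")
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $2" >&2; return 2; }
}

# Run the whole chain on an archive directory: $1 = directory holding
# key.gpg, key.gpg.sig, Release, Release.gpg and the Packages file,
# $2 = keyring with the maintainer's well-known key, $3 = Packages path
# as it appears in Release (just "Packages" for a flat mini-dinstall tree).
check_archive() {
    dir=$1
    verify_archive_key "$dir/key.gpg" "$dir/key.gpg.sig" "$2"
    dearmor_key "$dir/key.gpg" "$dir/archive-keyring.gpg"
    verify_release "$dir/archive-keyring.gpg" "$dir/Release.gpg" "$dir/Release"
    verify_listed_file "$dir/Release" "$3" "$dir/$3"
    echo "archive in $dir verified"
}

# Usage: sh verify-archive.sh DIR MAINTAINER_KEYRING PACKAGES_PATH
[ "$#" -eq 0 ] || check_archive "$@"
```

Any step failing stops the script with a non-zero status under set -e, which is the behaviour wanted when this runs in front of an apt-get update. Note that step 2 deliberately uses a keyring containing only the archive key, which mirrors the point made above: once key.gpg has been accepted, nothing in the repository is trusted on the strength of the well-known key, only on the strength of the passphrase-less archive key, so a compromise of the server is not detected by any of these checks.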

This too could stand to be easier to set up now that every Debian user and their dog will soon be needing to do it.