How to sign a remote repository, i.e. forward agent

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 30 19:06:58 CEST 2010


On 06/29/2010 03:40 PM, Carsten Aulbert wrote:
> My problem is relatively simple. We provide a (Debian) repository for our 
> colleagues as well as ourselves and would like to sign it 

 [ ... ]

> Anyone with an idea how to accomplish this?

I maintain several signed apt repositories.  I never forward an agent to
maintain them, and my secret key never leaves my trusted physical
console. My workflow is:

 * do reprepro work against my local copy of the repo (including signing
   the relevant indexes)
 * rsync -avz --delete dists pool owner@remote.test:/path/to/archive/

That is, I transfer already-signed files (the relevant ones, namely the
contents of dist/ and pool/) via rsync to the remote host that provides
public downloads.

Does this workflow work for you?  If not, why not?

	--dkg
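
A pre-publish check for the sign-locally-then-rsync workflow described above, as an added example that is not part of the original post: it confirms each suite under dists/ has a signature file and that the index files match the SHA256 entries in the signed Release. The function names and the sample tree are constructed for illustration; the script does not verify the signature itself, so run gpg --verify on Release.gpg as well.

```python
import hashlib, os, tempfile

def release_sha256(release_path):
    """Parse the 'SHA256:' section of a Release file -> {relative path: (digest, size)}."""
    entries, in_section = {}, False
    with open(release_path, encoding="utf-8") as fh:
        for line in fh:
            if not line.startswith(" "):      # a new top-level field begins
                in_section = line.strip() == "SHA256:"
            elif in_section:
                digest, size, name = line.split()
                entries[name] = (digest, int(size))
    return entries

def check_dist(dist_dir):
    """Return the problems that should block the rsync; an empty list means OK."""
    problems = []
    release = os.path.join(dist_dir, "Release")
    if not os.path.isfile(release):
        return ["missing Release"]
    if not any(os.path.isfile(os.path.join(dist_dir, n)) for n in ("Release.gpg", "InRelease")):
        problems.append("no Release.gpg or InRelease: index is unsigned")
    for name, (digest, size) in release_sha256(release).items():
        path = os.path.join(dist_dir, name)
        if not os.path.isfile(path):
            continue                          # Release may list variants not generated on disk
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name} does not match Release")
    return problems

def build_sample(root):
    """Constructed sample: one suite, one Packages index, a placeholder signature file."""
    dist = os.path.join(root, "dists", "stable")
    os.makedirs(os.path.join(dist, "main", "binary-amd64"))
    pkgs = b"Package: example\nVersion: 1.0\n"
    with open(os.path.join(dist, "main", "binary-amd64", "Packages"), "wb") as fh:
        fh.write(pkgs)
    with open(os.path.join(dist, "Release"), "w", encoding="utf-8") as fh:
        fh.write("Suite: stable\nSHA256:\n"
                 f" {hashlib.sha256(pkgs).hexdigest()} {len(pkgs)} main/binary-amd64/Packages\n")
    with open(os.path.join(dist, "Release.gpg"), "w") as fh:
        fh.write("placeholder, not a real signature\n")
    return dist

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_dist(build_sample(tmp)) or "ok to rsync")
```

Run check_dist on every directory under the local dists/ before the rsync and skip the transfer if any list is non-empty.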
