Use GnuPG in an automated environment?

Peter Michaux petermichaux at gmail.com
Tue Apr 8 06:45:20 CEST 2014


Hi,

I am creating a Debian APT repository of system packages. I need to
sign the repository's Release file, creating detached signature file
Release.gpg, so that packages can be installed on another Debian
system with `apt-get install` without the complaint "WARNING: The
following packages cannot be authenticated!". I can manually create
the Release.gpg file which requires typing my GnuPG key's passphrase.

I want to automate/script the creation of all the repository's
generated files so that a cron job can generate them when the
repository's package list changes. This means that creating the
Release.gpg file cannot require my GnuPG key's passphrase. I have
actually succeeded at creating the Release.gpg file without needing my
GnuPG key's passphrase following a combination of the instructions
from the following.

 * http://www.gnupg.org/faq/gnupg-faq.html#automated_use

 * http://www.slpicare.org/unix/automating_signing_with_GPG.html

The process is complex enough that I have little confidence that I'm
doing everything correctly and/or securely. I'm experimenting and
trying to understand all the related commands better. I noticed
something that seems incorrect or at least suspicious and worth asking
about.

I can list all of the keys that I've created.

    peter at alpha.com:~$ gpg --homedir ~/.gnupg.insec --list-keys
    /home/peter/.gnupg.insec/pubring.gpg
    ------------------------------------
    pub   2048D/13FC9B38 2014-04-07
    uid                  Peter Michaux (My Comment) <petermichaux at gmail.com>
    sub   2048g/A2D0ED65 2014-04-07
    sub   2048D/215D17CD 2014-04-07

The first two keys, 13FC9B38 and A2D0ED65, were the ones created when
I originally used `gpg --gen-key`. I followed the tutorials about
using GnuPG in an automated environment to create the third key,
215D17CD, with no password.

To understand things better, I want to ensure that I can properly
select/control the key I want to use during signing with the
`--default-key` option to the `gpg` command line tool. This is where
things look suspicious to me.

    peter at alpha.com:~/drepo$ gpg --homedir ~/.gnupg.insec \
                                 --verbose \
                                 --detach-sign \
                                 --default-key 13FC9B38 \
                                 --output dists/stable/Release.gpg \
                                 dists/stable/Release
    gpg: using subkey 215D17CD instead of primary key 13FC9B38
    gpg: writing to `dists/stable/Release.gpg'
    gpg: using subkey 215D17CD instead of primary key 13FC9B38
    gpg: DSA/SHA256 signature from: "215D17CD Peter Michaux (Black Iron Beast) <petermichaux at gmail.com>"

Why does gpg use the third key in the list when I've specifically
requested it use the first key in the list? (Yes, ultimately I want to
use the third key in the list but I want to know why gpg is defying my
wishes in the above command.)

Thanks.

Peter
