Will gpg 1.x remain supported for the foreseeable future?

Dan Kegel dank at kegel.com
Thu Jan 18 00:09:45 CET 2018


On Tue, Jan 16, 2018 at 8:31 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On Tue 2018-01-16 20:10:38 -0800, Dan Kegel wrote:
> > When I try to use gpg to manipulate secure apt repositories in the
> > real world, my head explodes.
>
> hi there!  what kind of manipulation are you doing of secure apt
> repositories with gpg?
>
> are you talking about signing the repo as an author? or about
> configuring for a client? or distributing public keys for the repo?  or
> about verifying signatures as a client?

Yes to all four questions.  Here's the user story.
- I maintain a secure apt repository at pkgs.foobar.com following best
practices in
https://wiki.debian.org/DebianRepository/UseThirdParty
- the key that signs my repository is trusted by debian developers
in the pgp web of trust
- To my users, I send via a trusted offline mechanism a copy of
a package foobar-archive.deb
- When they install that package, it installs the files
/usr/share/keyrings/foobar-archive.gpg,
and /etc/apt/sources.list.d/foobar-archive.list
- The latter file's entries say signed-by=/usr/share/keyrings/foobar-archive.gpg
- The package depends on debian-archive-keyring (to leverage
the web of trust as suggested in 'man secure-apt')
- My users are happy that simply installing one package
establishes trust and lets them apt-get from my repo
with no pesky errors from ubuntu 17.10 about
my server having an invalid or untrusted signature
- Updates to foobar-archive are delivered via secure apt.

So much magic.  It took me a while to figure that path out, and
I'm still not quite sure I've got it right, still working on getting
my regression tests to pass.  There doesn't seem to be a wealth
of accurate examples that are both kosher and up to date.

Most of my angst comes from having to come up two learning
curves simultaneously with tools that are used by fairly small
communities and thus have some rough edges still
(debian packaging and gpg commandline tools), and have lots
of stale stories out on the web about how to work around
problems that no longer exist.
I also have to support a range of versions of gpg, can't insist
on the latest.  Happily, in preparation for supporting Ubuntu 17.10,
I verified that I can drop support for versions of gpg and apt
older than the ones in Ubuntu 16.04.

While my foobar-archive.deb may seem superficially similar to
debian-archive-keyring.deb, the latter does things
in its postinstall step that establish trust at the system
level in a way that doesn't seem like a good example for
third party apt repositories to use as an example.

That package is not to be confused with the similarly
named debian-keyring package, which is completely
kosher and just installs key(ring)s into /usr/share/keyrings,
but does not of itself establish trust.
- Dan
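A client-side check for the artifacts described in the user story above, added here as an example and not code from the thread, from apt or from the foobar-archive package: it reads a sources.list.d file, confirms every deb/deb-src line carries a signed-by= option, and confirms each keyring path listed there exists and is a binary (not ASCII-armored) keyring. The path and repo names follow the story; the "binary keyring only" requirement applies to older apt releases and is an assumption to check against the apt version you support.

```shell
#!/bin/sh
# Hypothetical helper: sanity-check a sources.list.d entry that relies on
# signed-by= keyrings. Not part of apt or of any real package.

# Succeed if FILE exists, is non-empty and is not ASCII-armored.
# (Assumption: the apt versions in scope need a binary keyring here.)
keyring_is_binary() {
    [ -s "$1" ] || return 1
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$1" && return 1
    return 0
}

# Check every deb/deb-src line in FILE. Prints one diagnostic per problem
# and returns the number of problems found (0 means the file looks sane).
check_sources_file() {
    file=$1
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            deb\ *|deb-src\ *) ;;
            *) continue ;;            # comments, blanks, anything else
        esac
        # Pull the contents of the [ ... ] option block, if any.
        opts=$(printf '%s\n' "$line" | sed -n 's/^deb[^[]*\[\([^]]*\)\].*/\1/p')
        keys=
        for opt in $opts; do
            case $opt in
                signed-by=*) keys=${opt#signed-by=} ;;
            esac
        done
        if [ -z "$keys" ]; then
            echo "no signed-by= option: $line"
            problems=$((problems + 1))
            continue
        fi
        # signed-by= may list several comma-separated keyrings.
        for key in $(printf '%s\n' "$keys" | tr ',' ' '); do
            case $key in
                /*) keyring_is_binary "$key" || {
                        echo "keyring missing or not binary: $key"
                        problems=$((problems + 1)); } ;;
                *) ;;                 # fingerprints (newer apt) not checked
            esac
        done
    done < "$file"
    return $problems
}
```

Run it against /etc/apt/sources.list.d/foobar-archive.list on a machine where the keyring package is installed; a zero exit status means apt should find a usable keyring for every entry.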
