[buug] debian package signing

Ian Zimmerman itz at madbat.mine.nu
Sat Jul 28 14:51:07 PDT 2007


Hi, I have several personal debs that I keep on a server and include in
my apt sources (using a line like

deb ssh://foo.bar.com /var/local/debian/

in my sources.list file).  However, each time I update one of them and
proceed to install the update with aptitude, I get the big fat red
warning "untrusted versions of the packages will be installed".  This
happens despite the following facts:

1/ when I build the package, I use "dpkg-buildpackage -k0123ABCD"
to include a gpg signature

2/ I have added the key 0123ABCD to my apt trusted keys using
"apt-key add"

3/ this URL seems to indicate that the current dpkg supports per-package
signatures

http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign

(you have to scroll down to subsection 7.4.5 to see what I am talking about)

So, can I avoid this nuisance other than setting up a full mirror-like
archive with Release files and all?

-- 
This line is completely ham.


