debarchiver and signed archives

A while back, Debian added signature verification to apt. One generates a Release file that contains MD5 and SHA-1 checksums of all of the individual Packages files, which in turn contain checksums of all of the individual packages, and then one signs the Release file. Of course, now that this has been added, apt-get and friends produce warnings and ask for confirmation when installing packages out of unsigned archives.

I use debarchiver to handle indexing for my personal Debian archive, so I wanted to add support to it to take care of all of this for me other than entering my GnuPG passphrase. So I took some time this morning and wrote and tested a patch to implement that. (And then messed up submitting it to an existing bug and accidentally created a new bug that I had to merge. Oh well.)

The annoying part is getting apt-ftparchive to generate the Release file properly, since my patch to make Release generation easier still hasn't been accepted into apt itself. Wow, there are a lot of apt bugs in the BTS.
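The checksum chain described in the first paragraph (signed Release file, then Packages, then the individual package), as an added example that is not code from this post, debarchiver or apt. The function names, paths and archive contents are constructed for illustration, and the signature on the Release file is assumed to have been verified separately with GnuPG.

```python
import hashlib

def release_sums(release_text, field="SHA1"):
    """Parse one checksum section of a Release file into {path: (digest, size)}."""
    sums, inside = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            inside = line.strip() == field + ":"
        elif inside:                          # " <digest> <size> <path>"
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
    return sums

def packages_index(packages_text):
    """Parse a Packages file into {Filename: {field: value}}."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def matches(data, digest, size):
    """Check both length and SHA-1 so a short or padded file is rejected."""
    return len(data) == int(size) and hashlib.sha1(data).hexdigest() == digest

def verify_chain(release_text, pkgs_path, pkgs_bytes, deb_path, deb_bytes):
    """True only if Release vouches for Packages and Packages for the .deb.
    Assumes the signature on release_text was already verified with GnuPG."""
    entry = release_sums(release_text).get(pkgs_path)
    if entry is None or not matches(pkgs_bytes, *entry):
        return False
    stanza = packages_index(pkgs_bytes.decode()).get(deb_path)
    return stanza is not None and matches(
        deb_bytes, stanza.get("SHA1"), stanza.get("Size", -1))

# Constructed sample archive (not real packages).
DEB = b"constructed stand-in for hello_1.0_all.deb\n"
DEB_PATH = "pool/main/h/hello/hello_1.0_all.deb"
PKGS_PATH = "main/binary-all/Packages"
PKGS = ("Package: hello\nVersion: 1.0\nFilename: %s\nSize: %d\nSHA1: %s\n"
        % (DEB_PATH, len(DEB), hashlib.sha1(DEB).hexdigest())).encode()
RELEASE = ("Suite: unstable\nMD5Sum:\n %s %d %s\nSHA1:\n %s %d %s\n"
           % (hashlib.md5(PKGS).hexdigest(), len(PKGS), PKGS_PATH,
              hashlib.sha1(PKGS).hexdigest(), len(PKGS), PKGS_PATH))

if __name__ == "__main__":
    print(verify_chain(RELEASE, PKGS_PATH, PKGS, DEB_PATH, DEB))
```

Current archives also carry a SHA256 section in the same layout, so the same walk applies with that field.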

Posted: 2005-08-20 16:35

Last spun 2022-02-06 from thread modified 2013-01-04