summaryrefslogtreecommitdiff
path: root/website/archive-key.mdwn
blob: 6658469a5609407ca9008134fd24cdf15e45f7c0 (plain)

[[meta title="Monkeysphere archive signing key"]] [[toc ]]

Verifying the key

The Monkeysphere apt repository is signed by this key, so you can verify that the packages come from the right place and have not been tampered with.

This key is certified by several of the Monkeysphere developers, and should be able to be found from the public keyservers with:

$ gpg --recv-key EB8AF314
gpg: requesting key EB8AF314 from hkp server pool.sks-keyservers.net
gpg: key EB8AF314: public key "Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$

You should be able to verify the fingerprint like this:

$ gpg --list-key --fingerprint http://archive.monkeysphere.info/debian
pub   4096R/EB8AF314 2008-09-02 [expires: 2009-09-02]
      Key fingerprint = 2E8D D26C 53F1 197D DF40  3E61 18E6 67F1 EB8A F314
uid       [  full  ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)
$ 

And you can also verify the fingerprints with:

$ gpg --list-sigs http://archive.monkeysphere.info/debian

If you believe that the repository has been tampered with, please let us know!

If you have properly verified this key, you can add it to your apt keyring for proper cryptographic verification of the archive and its packages by doing the following:

 $ sudo gpg -a --export EB8AF314 | apt-key add -
 OK
 $ aptitude update
 ...

The key itself

Management of the key

The archive signing key is currently under the control of Daniel Kahn Gillmor, though the task of being the archive maintainer may be taken over by a different developer in the future.

In the event of a new archive maintainer, the entire archive will be rebuilt from signed tags in the monkeysphere git repository, rather than trying to re-verify the entire old archive.

Maintaining the archive

To create a new archive including a single monkeysphere package from tag $TAG on architecture $ARCH, do:

git clone git://git.monkeysphere.info/monkeysphere
cd monkeysphere
git tag -v "$TAG"
git checkout "$TAG"
debuild -uc -us
cd repo
reprepro -C monkeysphere include experimental "../$TAG_$ARCH.changes"

When you get a binary package built from a separate architecture $NEWARCH that you want to include with the archive, do:

cd repo
reprepro -C monkeysphere includedeb experimental "../$TAG_$NEWARCH.deb"

To publish the archive, make sure you have access to archivemaster@george.riseup.net, and then do:

cd repo
./publish