[[!meta title="Monkeysphere archive signing key"]]
[[toc ]]
Verifying the key
The Monkeysphere apt repository is signed by this key, so you can
verify that the packages come from the right place and have not been
tampered with.

This key is certified by several of the Monkeysphere developers, and
can be fetched from the public keyservers with:

    $ gpg --recv-key EB8AF314
    gpg: requesting key EB8AF314 from hkp server pool.sks-keyservers.net
    gpg: key EB8AF314: public key "Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
    $

You should be able to verify the fingerprint like this:

    $ gpg --list-key --fingerprint http://archive.monkeysphere.info/debian
    pub 4096R/EB8AF314 2008-09-02 [expires: 2009-09-02]
    Key fingerprint = 2E8D D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314
    uid [ full ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)
    $

You can also list the certifications on the key with:

    $ gpg --list-sigs http://archive.monkeysphere.info/debian

If you believe that the repository has been tampered with, please let
us know!
If you have properly verified this key, you can add it to your apt
keyring for proper cryptographic verification of the archive and its
packages by doing the following:

    $ gpg -a --export EB8AF314 | sudo apt-key add -
    OK
    $ aptitude update
    ...
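
Short key IDs such as EB8AF314 are not unique, so anything that automates the steps above should compare the full fingerprint rather than the ID. The following is an added example, not part of the Monkeysphere project's own tooling: it reads `gpg --with-colons --fingerprint` output and accepts the key only if exactly one primary key is listed and its fingerprint equals the one printed above. The function names and the sample listings are constructed for illustration.

```sh
#!/bin/sh
# Full fingerprint as published on this page.
EXPECTED_FPR='2E8D D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314'

# Print the fingerprint of every primary key in a
# `gpg --with-colons --fingerprint` listing read from stdin.
# Subkey fingerprints (fpr records after a sub record) are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# fpr_ok EXPECTED: succeed only if the listing on stdin holds exactly one
# primary key and its fingerprint equals EXPECTED (spaces and case ignored).
fpr_ok() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$found" = "$expected" ]
}

# Constructed sample listings (not real gpg output).
sample_good() {
    cat <<'EOF'
pub:f:4096:1:18E667F1EB8AF314:1220313600:1251849600::-:::scESC:
fpr:::::::::2E8DD26C53F1197DDF403E6118E667F1EB8AF314:
EOF
}
# Two keys sharing the short ID EB8AF314; the second fingerprint is made up.
sample_collision() {
    sample_good
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAEB8AF314:1220313600:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEB8AF314:
EOF
}

# Demonstration on the constructed samples. Against a real keyring, feed
# `gpg --with-colons --fingerprint EB8AF314` into fpr_ok instead.
for s in sample_good sample_collision; do
    if "$s" | fpr_ok "$EXPECTED_FPR"; then
        echo "$s: fingerprint matches, safe to export"
    else
        echo "$s: refusing, fingerprint check failed"
    fi
done
```
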
The key itself
Management of the key
The archive signing key is currently under the control of Daniel Kahn
Gillmor, though the task of being the archive maintainer may be taken
over by a different developer in the future.

In the event of a new archive maintainer, the entire archive will be
rebuilt from signed tags in the monkeysphere git repository, rather
than trying to re-verify the entire old archive.
Maintaining the archive
To create a new archive including a single monkeysphere package from
tag $TAG on architecture $ARCH, do:

    git clone git://git.monkeysphere.info/monkeysphere
    cd monkeysphere
    # verify the signature on the tag; stop here if it does not verify
    git tag -v "$TAG"
    git checkout "$TAG"
    debuild -uc -us
    cd repo
    # braces keep the shell from reading "$TAG_" as a variable named TAG_
    reprepro -C monkeysphere include experimental "../${TAG}_${ARCH}.changes"

When you get a binary package built from a separate architecture
$NEWARCH that you want to include with the archive, do:

    cd repo
    reprepro -C monkeysphere includedeb experimental "../${TAG}_${NEWARCH}.deb"

To publish the archive, make sure you have access to
archivemaster@george.riseup.net, and then do:

    cd repo
    ./publish