
I want to create an own repository for our application. I created a master key with signing subkey with pgp before and I sign the deb package with:

dpkg-sig --sign builder sample.deb

Then I create the repo with reprepro:

reprepro --ask-passphrase -b base includedeb all sample.deb

Reprepro creates the necessary signed files:

./conf:
distributions  options

./db:
checksums.db  contents.cache.db  packages.db  references.db  release.caches.db  version

./dists:
all

./dists/all:
InRelease  main  Release  Release.gpg

./dists/all/main:
binary-amd64  binary-i386

./dists/all/main/binary-amd64:
Packages  Packages.gz  Release

./dists/all/main/binary-i386:
Packages  Packages.gz  Release

./pool:
main

./pool/main:
s

./pool/main/s:
sample

./pool/main/s/sample:
sample_2.2.48.9015_all.deb

I install the public key on client machine but after installing package I receive this message:

WARNING: The following packages cannot be authenticated!
  sample
Install these packages without verification? [y/N]

Why?

crazyman

1 Answer


GPG signing is complicated. For APT repositories there are two layers of GPG signatures:

  1. Signatures on the packages themselves, with dpkg-sig or debsign.
  2. Signatures on the repository metadata.

You are seeing that message because APT does not see any signature on your repository metadata. You can make this happen by adding SignWith to your reprepro config. You can read more in a comprehensive blog post I wrote, here.

You can verify that SignWith has worked by looking for a file named Release.gpg or InRelease. If you find a file named InRelease, view the contents of the file and ensure that a GPG signature is found at the bottom. If so, reprepro has generated the signature properly. Keep in mind that repositories that are GPG signed are still vulnerable to a large number of man-in-the-middle attacks unless they are served over HTTPS.

I would also recommend checking that the public GPG key has been correctly imported on the client system by running apt-key list. If you don't see the key on the list, you should add it with apt-key add filename.

It is important to note that Ubuntu and Debian do not verify GPG signatures of packages -- it is disabled by default and terribly, terribly difficult to get working. I would advise avoiding GPG signing your packages.

Also note that you should distribute your repository over HTTPS, to avoid a plethora of security bugs (even with GPG signatures).
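The check the answer describes (does dists/<codename> actually carry a clearsigned InRelease or a Release with a detached Release.gpg?) as an added shell example; this is not code from the answer or from reprepro, and the repository path, codename, key id placeholder and keyring path are assumptions.

```shell
#!/bin/sh
# Added example: verify that a reprepro repository's metadata is signed.
# Writes a sample conf/distributions with SignWith (the setting the answer
# refers to); the key id is a placeholder you must replace with your own.
write_distributions_conf() {
    mkdir -p "$1/conf"
    cat > "$1/conf/distributions" <<'EOF'
Origin: Example
Label: Example
Codename: all
Architectures: i386 amd64
Components: main
Description: Example repository (constructed sample)
SignWith: REPLACE_WITH_YOUR_KEY_ID
EOF
}

# Returns 0 if dists/<codename> has signed metadata, 1 otherwise.
# $1 = repository base directory, $2 = codename (e.g. "all").
check_release_signature() {
    d="$1/dists/$2"
    if [ -f "$d/InRelease" ]; then
        # A clearsigned InRelease carries the signed-message header at the
        # top and a PGP SIGNATURE block at the bottom.
        if grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$d/InRelease" \
           && grep -q '^-----BEGIN PGP SIGNATURE-----' "$d/InRelease"; then
            echo "ok: $d/InRelease is clearsigned"
            return 0
        fi
        echo "InRelease present but contains no signature block" >&2
    fi
    if [ -f "$d/Release" ] && [ -f "$d/Release.gpg" ]; then
        echo "ok: $d/Release has detached signature Release.gpg"
        return 0
    fi
    echo "no repository signature in $d; check SignWith in conf/distributions" >&2
    return 1
}

# Optional: verify the signature cryptographically when gpg is installed.
# $3 = absolute path of a keyring holding only the repository's public key
# (assumed; build it with gpg --no-default-keyring --keyring FILE --import).
verify_with_gpg() {
    d="$1/dists/$2"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    if [ -f "$d/InRelease" ]; then
        gpg --no-default-keyring --keyring "$3" --verify "$d/InRelease"
    else
        gpg --no-default-keyring --keyring "$3" --verify "$d/Release.gpg" "$d/Release"
    fi
}
```

Run it from the reprepro base directory with `check_release_signature . all`; a non-zero exit means APT will keep printing the "cannot be authenticated" warning regardless of what you did with dpkg-sig.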

  • I have SignWith tag in the distributions file, but no success. You advised "avoiding GPG signing", and then? How to avoid warning messages? – crazyman Dec 15 '16 at 09:42
  • I updated my answer, you should re-read it. You are signing packages with dpkg-sig -- package signatures are never verified, so you can stop doing that. The SignWith is enough -- you need to check if reprepro has generated a signature and if it has, you should check on the client machine that the key was properly imported. – Joe Damato Dec 15 '16 at 19:45
  • Doubtful regarding HTTPS, because HTTPS as a security measure is overrated. How can packages be compromised in transport, without invalidating the GPG signature? IMHO the most vulnerable part is the information about the Signing-Key-ID and then getting that Key. And last but not least: trusting a remote repository at all is the most critical decision a user makes, because packages from repositories can run scripts with root permission. The fact a repository is served via HTTPS does in no way protect against such an attack. – Ichthyo Mar 19 '25 at 14:37