authorUwe Kleine-König <u.kleine-koenig@pengutronix.de>2020-02-17 14:40:36 +0100
committerUwe Kleine-König <u.kleine-koenig@pengutronix.de>2020-02-17 14:40:36 +0100
commit6ba9c7900468a3346b621b17f28c166b0a2c04bd (patch)
treea3c1e359ef48b239ca44a28cae055bd7f3e7fed8
parente54310ea2cecdcee37aeb0052468cc7368903990 (diff)
parenta0e9a78812283eeca832af2150a0d95ee37f5ebd (diff)
Merge branch 'ukl/docupdate' of git://git.pengutronix.de/debian/pengutronix-archive-keyring
-rw-r--r--README.md44
1 files changed, 32 insertions, 12 deletions
diff --git a/README.md b/README.md
index 6b0699f..27c4e1f 100644
--- a/README.md
+++ b/README.md
@@ -17,13 +17,6 @@
$ gpg --batch --generate-key "$tmpfile"
$ rm "$tmpfile"
-If you need to copy the new key to another machine, the following works fine today:
-
- $ gpg --pinentry-mode loopback --export-secret-keys $gpgid > /tmp/$gpgid
- $ scp /tmp/$gpgid $othermachine:/tmp
- $ ssh othermachine
- othermachine$ gpg-agent
- othermachine$ gpg --import < /tmp/$gpgid
### put new key in pengutronix-archive-keyring
@@ -48,7 +41,7 @@ Optionally drop old keys by just deleting them.
$ oldyear=$(($year - 2))
$ if test -f pengutronix-archive-keyring-$oldyear.gpg; then
- oldgpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($oldyear)" | awk -F: '$1 == "pub" { print $5 }')
+ oldgpgid=$(gpg --no-default-keyring --keyring ./pengutronix-archive-keyring-$oldyear.gpg --list-key --with-colons "Pengutronix Archive Signing Key ($oldyear)" | awk -F: '$1 == "pub" { print $5 }')
git rm pengutronix-archive-keyring-$oldyear.gpg
dch -v $pkgversion "drop old key $oldgpgid for $oldyear"
git add debian/changelog
@@ -70,12 +63,39 @@ which isn't supported by Wheezy's dpkg. Building in a Stretch chroot works fine.
$ git tag -s -m "pengutronix-archive-keyring $pkgversion" "$pkgversion"
$ git push origin "$pkgversion" HEAD
-### update repository
+### update repositories
+
+#### Copy key to archive user
+
+ $ year="$(date +%Y)"
+ $ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
+ $ gpg --pinentry-mode loopback --export-secret-keys -a $gpgid > /tmp/$gpgid
+ $ scp /tmp/$gpgid $archivehost:/tmp
+ $ ssh user@$archivehost
+ archivehost$ gpg-agent
+ archivehost$ gpg --import < /tmp/$gpgid
+
+#### Put package in the archive
+
+Put the package into unstable:
+
+ $ pkgversion="$(date +%Y.%m.%d)"
+ $ dcmd scp pengutronix-archive-keyring_${pkgversion}_$(dpkg-architecture -q DEB_HOST_ARCH).changes $archivehost:public/incoming
+
+and then copy it from unstable to all other distributions (on the archive host as the archive user with `cwd=~/public`):
- $ sed -i "s/^SignWith:.*/& $gpgid/" conf/distributions
- $ reprepro --export=never include sid /path/to/pengutronix-archive-keyring_${pkgversion}_amd64.changes
$ for dist in $(sed -n 's/^Suite: //p' conf/distributions | grep -v unstable); do reprepro --export=never copy $dist sid pengutronix-archive-keyring; done
- $ reprepro export
+
+#### Let reprepro use the new key
+
+Execute on the archive host as archive user:
+
+ $ year="$(date +%Y)"
+ $ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
+ $ for repo in *; do sed -i "s/^SignWith:.*/& $gpgid/" $repo/conf/distributions; reprepro -b "$repo" export; done
+
+#### Publish new key on debian.pengutronix.de
+
$ gpg --export $gpgid > /home/publish/sites/debian.pengutronix.de/DocumentRoot/debian/ptx-archive-key.gpg
$ touch /home/publish/sites/__sync__/debian.pengutronix.de