authorUwe Kleine-König <u.kleine-koenig@pengutronix.de>2020-02-12 13:00:57 +0100
committerUwe Kleine-König <u.kleine-koenig@pengutronix.de>2020-02-17 14:00:21 +0100
commita0e9a78812283eeca832af2150a0d95ee37f5ebd (patch)
tree6ada99770d64dac9a8534ec43630e3ef30187dd3
parent9cb823f4894479454a275b247511dd350e8ef1ca (diff)
downloadpengutronix-archive-keyring-a0e9a78812283eeca832af2150a0d95ee37f5ebd.tar.gz
pengutronix-archive-keyring-a0e9a78812283eeca832af2150a0d95ee37f5ebd.tar.xz
README: Update the description how to populate the new key
-rw-r--r--README.md42
1 files changed, 31 insertions, 11 deletions
diff --git a/README.md b/README.md
index 0845477..27c4e1f 100644
--- a/README.md
+++ b/README.md
@@ -17,13 +17,6 @@
$ gpg --batch --generate-key "$tmpfile"
$ rm "$tmpfile"
-If you need to copy the new key to another machine, the following works fine today:
-
- $ gpg --pinentry-mode loopback --export-secret-keys $gpgid > /tmp/$gpgid
- $ scp /tmp/$gpgid $othermachine:/tmp
- $ ssh othermachine
- othermachine$ gpg-agent
- othermachine$ gpg --import < /tmp/$gpgid
### put new key in pengutronix-archive-keyring
@@ -70,12 +63,39 @@ which isn't supported by Wheezy's dpkg. Building in a Stretch chroot works fine.
$ git tag -s -m "pengutronix-archive-keyring $pkgversion" "$pkgversion"
$ git push origin "$pkgversion" HEAD
-### update repository
+### update repositories
+
+#### Copy key to archive user
+
+ $ year="$(date +%Y)"
+ $ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
+ $ gpg --pinentry-mode loopback --export-secret-keys -a $gpgid > /tmp/$gpgid
+ $ scp /tmp/$gpgid $archivehost:/tmp
+ $ ssh user@$archivehost
+ archivehost$ gpg-agent
+ archivehost$ gpg --import < /tmp/$gpgid
+
+#### Put package in the archive
+
+Put the package into unstable:
+
+ $ pkgversion="$(date +%Y.%m.%d)"
+ $ dcmd scp pengutronix-archive-keyring_${pkgversion}_$(dpkg-architecture -q DEB_HOST_ARCH).changes $archivehost:public/incoming
+
+and then copy it from unstable to all other distributions (on the archive host as the archive user with `cwd=~/public`):
- $ sed -i "s/^SignWith:.*/& $gpgid/" conf/distributions
- $ reprepro --export=never include sid /path/to/pengutronix-archive-keyring_${pkgversion}_amd64.changes
$ for dist in $(sed -n 's/^Suite: //p' conf/distributions | grep -v unstable); do reprepro --export=never copy $dist sid pengutronix-archive-keyring; done
- $ reprepro export
+
+#### Let reprepro use the new key
+
+Execute on the archive host as archive user:
+
+ $ year="$(date +%Y)"
+ $ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
+ $ for repo in *; do sed -i "s/^SignWith:.*/& $gpgid/" $repo/conf/distributions; reprepro -b "$repo" export; done
+
+#### Publish new key on debian.pengutronix.de
+
$ gpg --export $gpgid > /home/publish/sites/debian.pengutronix.de/DocumentRoot/debian/ptx-archive-key.gpg
$ touch /home/publish/sites/__sync__/debian.pengutronix.de
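Review bot: The added "Copy key to archive user" commands leave the exported secret key in `/tmp/$gpgid` on both the local machine and the archive host, created under the default umask with a predictable name, and no step deletes it after `gpg --import`. Whether the exported key is still passphrase-protected depends on how it was generated, which this hunk does not show, so the file should be treated as sensitive either way. I would run `umask 077` before the export, stage the file in a private directory (for example one created with `mktemp -d`) rather than directly in `/tmp`, and add an explicit `rm` of the file on both hosts once the import has succeeded.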