## Adding a new key

### generate a new key

```
$ umask 077
$ tmpfile=$(mktemp)
$ cat > "$tmpfile" << EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Pengutronix Archive Signing Key
Name-Comment: $(date +%Y)
Name-Email: archive@pengutronix.de
Expire-Date: $(date +%Y%m%dT000000 -d "April 14 next year")
Passphrase: ''
EOF
$ gpg --batch --generate-key "$tmpfile"
$ rm "$tmpfile"
```

If you need to copy the new key to another machine, the following works fine today (`gpgid` is the id of the new key, see below for how to look it up):

```
$ gpg --pinentry-mode loopback --export-secret-keys $gpgid > /tmp/$gpgid
$ scp /tmp/$gpgid $othermachine:/tmp
$ ssh $othermachine
othermachine$ gpg-agent
othermachine$ gpg --import < /tmp/$gpgid
```

Note that the exported file contains the secret key without a passphrase; the `umask 077` above keeps it private, and it should be removed from `/tmp` on both machines once the import has succeeded.

### put new key in pengutronix-archive-keyring

First verify you're working with the right repository and that your base hasn't been tampered with, by verifying the last tag and reviewing all commits since the last tag. Then do the following using your own email and name:

```
$ DEBEMAIL=u.kleine-koenig@pengutronix.de
$ DEBFULLNAME="Uwe Kleine-König"
$ export DEBEMAIL DEBFULLNAME
$ year="$(date +%Y)"
$ pkgversion="$(date +%Y.%m.%d)"
$ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
$ gpg --export "$gpgid" > pengutronix-archive-keyring-$year.gpg
$ dch -v $pkgversion "add new key $gpgid for $year"
$ git add debian/changelog pengutronix-archive-keyring-$year.gpg
$ git commit -m "add new key $gpgid for $year"
```

Optionally drop old keys by just deleting them:
```
$ oldyear=$(($year - 2))
$ if test -f pengutronix-archive-keyring-$oldyear.gpg; then
    oldgpgid=$(gpg --no-default-keyring --keyring ./pengutronix-archive-keyring-$oldyear.gpg --list-key --with-colons "Pengutronix Archive Signing Key ($oldyear)" | awk -F: '$1 == "pub" { print $5 }')
    git rm pengutronix-archive-keyring-$oldyear.gpg
    dch -v $pkgversion "drop old key $oldgpgid for $oldyear"
    git add debian/changelog
    git commit -m "drop old key $oldgpgid for $oldyear"
  fi
```

### build package

```
$ dch --release --distribution unstable ""
$ git commit -m "finalize changelog for upload" debian/changelog
$ dpkg-buildpackage
```

Pitfall: In January 2018, when building the package on sid, the result was not installable on Wheezy and older because control.tar was compressed using xz, which isn't supported by Wheezy's dpkg. Building in a Stretch chroot works fine.

### finalize git stuff

```
$ git tag -s -m "pengutronix-archive-keyring $pkgversion" "$pkgversion"
$ git push origin "$pkgversion" HEAD
```

### update repository

```
$ sed -i "s/^SignWith:.*/& $gpgid/" conf/distributions
$ reprepro --export=never include sid /path/to/pengutronix-archive-keyring_${pkgversion}_amd64.changes
$ for dist in $(sed -n 's/^Suite: //p' conf/distributions | grep -v unstable); do reprepro --export=never copy $dist sid pengutronix-archive-keyring; done
$ reprepro export
$ gpg --export $gpgid > /home/publish/sites/debian.pengutronix.de/DocumentRoot/debian/ptx-archive-key.gpg
$ touch /home/publish/sites/__sync__/debian.pengutronix.de
```

### reminder for next key update

Add a reminder for the next key update into the todo calendar around January next year.