blob: 30435569cbfc88cd96b838f56b89c606ae0fd0e9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
## Adding a new key
### generate a new key
$ umask 077
$ tmpfile=$(mktemp)
$ cat > "$tmpfile" << EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Pengutronix Archive Signing Key
Name-Comment: $(date +%Y)
Name-Email: archive@pengutronix.de
Expire-Date: $(date +%Y%m%dT000000 -d "April 14 next year")
EOF
$ gpg --batch --passphrase '' --pinentry-mode loopback --generate-key "$tmpfile"
$ rm "$tmpfile"
TODO: Learn how the non-interactive use of reprepro can be teached to
work in the presence of a passphrase.
### put new key in pengutronix-archive-keyring
First verify you're working with the right repository and that your base hasn't
been tampered with by verifying the last tag and review all commits since the
last tag.
Then do the following using your own email and name:
$ DEBEMAIL=u.kleine-koenig@pengutronix.de
$ DEBFULLNAME="Uwe Kleine-König"
$ export DEBEMAIL DEBFULLNAME
$ year="$(date +%Y)"
$ pkgversion="$(date +%Y.%m.%d)"
$ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
$ gpg --export "$gpgid" > pengutronix-archive-keyring-$year.gpg
$ dch -v $pkgversion "add new key $gpgid for $year"
$ git add debian/changelog pengutronix-archive-keyring-$year.gpg
$ git commit -m "Add new key $gpgid for $year"
Optionally drop old keys by just deleting them.
$ oldyear=$(($year - 2))
$ if test -f pengutronix-archive-keyring-$oldyear.gpg; then
oldgpgid=$(gpg --no-default-keyring --keyring ./pengutronix-archive-keyring-$oldyear.gpg --list-key --with-colons "Pengutronix Archive Signing Key ($oldyear)" | awk -F: '$1 == "pub" { print $5 }')
git rm pengutronix-archive-keyring-$oldyear.gpg
dch -v $pkgversion "drop old key $oldgpgid for $oldyear"
git add debian/changelog
git commit -m "Drop old key $oldgpgid for $oldyear"
fi
### build package
$ dch --release --distribution unstable ""
$ git commit -m "Finalize changelog for upload of $pkgversion" debian/changelog
$ dpkg-buildpackage -F -us -uc
Instead of dpkg-buildpackage the package can be build in a clean chroot using:
$ sbuild -s -A
Pitfall: In January 2018 when building the package on sid the result was not
installable on Wheezy and older because control.tar was compressed using xz
which isn't supported by Wheezy's dpkg. Building in a Stretch chroot works fine.
### finalize git stuff
$ git tag -s -m "pengutronix-archive-keyring $pkgversion" "$pkgversion"
$ git push origin "$pkgversion" HEAD
### update repositories
#### Copy key to archive user
$ year="$(date +%Y)"
$ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
$ gpg --pinentry-mode loopback --export-secret-keys -a $gpgid > /tmp/$gpgid
$ scp /tmp/$gpgid $archivehost:/tmp
$ ssh user@$archivehost
archivehost$ gpg-agent
archivehost$ gpg --pinentry-mode loopback --import < /tmp/$gpgid
#### Put package in the archive
Put the package into unstable:
$ pkgversion="$(date +%Y.%m.%d)"
$ dcmd scp pengutronix-archive-keyring_${pkgversion}_$(dpkg-architecture -q DEB_HOST_ARCH).changes $archivehost:public/incoming
and then copy it from unstable to all other distributions (on the archive host as the archive user with `cwd=~/public`):
$ for dist in $(sed -n 's/^Suite: //p' conf/distributions | grep -v unstable); do reprepro --export=never copy $dist sid pengutronix-archive-keyring; done
#### Let reprepro use the new key
Execute on the archive host as archive user:
$ year="$(date +%Y)"
$ gpgid=$(gpg --list-key --with-colons "Pengutronix Archive Signing Key ($year)" | awk -F: '$1 == "pub" { print $5 }')
$ for conf in */conf/distributions; do repo=${conf%/conf/distributions}; sed -i "s/^SignWith:.*/& $gpgid/" $conf; reprepro -b "$repo" export; done
TODO: The old key must be removed after some time, otherwise reprepro fails to
sign when the key expires. An icinga test checking the validity of the keys
would be great.
#### Publish new key on debian.pengutronix.de
$ gpg --export $gpgid > /home/publish/sites/debian.pengutronix.de/DocumentRoot/ptx-archive-key.gpg
$ touch /home/publish/sites/__sync__/debian.pengutronix.de
### reminder for next keyupdate
Add a reminder for the next keyupdate into the todo calendar around January next year.
|