Opened 14 years ago
Closed 8 years ago
#108 closed enhancement (fixed)
Signature on Debian should be able to use a conf file passphrase
Reported by: | Bruno Cornec | Owned by: | Bruno Cornec |
---|---|---|---|
Priority: | major | Milestone: | 0.14.2 |
Component: | pb | Version: | 0.11.3 |
Keywords: | Cc: |
Description
Signature on Debian should be able to use a conf file passphrase as on RPM, using the same params, to avoid having passwd asked interactively during build if the user wants so.
Change History (10)
comment:1 by , 13 years ago
Milestone: | 0.11.4 → 0.11.5 |
---|
comment:2 by , 13 years ago
Milestone: | 0.11.5 |
---|
comment:3 by , 12 years ago
Milestone: | → 0.12.3 |
---|---|
Status: | new → assigned |
There is an issue to sign deb packages, as the signature infra should be on the delivery server, which is contrary to how pb behaves (the delivery server is not trusted). So for RPMs signature is done after packages are brought back from VM, locally signed (trusted) and pushed. That doesn't seem to be possible for deb packages.
Will need to find a workaround (maybe have a local deb infrastructure to sign debs before pushing all that is required). Would need the help of a savvy Debian developer.
comment:4 by , 10 years ago
Thanks to Marco Gaiarin I had that feedback:
Looking around lead me to:
https://wiki.debian.org/SecureApt#Setting_up_a_secure_apt_repository
so seems to me that, if you generate 'Release' files on the public ftp, the only way is to, by some way, copy back that file to your box, sign it, and copy to ftp 'Release.gpg'.
comment:5 by , 9 years ago
The solution for this is to use SSHFS between the build system and the delivery machine. That will solve the problem for good.
comment:6 by , 9 years ago
Milestone: | 0.13.2 → 0.13.3 |
---|
comment:7 by , 9 years ago
With rev [2109] the proposal evoked by Marco has been implemented. To be tested with a Debian system to check it works as expected. Will be in 0.14.1.
The SSHFS possibility is still interesting and will be looked at later.
comment:8 by , 8 years ago
0.14.1 doesn't solve it fully:
```
$ sudo apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:5 ftp://ftp.mondorescue.org//ubuntu 16.04 InRelease
Ign:5 ftp://ftp.mondorescue.org//ubuntu 16.04 InRelease
Get:6 ftp://ftp.mondorescue.org//ubuntu 16.04 Release [2,507 B]
Get:7 ftp://ftp.mondorescue.org//ubuntu 16.04 Release.gpg [196 B]
Ign:7 ftp://ftp.mondorescue.org//ubuntu 16.04 Release.gpg
Get:8 ftp://ftp.mondorescue.org//ubuntu 16.04/contrib Sources [3,557 B]
Get:9 ftp://ftp.mondorescue.org//ubuntu 16.04/contrib amd64 Packages [2,996 B]
Fetched 199 kB in 23s (8,553 B/s)
Reading package lists... Done
W: GPG error: ftp://ftp.mondorescue.org//ubuntu 16.04 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 141B9FF237DB9883
W: The repository 'ftp://ftp.mondorescue.org//ubuntu 16.04 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch ftp://ftp.mondorescue.org//ubuntu/dists/16.04/Release Unable to find expected entry 'contrib/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.
```
Context:
```
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
```
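An added example, not part of the ticket or of pb's code: a check that can be run on the trusted build machine against a Release file before it is signed into Release.gpg, reporting index entries such as the 'contrib/binary-i386/Packages' one that apt could not find in comment 8. The sample Release content and the function names are constructed for illustration, and treating every declared component/architecture pair as requiring a Packages entry is an assumption of this example.

```python
import hashlib

# Constructed sample, not the real ftp.mondorescue.org Release file.
PACKAGES_AMD64 = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
SAMPLE_RELEASE = (
    "Origin: example\n"
    "Suite: 16.04\n"
    "Architectures: amd64 i386\n"
    "Components: contrib\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_AMD64).hexdigest()} {len(PACKAGES_AMD64)}"
    " contrib/binary-amd64/Packages\n"
)

def parse_release(text):
    """Return (fields, {path: (sha256, size)}) from a Release file."""
    fields, sums, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):  # continuation line of a multi-line field
            if current == "SHA256":
                digest, size, path = line.split()
                sums[path] = (digest, int(size))
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields, sums

def missing_indexes(text):
    """Component/architecture pairs declared in Release but absent from SHA256."""
    fields, sums = parse_release(text)
    missing = []
    for comp in fields.get("Components", "").split():
        for arch in fields.get("Architectures", "").split():
            base = f"{comp}/binary-{arch}/Packages"
            # Accept the plain index or a compressed variant (.gz, .xz, ...).
            if not any(p == base or p.startswith(base + ".") for p in sums):
                missing.append(base)
    return missing

def index_matches(text, path, data):
    """True if data has the size and SHA256 that Release records for path."""
    _, sums = parse_release(text)
    return sums.get(path) == (hashlib.sha256(data).hexdigest(), len(data))

if __name__ == "__main__":
    print("missing:", missing_indexes(SAMPLE_RELEASE))
    print("amd64 index ok:", index_matches(
        SAMPLE_RELEASE, "contrib/binary-amd64/Packages", PACKAGES_AMD64))
```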
comment:9 by , 8 years ago
Seems to work fine with 0.14.2 beta. Still think SSHFS could be quicker, but will do that later. Closing for now.
comment:10 by , 8 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Milestone 0.11.5 deleted