Opened 8 years ago

Closed 3 years ago

#108 closed enhancement (fixed)

Signature on Debian should be able to use a conf file passphrase

Reported by: bruno
Owned by: bruno
Priority: major
Milestone: 0.14.2
Component: pb
Version: 0.11.3
Keywords:
Cc:


Signature on Debian should be able to use a conf file passphrase as on RPM, using the same params, to avoid having the password asked interactively during build if the user wants so

Change History (10)

comment:1 Changed 8 years ago by bruno

  • Milestone changed from 0.11.4 to 0.11.5

comment:2 Changed 8 years ago by bruno

  • Milestone 0.11.5 deleted


comment:3 Changed 7 years ago by bruno

  • Milestone set to 0.12.3
  • Status changed from new to assigned

There is an issue signing deb packages, as the signature infra should be on the delivery server, which is contrary to how pb behaves (the delivery server is not trusted). So for RPMs, the signature is done after packages are brought back from the VM, locally signed (trusted) and pushed. That doesn't seem to be possible for deb packages.

Will need to find a workaround (maybe have a local deb infrastructure to sign debs before pushing all that is required). Would need the help of a savvy Debian developer.

comment:4 Changed 5 years ago by bruno

Thanks to Marco Gaiarin I had that feedback:

Looking around led me to:

so it seems to me that, if you generate 'Release' files on the public ftp, the only way is to, by some way, copy back that file to your box, sign it, and copy to ftp 'Release.gpg'.

Last edited 4 years ago by bruno

comment:5 Changed 4 years ago by bruno

The solution for this is to use SSHFS between the build system and the delivery machine. That will solve the problem for good.

Last edited 3 years ago by bruno

comment:6 Changed 4 years ago by bruno

  • Milestone changed from 0.13.2 to 0.13.3

comment:7 Changed 3 years ago by bruno

With rev [2109] the proposal evoked by Marco has been implemented. To be tested with a Debian system to check it works as expected. Will be in 0.14.1.

The SSHFS possibility is still interesting and will be looked at later.

comment:8 Changed 3 years ago by bruno

0.14.1 doesn't solve it fully:

$ sudo apt-get update
Get:1 xenial-security InRelease [94.5 kB]
Hit:2 xenial InRelease
Get:3 xenial-updates InRelease [95.7 kB]
Hit:4 xenial-backports InRelease
Get:5 16.04 InRelease
Ign:5 16.04 InRelease
Get:6 16.04 Release [2,507 B]
Get:7 16.04 Release.gpg [196 B]
Ign:7 16.04 Release.gpg
Get:8 16.04/contrib Sources [3,557 B]
Get:9 16.04/contrib amd64 Packages [2,996 B]
Fetched 199 kB in 23s (8,553 B/s)
Reading package lists... Done
W: GPG error: 16.04 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 141B9FF237DB9883
W: The repository ' 16.04 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch  Unable to find expected entry 'contrib/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed
E: Some index files failed to download. They have been ignored, or old ones used instead.


$ cat /etc/os-release
VERSION="16.04.1 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.1 LTS"
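
Added example, not code from pb or this ticket: a Python check that parses a Release file's SHA256 section and reports the kind of missing 'contrib/binary-i386/Packages' entry seen in the apt-get output above, plus size or hash mismatches, before the file is signed and pushed. The sample Release data and the list of client architectures are constructed assumptions, and the Release.gpg signature is not checked here.

```python
import hashlib

def parse_release(text):
    """Return (fields, entries); entries maps path -> (sha256, size)."""
    fields, entries, section = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line of a multi-line field
            if section == "SHA256":
                digest, size, path = line.split()
                entries[path] = (digest, int(size))
            continue
        section, _, value = line.partition(":")
        fields[section] = value.strip()
    return fields, entries

def check_release(text, indexes, client_archs):
    """List what would make apt reject the indexes named in Release.

    indexes: path -> bytes of the index files actually published.
    client_archs: architectures the client requests (assumption: an amd64
    host with i386 enabled as a foreign architecture asks for both).
    """
    fields, entries = parse_release(text)
    problems = []
    for comp in fields.get("Components", "").split():
        for arch in client_archs:
            path = f"{comp}/binary-{arch}/Packages"
            if path not in entries:
                problems.append(f"missing entry: {path}")
    for path, (digest, size) in entries.items():
        data = indexes.get(path)
        if data is None:
            problems.append(f"listed but not published: {path}")
        elif len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"size/hash mismatch: {path}")
    return problems

# Constructed sample data, not taken from the ticket's repository.
PKG = b"Package: demo\nVersion: 1.0\nArchitecture: amd64\n"
RELEASE = (
    "Suite: 16.04\nArchitectures: amd64\nComponents: contrib\nSHA256:\n"
    f" {hashlib.sha256(PKG).hexdigest()} {len(PKG)} contrib/binary-amd64/Packages\n"
)

if __name__ == "__main__":
    published = {"contrib/binary-amd64/Packages": PKG}
    print(check_release(RELEASE, published, ["amd64", "i386"]))
```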

comment:9 Changed 3 years ago by bruno

Seems to work fine with 0.14.2 beta. Still think SSHFS could be quicker, but will do that later. Closing for now.

comment:10 Changed 3 years ago by bruno

  • Resolution set to fixed
  • Status changed from assigned to closed