我们将一些软件包作为 deb 托管在自己的存储库中。出于原型目的,我们一直在“未经身份验证”的情况下运行。现在我们正尝试更正确地执行操作并执行整个 GPG 操作。我尝试过以下内容,仅用于测试运行:
1)使用gpg-gen
~$ gpg --list-keys
/home/me/.gnupg/pubring.gpg
--------------------------------
pub 4096R/BBBBB39F 2017-03-09
uid Someone Somebody <[email protected]>
sub 4096R/129E9336 2017-03-09
(顺便问一下,SUB 在那里吗?)
2)aptly publish...这提示我输入所述密钥的密码,因此它必须在此时对该密钥执行某些操作。
3)使用以下方式导出密钥gpg —export —armor > somefile.pubkey
4)将一些 file.pubkey 复制到测试机器上
5)运行sudo apt-key add somefile.pubkey
sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-03-09 [SC]
E51B E216 4658 FB8B 6E42 8A09 F9BC EF4C BBBB B39F
uid [ unknown] Someone Somebody <[email protected]>
sub rsa4096 2017-03-09 [E]
…
…
…
那么,它似乎已经进入了那里。子项现在显示的方式有所不同?
6)最后sudo apt-get update:
~$ sudo apt-get update
Hit:1 http://ftp.us.debian.org/debian stretch InRelease
Hit:2 http://ftp.us.debian.org/debian stretch-updates InRelease
Hit:3 http://security.debian.org stretch/updates InRelease
Get:4 http://our.aptly.repo stretch InRelease [2317 B]
Ign:4 http://our.aptly.repo stretch InRelease
Fetched 2317 B in 9s (256 B/s)
Reading package lists... Done
W: GPG error: http://our.aptly.repo stretch InRelease: The following signatures were invalid: E51BE2164658FB8B6E428A09F9BCEF4CBBBBB39F
W: The repository 'http://our.aptly.repo stretch InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
我不明白这里发生了什么。违规行为似乎是某些东西没有签名?我错过了什么步骤?