On Sat, May 27, 2006 at 05:45:43AM +0900, Junichi Uekawa wrote:

> > One simple solution would be not to pass the force options to apt if
> > /etc/apt/trusted.gpg exists. But this should still need to be disabled
> > in case I'm using an extra local source of packages I've built myself.
>
> Yes, that's an issue I'm most worried about.
> I was thinking of having some kind of
>     deb-noauth http://XXXX/
> kind of apt-lines, in addition to normal deb lines, to signify that I
> don't want authentication because it's a local repos.

Hello. Yesterday I investigated how to have a signed local repo and
it's actually quite simple:

    #!/bin/sh
    # Remove the previous Release and its signature
    rm -f Release Release.gpg
    # Index the .deb files in the current directory (no override file)
    dpkg-scanpackages . /dev/null > Packages
    # Generate Release with checksums of the index files
    apt-ftparchive release . > Release
    # Detached, ASCII-armored signature of Release
    gpg -abs -o Release.gpg Release

So I suppose it could be doable to add a pbuilder configuration option
to tell apt to strictly enforce archive signatures, and then one can
simply sign the local archives and add his/her key to the apt
trusted.gpg:

    gpg --export 797EBFAB -a | apt-key add -

Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <[EMAIL PROTECTED]>
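
Added example, not part of the message above: with a signed local repo, apt's trust runs from Release.gpg over Release to the checksums Release lists for Packages. The sh function below checks that second link, which breaks when Packages is regenerated without re-running apt-ftparchive and re-signing. It assumes Release carries a SHA256 section; verify_release, make_sample_repo and the sample repo contents are constructed for this illustration.

```sh
#!/bin/sh
# Added example: confirm the SHA256 entries in a local repo's Release file
# still match the index files on disk. The signature over Release itself is
# checked separately with: gpg --verify Release.gpg Release

# verify_release DIR -> returns 0 if every SHA256 entry matches, 1 otherwise
verify_release() {
    dir=$1
    [ -f "$dir/Release" ] || { echo "no Release in $dir" >&2; return 1; }
    # Entries look like " <sha256> <size> <path>" under the "SHA256:" header;
    # any line starting in column 0 begins a new field and ends the section.
    entries=$(awk '
        /^SHA256:/ { insec = 1; next }
        /^[^ ]/    { insec = 0 }
        insec && NF == 3 { print $1, $2, $3 }
    ' "$dir/Release")
    [ -n "$entries" ] || { echo "Release has no SHA256 section" >&2; return 1; }
    rc=0
    while read -r want_hash want_size path; do
        f="$dir/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path" >&2; rc=1; continue
        fi
        got_size=$(wc -c < "$f" | tr -d ' ')
        got_hash=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_hash" != "$want_hash" ]; then
            echo "MISMATCH $path (Release is stale: regenerate and re-sign)" >&2
            rc=1
        else
            echo "ok       $path"
        fi
    done <<EOF
$entries
EOF
    return $rc
}

# Constructed sample repo (not real data): one Packages file, matching Release.
make_sample_repo() {
    d=$(mktemp -d)
    printf 'Package: demo\nVersion: 1.0\n' > "$d/Packages"
    printf 'SHA256:\n %s %s Packages\n' \
        "$(sha256sum "$d/Packages" | cut -d' ' -f1)" \
        "$(wc -c < "$d/Packages" | tr -d ' ')" > "$d/Release"
    echo "$d"
}

# Usage: script [REPO_DIR]; with no argument the constructed sample is checked.
verify_release "${1:-$(make_sample_repo)}"
```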