Re: Packages getting created without signature
Hello,

On Fri, 14 Dec 2007, iluvlinux wrote:
> Storing your passphrase in a file or ENV variable is never safe as told in documents and by mentors.

True enough. Yet ...

> then here's what I found: gpg's default home dir is ~/.gnupg (you can change it using the --homedir option; using this option will, up to some extent, provide at least some security as no one knows where your default directory is). Create a file gpg.conf in that folder and edit it to contain text as
>
>     passphrase your-passphrase

... here you are suggesting that you store the passphrase in a file!

A much better option is to use the gpg agent.

As far as signing packages is concerned, I would recommend that you never do this in the background. You need to verify the package *before* you sign it. Your signature on the package affirms that you have checked it as thoroughly as possible and are certifying this. So run lintian, piuparts and so on before you sign a package.

Regards,

Kapil.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Packages getting created without signature
Hi,

But the dpkg-buildpackage command asks for the passphrase just before building the package (at dh_builddeb). So how can I check it with lintian etc.? Do you want that first I should build a package, check it and then use gpg separately for signing the package?

Bye

Kapil Hari Paranjape wrote:
> Hello,
>
> On Fri, 14 Dec 2007, iluvlinux wrote:
> > Storing your passphrase in a file or ENV variable is never safe as told in documents and by mentors.
>
> True enough. Yet ...
>
> > then here's what I found: gpg's default home dir is ~/.gnupg (you can change it using the --homedir option; using this option will, up to some extent, provide at least some security as no one knows where your default directory is). Create a file gpg.conf in that folder and edit it to contain text as
> >
> >     passphrase your-passphrase
>
> ... here you are suggesting that you store the passphrase in a file!
>
> A much better option is to use the gpg agent.
>
> As far as signing packages is concerned, I would recommend that you never do this in the background. You need to verify the package *before* you sign it. Your signature on the package affirms that you have checked it as thoroughly as possible and are certifying this. So run lintian, piuparts and so on before you sign a package.
>
> Regards,
>
> Kapil.
Re: Packages getting created without signature
iluvlinux wrote:
> But the dpkg-buildpackage command asks for the passphrase just before building the package (at dh_builddeb). So how can I check it with lintian etc.?

You can sign it when dpkg-buildpackage asks you. Since you will have to be actually there to do that you can then run lintian to check the package as well.

> Do you want that first I should build a package, check it and then use gpg separately for signing the package?

You can do this as an alternative. Also note that unless you are building the package on a Debian box running sid/unstable then you *must also* build it again in a sid chroot using something like pbuilder. You can then use debsign to sign the package before you upload it.

--
Colin Tuckley      | +44(0)1903 236872 | PGP/GnuPG Key Id
Debian Developer   | +44(0)7799 143369 | 0x1B3045CE

Any sufficiently advanced technology is indistinguishable from magic. - Arthur C. Clarke
Re: Packages getting created without signature
Hello,

On Fri, 14 Dec 2007, iluvlinux wrote:
> But the dpkg-buildpackage command asks for the passphrase just before building the package (at dh_builddeb). So how can I check it with lintian etc.? Do you want that first I should build a package, check it and then use gpg separately for signing the package?

Use no key --- look at the -uc -us switches to dpkg-buildpackage.

Note that if you use pbuilder to build the package (which is recommended) then the package created is not signed since it is created within a chroot where your keyring is not present. Later you can sign the changes file using debsign.

This is how I do things. If you work on a multi-user system then you may want to be more careful.

Regards,

Kapil.
Re: Packages getting created without signature
Hi,

Thanks for all the replies. I've got it now, how to package with signatures, but one more piece of information I need is: I have to give the -k option to the dpkg-buildpackage command, i.e.

    $ dpkg-buildpackage -rfakeroot -kKEY -sgpg

and at the end it asks for the passphrase. So is there any way that I can automate this stuff, i.e. dpkg-buildpackage should not ask for the passphrase every time I build a new package; it should take it from a file or some ENV variable.

Bye

iluvlinux wrote:
> Hi Kumar,
>
> Thanks for that link. Do you know about any documentation which explains how to build packages using signature, that is to say, what steps do I need to take care of while building the same?
>
> Bye
>
> Kumar Appaiah wrote:
> > On Wed, Dec 12, 2007 at 04:44:03AM -0800, iluvlinux wrote:
> > > Hi,
> > >
> > > I don't have a GPG key, and I also don't know how to create one. I went through the maintainers' guide at http://www.debian.org/doc/maint-guide/index.en.html#contents
> >
> > You definitely need a GPG key, because, even to upload to Debian mentors, the processing of your upload requires your public key. So, please read a GPG howto, and get a key made! :-)
> >
> > Here's one: http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html
> >
> > HTH. Look forward to your contributions to Debian! :-)
> >
> > Kumar
> >
> > --
> > Kumar Appaiah,
> > 458, Jamuna Hostel,
> > Indian Institute of Technology Madras,
> > Chennai - 600 036
Re: Packages getting created without signature
On Thursday 13 December 2007, iluvlinux wrote:
> but one more piece of information I need is: I have to give the -k option to the dpkg-buildpackage command, i.e.
>
>     $ dpkg-buildpackage -rfakeroot -kKEY -sgpg

<nitpick>
the '-rfakeroot' is no longer necessary when using dpkg >= 1.14.7, as in that case dpkg will use fakeroot by default if present
</nitpick>

--
Cheers, cobaco (aka Bart Cornelis)
Re: Packages getting created without signature
iluvlinux wrote:
> [snip]
> i.e.
>
>     $ dpkg-buildpackage -rfakeroot -kKEY -sgpg
>
> [snip]

Complementing what Bart said: '-kKEY' and '-sgpg' are also not needed. The '-k' is mostly only needed for sponsoring uploads. After a quick read of the thread, it seems you intend on maintaining this package yourself. The '-sgpg' switch is also not necessary in this context. Read dpkg-buildpackage's manpage to understand why.

> So is there any way that I can automate this stuff, i.e. dpkg-buildpackage should not ask for the passphrase every time I build a new package; it should take it from a file or some ENV variable.

This would be VERY unsafe. You have to understand the basics of cryptography and - more importantly - the REASON for cryptography in Debian to see that you have to keep your GPG key very safe, and that includes not storing your passphrase in any easily accessible place. This definition of "easily" is very debated, but certainly a config file or an ENV variable don't pass any test. Most people agree that your passphrase shouldn't be stored at all, if possible, and instead you should just back up your key and your revocation certificate in safe, offline places, in case of emergency.

Do some research on the topic. Wikipedia is your friend (even if it's not always particularly right about everything). It might ease your life if you intend on becoming a Debian Maintainer or Developer.

Cheers and good luck with the package!

--
Leo costela Antunes
[insert a witty retort here]
Re: Packages getting created without signature
I think that the -k is used to specify which key to use. You can have multiple GPG keys.

I don't know the safe way to do what you're asking. But if you find out please let me know. :)

Thanks,

Michael

On 13/12/2007, cobaco (aka Bart Cornelis) [EMAIL PROTECTED] wrote:
> On Thursday 13 December 2007, iluvlinux wrote:
> > but one more piece of information I need is: I have to give the -k option to the dpkg-buildpackage command, i.e.
> >
> >     $ dpkg-buildpackage -rfakeroot -kKEY -sgpg
>
> <nitpick>
> the '-rfakeroot' is no longer necessary when using dpkg >= 1.14.7, as in that case dpkg will use fakeroot by default if present
> </nitpick>
>
> --
> Cheers, cobaco (aka Bart Cornelis)
Re: Packages getting created without signature
On Thu, Dec 13, 2007 at 11:56:52PM +1100, Michael Lamothe wrote:
> I think that the -k is used to specify which key to use. You can have multiple GPG keys.
>
> I don't know the safe way to do what you're asking. But if you find out please let me know. :)

Well, there's always gpg-agent, of course... isn't this pretty much what it was *written* for? :)

G'luck,
Peter

--
Peter Pentchev   [EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
PGP key:         http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint  FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
Re: Packages getting created without signature
Peter Pentchev wrote:
> Well, there's always gpg-agent, of course... isn't this pretty much what it was *written* for? :)

Yes, but gpg-agent is a short term temporary volatile cache! Which is very different from putting your passphrase in the ENVIRONMENT or a script.

--
Colin Tuckley      | +44(0)1903 236872 | PGP/GnuPG Key Id
Debian Developer   | +44(0)7799 143369 | 0x1B3045CE

Try to learn from other people's mistakes, you haven't time to make them all yourself! - Anon
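As an added example (not code from the thread or from any of its authors), here is the workflow Kapil describes, build unsigned with -us -uc, run lintian, then sign the .changes with debsign through gpg-agent, with a preflight check for the gpg.conf "passphrase" setting that Kapil, Leo and Colin warn against. It assumes dpkg-dev, lintian and devscripts are installed and that dpkg-parsechangelog supports -S (dpkg >= 1.17); the script name and the hunter2 sample passphrase are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dpkg-dev, lintian, devscripts
# (debsign) and a running gpg-agent; dpkg-parsechangelog -S needs dpkg >= 1.17.

# Refuse to proceed if gpg.conf stores the passphrase. gpg reads
# "passphrase", "passphrase-file" and "passphrase-fd" from gpg.conf exactly
# like the command-line options. Returns 0 when clean, 1 when one is present.
gpg_conf_is_clean() {
    conf="${1:-$HOME/.gnupg/gpg.conf}"
    [ -f "$conf" ] || return 0              # no config file at all is fine
    if grep -Eq '^[[:space:]]*passphrase(-file|-fd)?([[:space:]]|$)' "$conf"; then
        echo "WARNING: $conf stores a passphrase option; remove it, use gpg-agent" >&2
        return 1
    fi
    return 0
}

# Name of the .changes file dpkg-buildpackage writes: source_version_arch,
# with any epoch ("1:") stripped from the version. Pure so it can be checked.
changes_name() {
    src="$1"; ver="$2"; arch="$3"
    printf '%s_%s_%s.changes\n' "$src" "${ver#*:}" "$arch"
}

# Build unsigned (-us -uc), run lintian, and only then sign the .changes with
# debsign, which prompts for the passphrase via gpg-agent instead of a file.
build_check_sign() {
    pkgdir="$1"; keyid="$2"
    gpg_conf_is_clean || return 1
    (cd "$pkgdir" && dpkg-buildpackage -us -uc) || return 1
    src=$(cd "$pkgdir" && dpkg-parsechangelog -S Source)
    ver=$(cd "$pkgdir" && dpkg-parsechangelog -S Version)
    arch=$(dpkg-architecture -qDEB_HOST_ARCH)
    changes="$pkgdir/../$(changes_name "$src" "$ver" "$arch")"
    lintian "$changes" || { echo "lintian failed; not signing" >&2; return 1; }
    debsign -k"$keyid" "$changes"
}

# Usage: sh build-check-sign.sh <package-source-dir> <keyid>
if [ "$#" -ge 2 ]; then
    build_check_sign "$1" "$2"
fi
```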
Re: Packages getting created without signature
Hi,

I'm new to this list and new to packaging but I might be able to help. I'm not sure that I'm supposed to respond to you as a non-mentor but I'm sure that I'll find out the hard way very quickly.

Firstly, do you have a GPG key? i.e. Have you created one? And secondly, what command are you using to build?

Thanks,

Michael

On 12/12/2007, iluvlinux [EMAIL PROTECTED] wrote:
> Hi,
>
> I am a beginner in packaging. When I try to create a package, it builds but with no signatures. How can I rectify this?
>
> Kindly help.
>
> Bye
Packages getting created without signature
Hi,

I am a beginner in packaging. When I try to create a package, it builds but with no signatures. How can I rectify this?

Kindly help.

Bye
Re: Packages getting created without signature
Hi,

I don't have a GPG key, and I also don't know how to create one. I went through the maintainers' guide at http://www.debian.org/doc/maint-guide/index.en.html#contents

I am using dpkg-buildpackage -rfakeroot

Bye

Michael Lamothe wrote:
> Hi,
>
> I'm new to this list and new to packaging but I might be able to help. I'm not sure that I'm supposed to respond to you as a non-mentor but I'm sure that I'll find out the hard way very quickly.
>
> Firstly, do you have a GPG key? i.e. Have you created one? And secondly, what command are you using to build?
>
> Thanks,
>
> Michael
>
> On 12/12/2007, iluvlinux [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I am a beginner in packaging. When I try to create a package, it builds but with no signatures. How can I rectify this?
> >
> > Kindly help.
> >
> > Bye
Re: Packages getting created without signature
On Wed, Dec 12, 2007 at 04:44:03AM -0800, iluvlinux wrote:
> Hi,
>
> I don't have a GPG key, and I also don't know how to create one. I went through the maintainers' guide at http://www.debian.org/doc/maint-guide/index.en.html#contents

You definitely need a GPG key, because, even to upload to Debian mentors, the processing of your upload requires your public key. So, please read a GPG howto, and get a key made! :-)

Here's one: http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html

HTH. Look forward to your contributions to Debian! :-)

Kumar

--
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036
Re: Packages getting created without signature
Hi Kumar,

Thanks for that link. Do you know about any documentation which explains how to build packages using signature, that is to say, what steps do I need to take care of while building the same?

Bye

Kumar Appaiah wrote:
> On Wed, Dec 12, 2007 at 04:44:03AM -0800, iluvlinux wrote:
> > Hi,
> >
> > I don't have a GPG key, and I also don't know how to create one. I went through the maintainers' guide at http://www.debian.org/doc/maint-guide/index.en.html#contents
>
> You definitely need a GPG key, because, even to upload to Debian mentors, the processing of your upload requires your public key. So, please read a GPG howto, and get a key made! :-)
>
> Here's one: http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html
>
> HTH. Look forward to your contributions to Debian! :-)
>
> Kumar
>
> --
> Kumar Appaiah,
> 458, Jamuna Hostel,
> Indian Institute of Technology Madras,
> Chennai - 600 036