Setup GPG to sign Debian/Ubuntu packages
THIS PAGE IS OBSOLETE
Packages for Debian-based systems (including Ubuntu) must be digitally signed so that the identity of the packager, and with it the integrity of the package, can be verified. Launchpad in particular must be able to determine who signed a source package before it accepts the upload; an upload it cannot attribute to a known key is rejected and no debs are built.
The source of this page, the GnuPrivacyGuardHowto page on the Ubuntu wiki, documents GnuPG (and related programs) in detail. For the purposes of packaging for Debian-based systems, however, a packager only needs to set up a few things. Follow the instructions on this page to get up and running with signing DEB packages:
Note: These instructions were tested on Ubuntu 12.04 and Debian 6.0.5. With GnuPG 2.1 and later, gpg --gen-key no longer asks the key type, size and expiry questions shown below but uses defaults; run gpg --full-generate-key instead to get the full dialogue.
Installing GnuPG
The program we will be using, gpg from the gnupg package, is installed by default on Debian and Ubuntu systems. If you have removed or purged it, reinstall it by running the following command in a terminal:
sudo apt-get -y install gnupg
Creating GnuPG key
Step #1: Note down the gnupg version on your system using:
gpg --version | head -1
Version information is needed in Step #3 below.
Step #2: Open a terminal and run:
gpg --gen-key
Step #3: If you are using gnupg version 1.4.10 or newer, this will lead to a selection screen with the following options:
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
Select the option: (1) RSA and RSA (default)
If you are using an older version (before 1.4.10), the selection screen has the following options:
    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only)
Select the option: (5) RSA (sign only)
Step #4: Next you'll see the following selection screen:
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
The default of 2048 bits is the minimum you should accept. For a long-lived package signing key, type 4096 and press ENTER instead: Debian's keyring maintainers do not accept new RSA keys shorter than 4096 bits, and the extra generation and signing time is negligible. Pressing ENTER alone keeps the 2048-bit default.
Step #5: Now you'll see following selection screen:
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
The default, 0, creates a key that never expires. A better choice for a signing key is an expiry of a year or two (for example 2y): if you ever lose the secret key or its passphrase, an expiring key stops being accepted on its own, whereas a non-expiring key remains valid on the keyservers forever unless you are still able to revoke it. The expiry can be extended at any time with gpg --edit-key while you control the key, so it does not lock you in. Type your choice and press ENTER.
It then asks you to confirm; with the default 0 the prompt is:
    Key does not expire at all
    Is this correct? (y/N)
With an expiry it shows the computed expiry date instead and asks the same question. Type y and press ENTER.
Step #6: Now it'll prompt you to input your real name, email and a comment (so that you can identify this key in future):
    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name:
    Email address:
    Comment:
Enter the appropriate information. If the key is meant for Launchpad, use an e-mail address that is registered with your Launchpad account, since Launchpad matches the key's user ID against your account's addresses. It then asks you to confirm or edit your input:
    You selected this USER-ID:
        "Test User (Testing) <test.user@example.com>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Type O and press ENTER to continue.
Step #7: Now you'll see this screen:
You need a Passphrase to protect your secret key.
Enter a passphrase (twice) and do not forget it. There is no recovery mechanism: without the passphrase the secret key is unusable, so you could neither sign packages with it nor revoke it.
Step #8: Now, you'll see:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
As it says, perform some random action on your system (type on the keyboard, move the mouse, utilize the disks) so that it can generate random bytes. You may see messages like following at regular intervals:
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need X more bytes)
Don't worry: the program proceeds to the next step automatically once it has collected enough random bytes.
Step #9: Eventually you'll see following screen (and 'gpg' will exit):
    gpg: key D8FC66D2 marked as ultimately trusted
    public and secret key created and signed.

    pub   1024D/D8FC66D2 2005-09-08
          Key fingerprint = 95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2
    uid                  Test User (Testing) <test.user@example.com>
    sub   2048g/389AA63E 2005-09-08
The key ID here is D8FC66D2 (yours will be different). This sample output comes from an older DSA/Elgamal key (1024D and 2048g); an RSA key generated as described above is listed as 2048R or 4096R instead. Note that this 8-hex-digit "short" key ID is only the last 32 bits of the fingerprint, and keys with a colliding short ID can be generated cheaply, so whenever you identify the key to other people or tools use the full fingerprint, or at least the 16-digit long key ID printed by gpg --list-keys --keyid-format long.
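The steps above can also be run unattended, which is the form you want for documented, repeatable key generation. The script below is an added example, not part of the original page or of GnuPG itself: it assumes GnuPG 2.x and uses the parameter-file format documented in GnuPG's doc/DETAILS ("Unattended GPG key generation") to create a 4096-bit RSA signing key with a two-year expiry, extracts the fingerprint from gpg's machine-readable --with-colons output, derives the long and short key IDs from it, and does a sign/verify round trip in a throwaway GNUPGHOME. The user name, e-mail address and the sample --with-colons output are placeholders constructed for the example (the fingerprint is the one shown on this page).

```shell
#!/bin/sh
# Added example (not from the original page): unattended generation of a
# 4096-bit RSA package signing key with an expiry, plus key ID derivation.
# Assumes GnuPG 2.x. Name and e-mail are placeholders.

# Write the parameter file for gpg --batch --gen-key.
# $1 = real name, $2 = e-mail address, $3 = output path.
# %no-protection is only acceptable for a throwaway demo key: for a real key
# delete that line and gpg asks for a passphrase through pinentry instead.
write_key_params() {
    cat > "$3" <<EOF
%echo Generating package signing key
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
%no-protection
%commit
%echo done
EOF
}

# Print the primary key fingerprint from 'gpg --with-colons --list-keys'
# output read on stdin: the fpr record carries the fingerprint in field 10.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# For a v4 key the 16-hex-digit long key ID is the low 64 bits of the
# 40-digit fingerprint (its last 16 characters) and the 8-digit short ID is
# the last 8. Spaces, as printed by 'gpg --fingerprint', are stripped first.
long_keyid() {
    printf '%s' "$1" | tr -d ' ' | cut -c25-40
}
short_keyid() {
    printf '%s' "$1" | tr -d ' ' | cut -c33-40
}

# Constructed sample of 'gpg --with-colons --list-keys' output (placeholder
# data) so that the parser can be exercised without a keyring.
SAMPLE_COLONS='pub:u:4096:1:0F6E4CA6D8FC66D2:1126137600:1189209600::u:::scESC::::::23::0:
fpr:::::::::95BD83772644DD4F28B52C370F6E4CA6D8FC66D2:
uid:u::::1126137600::0123456789ABCDEF0123456789ABCDEF01234567::Test User <test.user@example.com>::::::::::0:'

# End-to-end run in a throwaway GNUPGHOME: generate, list, sign, verify.
run_demo() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    export GNUPGHOME="$home"
    write_key_params "Test User" "test.user@example.com" "$home/params"
    gpg --batch --gen-key "$home/params" 2>/dev/null || return 1

    fp=$(gpg --batch --with-colons --list-keys | fingerprint_from_colons)
    echo "fingerprint:                         $fp"
    echo "long key ID (use this for GPGKEY):   $(long_keyid "$fp")"
    echo "short key ID (collidable, avoid it): $(short_keyid "$fp")"

    # Detached ASCII-armoured signature, the form debsign puts on .dsc and
    # .changes files, then verification against the original.
    echo "hello" > "$home/sample.txt"
    gpg --batch --yes --local-user "$fp" --armor --detach-sign "$home/sample.txt"
    gpg --batch --verify "$home/sample.txt.asc" "$home/sample.txt" 2>/dev/null \
        && echo "signature verified" || return 1

    # GnuPG 2.1+ also drops a revocation certificate into
    # $GNUPGHOME/openpgp-revocs.d/ at generation time; store it offline
    # before publishing the key.
    echo "publish with: gpg --keyserver keyserver.ubuntu.com --send-keys $(long_keyid "$fp")"
}

if [ "${1:-}" = demo ]; then
    run_demo
fi
```

Run it as sh keygen.sh demo to see the whole flow; without the argument only the functions are defined, so the script can be sourced and the helpers reused (for instance to print the long key ID to put in GPGKEY from a real fingerprint).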
Optional settings
Optionally, to keep the key ID at hand for tools that take a key ID on the command line (for example debuild -k$GPGKEY), append this line to your ~/.bashrc file, using the long key ID rather than the short one:
export GPGKEY=<PUT_KEY_ID_HERE>
Then restart gpg-agent and re-read your ~/.bashrc:
    killall -q gpg-agent
    eval $(gpg-agent --daemon)
    source ~/.bashrc
With GnuPG 2.1 and later, gpg starts the agent on demand, so the first two commands are unnecessary. To make gpg itself (and therefore debsign) default to this key without any -k option, you can instead put default-key <PUT_KEY_ID_HERE> in ~/.gnupg/gpg.conf.
Uploading the key to the Ubuntu keyserver
Now upload the public key to a keyserver so that anyone, including Launchpad, can fetch it. Launchpad imports keys from keyserver.ubuntu.com, so upload there; keyservers that synchronize with each other will pick the key up from there over time. Before publishing, generate a revocation certificate with gpg --output revoke.asc --gen-revoke <PUT_KEY_ID_HERE> and store it offline: a published key can never be deleted from the keyservers, only marked as revoked, and the certificate is the only way to do that if you lose the secret key.
Using GnuPG
To upload the key to the Ubuntu keyserver, run:
gpg --keyserver keyserver.ubuntu.com --send-keys <PUT_KEY_ID_HERE>
To confirm that it arrived (it may take a few minutes to appear), fetch it back with:
gpg --keyserver keyserver.ubuntu.com --recv-keys <PUT_KEY_ID_HERE>
Using a web browser
TBD
Key validation on Launchpad
TBD
Signing the Ubuntu Code of Conduct
TBD
Useful resources
TBD