Setup GPG to sign Debian/Ubuntu packages

From OpenCog


Packages for Debian-based systems (including Ubuntu) need to be digitally signed so that the identity of the packager, and thus the integrity of the package, can be verified. In fact, Launchpad will only accept a source package upload if it can determine who signed it; otherwise it rejects the upload and does not build any debs.

The source of this page, the GnuPrivacyGuardHowto page on the Ubuntu wiki, has detailed documentation about GnuPG (and related programs). For the purposes of packaging for Debian-based systems, however, a packager only needs to set up a few things. Follow the instructions on this page to get up and running with signing DEB packages.

Note: This has been tested on Ubuntu 12.04 and Debian 6.0.5.

Installing GnuPG

The program we will be using, 'gpg' from the 'gnupg' package, is installed by default on Debian and Ubuntu systems. In case you have removed or purged it from your system, you can reinstall it by running the following command in a terminal:

sudo apt-get -y install gnupg

Creating GnuPG key

Step #1: Note down the gnupg version on your system using:

gpg --version | head -1

Version information is needed in Step #3 below.

Step #2: Open a terminal and run:

gpg --gen-key

Step #3: If you are using gnupg version 1.4.10 or newer, this will lead to a selection screen with the following options:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

Select the option: (1) RSA and RSA (default)

If you are using an older version (before 1.4.10), the selection screen will have the following options:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)

Select the option: (5) RSA (sign only)

Step #4: Next you'll see the following selection screen:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

The default keysize of 2048 is a good choice. Simply press RETURN/ENTER key.

Step #5: Now you'll see following selection screen:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 

Again, the default option 0 (which means that the key never expires) is a good choice. Simply press the RETURN/ENTER key.

It'll prompt you to confirm that:

Key does not expire at all
Is this correct? (y/N) 

Input y and then press ENTER/RETURN.

Step #6: Now it'll prompt you to input your real name, email and a comment (so that you can identify this key in future):

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name:
Email address:

Simply input the appropriate information. It'll prompt you to confirm/edit your inputs:

You selected this USER-ID:
    "Test User (Testing) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

Input O and press ENTER/RETURN key to continue.

Step #7: Now you'll see this screen:

You need a Passphrase to protect your secret key.

Input a passphrase (twice!) and don't forget it! If you forget this passphrase, this key will become useless.

Step #8: Now, you'll see:

We need to generate a lot of random bytes. It is a good idea to 
perform some other action (type on the keyboard, move the mouse, 
utilize the disks) during the prime generation; this gives the
random number generator a better chance to gain enough entropy.

As it says, perform some random activity on your system (type on the keyboard, move the mouse, use the disks) so that enough random bytes can be gathered. You may see messages like the following at regular intervals:

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need X more bytes)

Don't worry, the program will automatically proceed to the next step once it has collected sufficient random bytes.

Step #9: Eventually you'll see the following screen (and 'gpg' will exit):

gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Test User(Testing) <>
sub   2048g/389AA63E 2005-09-08

The key-id is D8FC66D2 (your key will be different).

Optional settings

Optionally, to set this key as the default GPG key to be used by the applications that use GPG, append this line to ~/.bashrc file:


Then restart the gpg-agent and source your ~/.bashrc using:

killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

Uploading the key to the Ubuntu keyserver

Now you should upload the public key to a keyserver so that anyone can download it. Once you have uploaded it to one keyserver, it will automatically propagate to the other keyservers. Eventually most of the keyservers will have a copy of your key.

Using GnuPG

To upload the key to Ubuntu keyserver, run:

gpg --keyserver keyserver.ubuntu.com --send-keys <PUT_KEY_ID_HERE>
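The following POSIX shell script is an added example, not code from this page or from the Ubuntu wiki it draws on. It ties together the key-creation steps above and the upload step: it writes the batch parameter file that gpg --batch --gen-key reads in place of the interactive prompts of Steps 3 to 7 (RSA and RSA, 2048 bits, no expiry), parses the machine-readable key listing to recover the fingerprint, derives the short key-id that Step 9 prints from that fingerprint, and prints the keyserver upload command. The name, comment, email and passphrase are constructed sample values; SAMPLE_COLONS is a constructed --with-colons listing built around the fingerprint shown in Step 9; keyserver.ubuntu.com is assumed to be the Ubuntu keyserver named in the section heading. Real key generation only happens when the script is run with the argument "generate", and then only inside a throwaway GNUPGHOME, so your own keyring is never touched.

```shell
#!/bin/sh
# Added example (not from the OpenCog wiki page): unattended GnuPG key creation
# mirroring the interactive choices above, plus key-id extraction and the
# keyserver upload command.  Sample identities and the listing below are constructed.
set -eu

# Batch parameter file for `gpg --batch --gen-key`; each field corresponds to one
# of the interactive prompts in Steps 3 to 7 (RSA and RSA, 2048 bits, no expiry).
make_batch_params() {
    name="$1" comment="$2" email="$3" passphrase="$4"
    cat <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: 0
Passphrase: $passphrase
%commit
EOF
}

# The 8-hex-digit key-id printed in Step 9 is simply the last 32 bits of the
# fingerprint; accept the fingerprint with or without the spaces gpg prints.
short_keyid_from_fpr() {
    printf '%s' "$1" | tr -d ' ' | tail -c 8
    printf '\n'
}

# Read `gpg --list-keys --with-colons --with-fingerprint` output on stdin and
# print the fingerprint of each primary key (the "fpr" record right after "pub").
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             $1 == "sub" { want = 0 }'
}

# Constructed listing: fingerprint and key-ids taken from the Step 9 output above,
# the remaining fields are placeholders in the --with-colons layout.
SAMPLE_COLONS='pub:u:2048:1:0F6E4CA6D8FC66D2:1126137600:::u:::scESC:
fpr:::::::::95BD83772644DD4F28B52C370F6E4CA6D8FC66D2:
uid:u::::1126137600::0000000000000000000000000000000000000000::Test User (Testing) <test@example.com>:
sub:u:2048:1:0123456789389AA63E:1126137600::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF389AA63E:'

# Create a key in a throwaway GNUPGHOME and print its fingerprint.
# Requires gpg in PATH; never touches ~/.gnupg.
generate_demo_key() {
    home=$(mktemp -d)
    chmod 700 "$home"
    make_batch_params "Test User" "Testing" "test@example.com" "$1" \
        | gpg --homedir "$home" --batch --gen-key
    gpg --homedir "$home" --list-keys --with-colons --with-fingerprint \
        | primary_fingerprints
}

# The upload step from "Using GnuPG"; printed rather than run so this stays offline.
send_key_command() {
    printf 'gpg --keyserver keyserver.ubuntu.com --send-keys %s\n' "$1"
}

# Offline walk-through on the constructed listing.
demo_offline() {
    fpr=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints)
    keyid=$(short_keyid_from_fpr "$fpr")
    printf 'fingerprint: %s\nkey-id: %s\n' "$fpr" "$keyid"
    send_key_command "$keyid"
}

# Usage: sh gpg-key-demo.sh            -> offline parsing demo only
#        sh gpg-key-demo.sh generate   -> also create a real throwaway key (needs gpg)
if [ "${1:-}" = generate ]; then
    fpr=$(generate_demo_key "constructed demo passphrase")
    printf 'generated key-id: %s\n' "$(short_keyid_from_fpr "$fpr")"
else
    demo_offline
fi
```

Passing the passphrase through the parameter file is what makes the run unattended; on GnuPG 2.1 or newer, if the agent still opens a pinentry dialog, add --pinentry-mode loopback to the --gen-key invocation. Parsing --with-colons output rather than the human-readable listing is what keeps the key-id extraction stable across gpg versions.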

Using a web browser


Key validation on Launchpad


Signing the Ubuntu Code of Conduct


Useful resources