We host some of our own software packages as debs in a repository of our own. For prototyping purposes, we’ve been running “unauthenticated”. Now we're trying to do things more correctly and do the whole GPG thing. What I’ve tried, just for a test run, is the following:
1) Make a key with gpg-gen
~$ gpg --list-keys
/home/me/.gnupg/pubring.gpg
--------------------------------
pub 4096R/BBBBB39F 2017-03-09
uid Someone Somebody <someone@somewhere.com>
sub 4096R/129E9336 2017-03-09
(what btw, is the SUB thing there?)
2) aptly publish
... This prompts me for my passphrase for said key, so it must be doing something with the key at that point.
3) export the key using gpg --export --armor > somefile.pubkey
4) copy somefile.pubkey over to a test machine
5) run sudo apt-key add somefile.pubkey
sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-03-09 [SC]
E51B E216 4658 FB8B 6E42 8A09 F9BC EF4C BBBB B39F
uid [ unknown] Someone Somebody <someone@somewhere.com>
sub rsa4096 2017-03-09 [E]
…
So, it seems to have gotten in there. The sub thing shows up differently now?
6) And finally, sudo apt-get update:
~$ sudo apt-get update
Hit:1 http://ftp.us.debian.org/debian stretch InRelease
Hit:2 http://ftp.us.debian.org/debian stretch-updates InRelease
Hit:3 http://security.debian.org stretch/updates InRelease
Get:4 http://our.aptly.repo stretch InRelease [2317 B]
Ign:4 http://our.aptly.repo stretch InRelease
Fetched 2317 B in 9s (256 B/s)
Reading package lists... Done
W: GPG error: http://our.aptly.repo stretch InRelease: The following signatures were invalid: E51BE2164658FB8B6E428A09F9BCEF4CBBBBB39F
W: The repository 'http://our.aptly.repo stretch InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I don’t understand what’s happening here. The offense seems to be that something is not signed? What step did I miss?