ProGet: Feed Signing Key
-
Hi all,
I want to test ProGet as an APT Proxy, for example for
http://security.ubuntu.com/ubuntu/
The packages downloaded from the ProGet APT Proxy and the original Ubuntu Repositories have the identical md5sum.
ProGet creates for the feed a special signing key, which I can download with curl at Update archive Usage Instructions.
I use the feed only for caching. I do not want to upload my own Debian packages.
In this special case the packages and the (In)Release files should be mirrored and signed with the original Ubuntu Key.
Then I can verify the packages with the original Ubuntu key, which is already installed.
Thank you
Stefan
-
Hi @stno_9153 ,
(In)Release files are signed using a private/public key scheme, so unless you were somehow able to get a copy of Ubuntu's private signing keys and upload it to ProGet... it is not possible to sign those files using the original Ubuntu Key.
Cheers,
Alana
-
Hi Alana,
Various tools, for example debmirror, sync and use the original (In)Release files from the Debian mirror and do not sign the (In)Release files.
Therefore the packages from my old Debian Repository Server with debmirror can be validated by the Public Ubuntu Signing Key.
Thanks Stefan
-
Hi @stno_9153 ,
Thanks for clarifying; that's not possible with ProGet. A Debian feed is not designed to be a "read-only mirror", but instead a repository where you can add/filter/update packages. So, that's why ProGet must generate/sign the (In)Release files.
I'm afraid we have no plans to support a read-only mirror use case in the foreseeable future.
Cheers,
Alana
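
Added example, not part of the thread and not ProGet's or debmirror's code: a Release file lists the SHA256 and size of each Packages index, so the upstream signature only vouches for an index that is byte-for-byte unchanged, which is the difference between a mirror and a feed that can add or filter packages. The sample index, paths and helper names are constructed, and the OpenPGP signature check itself is not performed here.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def index_matches_release(release_text, path, index_bytes):
    """True if index_bytes is exactly the file the Release text vouches for."""
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return False
    digest, size = entry
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest

def build_release(indexes):
    """Constructed stand-in for the unsigned Release a repository generates."""
    lines = ["Origin: Example", "Suite: stable", "SHA256:"]
    for path, data in indexes.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"

# Constructed sample data, not real Ubuntu metadata.
INDEX_PATH = "main/binary-amd64/Packages"
UPSTREAM_INDEX = (
    b"Package: alpha\nVersion: 1.0\nFilename: pool/main/a/alpha_1.0_amd64.deb\n\n"
    b"Package: beta\nVersion: 2.0\nFilename: pool/main/b/beta_2.0_amd64.deb\n\n"
)
# A feed that filters or adds packages serves a different index.
FILTERED_INDEX = UPSTREAM_INDEX.split(b"\n\n")[0] + b"\n\n"
UPSTREAM_RELEASE = build_release({INDEX_PATH: UPSTREAM_INDEX})  # what upstream's key signed
FEED_RELEASE = build_release({INDEX_PATH: FILTERED_INDEX})      # new text, needs a new signature

if __name__ == "__main__":
    # Byte-for-byte mirror: upstream's signed Release still describes the index.
    print("mirror  :", index_matches_release(UPSTREAM_RELEASE, INDEX_PATH, UPSTREAM_INDEX))
    # Modified feed: the upstream Release no longer matches what is served.
    print("filtered:", index_matches_release(UPSTREAM_RELEASE, INDEX_PATH, FILTERED_INDEX))
    # The regenerated Release matches, but only a key the server holds can sign it.
    print("re-made :", index_matches_release(FEED_RELEASE, INDEX_PATH, FILTERED_INDEX))
```
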
-
Hi Alana,
Thank you for your reply.