ActiveDebianSync provides comprehensive GPG (GNU Privacy Guard) signing capabilities to ensure the integrity and authenticity of your Debian repository. This document explains why GPG signing is critical and how to use it effectively.
When a client runs apt update and apt install, it downloads packages from a repository over the network.
Without cryptographic verification, several attacks become possible:
Add the following to your config.json:

```json
{
  "gpg_signing_enabled": true,
  "gpg_private_key_path": "/etc/ActiveDebianSync/gpg/private.key",
  "gpg_public_key_path": "/etc/ActiveDebianSync/gpg/public.key",
  "gpg_key_name": "My Organization Repository",
  "gpg_key_email": "repo@example.com",
  "gpg_key_comment": "Package signing key"
}
```
| Option | Type | Default | Description |
|---|---|---|---|
| gpg_signing_enabled | bool | false | Enable/disable GPG signing |
| gpg_private_key_path | string | /etc/ActiveDebianSync/gpg/private.key | Path to store private key |
| gpg_public_key_path | string | /etc/ActiveDebianSync/gpg/public.key | Path to store public key |
| gpg_key_name | string | ActiveDebianSync Repository | Name for generated keys |
| gpg_key_email | string | repo@activedebiansync.local | Email for generated keys |
| gpg_key_comment | string | Automatic repository signing key | Comment for generated keys |
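A pre-flight check for the options above, added here as an example and not part of ActiveDebianSync itself: it reads config.json, applies the documented defaults, and flags a private key that is readable by group or others or a public key that is not ASCII-armored (the armor check is an assumption based on the .asc the export endpoint serves). The helper `make_demo_setup` builds constructed placeholder files so the check can be tried without a real key.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Defaults for the options checked here, taken from the option table above.
DEFAULTS = {
    "gpg_signing_enabled": False,
    "gpg_private_key_path": "/etc/ActiveDebianSync/gpg/private.key",
    "gpg_public_key_path": "/etc/ActiveDebianSync/gpg/public.key",
}
# Assumption: the stored public key is ASCII-armored, like the .asc served by /api/gpg/export.
PUBLIC_KEY_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"


def check_signing_setup(config_path):
    """Return a list of findings for config.json; an empty list means nothing was flagged."""
    with open(config_path, encoding="utf-8") as fh:
        cfg = {**DEFAULTS, **json.load(fh)}
    findings = []
    if not cfg["gpg_signing_enabled"]:
        return ["gpg_signing_enabled is false: Release files will not be signed"]
    priv, pub = Path(cfg["gpg_private_key_path"]), Path(cfg["gpg_public_key_path"])
    if not priv.is_file():
        findings.append(f"private key not found at {priv} (generated on first start)")
    else:
        mode = stat.S_IMODE(priv.stat().st_mode)
        # The signing key must not be readable by group or others.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"private key {priv} is readable by group/others (mode {mode:04o})")
    if not pub.is_file():
        findings.append(f"public key not found at {pub} (generated on first start)")
    elif not pub.read_text(encoding="utf-8", errors="replace").startswith(PUBLIC_KEY_HEADER):
        findings.append(f"public key {pub} is not an ASCII-armored PGP public key")
    return findings


def make_demo_setup(enabled=True, private_mode=0o600):
    """Write a constructed config.json plus placeholder key files (demo data, not real keys)."""
    root = Path(tempfile.mkdtemp(prefix="ads-gpg-"))
    priv, pub = root / "private.key", root / "public.key"
    priv.write_text("placeholder private key material, not a real key\n")
    os.chmod(priv, private_mode)  # simulate the permissions the operator left on the key
    pub.write_text(PUBLIC_KEY_HEADER + "\n\nplaceholder\n-----END PGP PUBLIC KEY BLOCK-----\n")
    config = root / "config.json"
    config.write_text(json.dumps({"gpg_signing_enabled": enabled,
                                  "gpg_private_key_path": str(priv),
                                  "gpg_public_key_path": str(pub)}))
    return str(config)
```

Run `check_signing_setup("/etc/ActiveDebianSync/config.json")` against a real installation; each returned string is one problem to fix before trusting the repository's signatures.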
When gpg_signing_enabled is true and ActiveDebianSync starts:
This means you can enable GPG signing with zero manual setup:

```json
{
  "gpg_signing_enabled": true
}
```
On first startup, you'll see:

```
INFO: GPG keys not found, generating new key pair...
INFO: Generating GPG key pair for ActiveDebianSync Repository <repo@activedebiansync.local>
INFO: Private key saved to: /etc/ActiveDebianSync/gpg/private.key
INFO: Public key saved to: /etc/ActiveDebianSync/gpg/public.key
INFO: GPG Key fingerprint: 1234ABCD5678EF90...
INFO: GPG signing enabled (new key pair generated automatically)
```
Key Specifications
Auto-generated keys use secure defaults:
| Property | Value |
|---|---|
| Algorithm | RSA |
| Key Size | 4096 bits |
| Hash | SHA-256 |
| Cipher | AES-256 |
| Compression | ZLIB |
ActiveDebianSync provides CLI commands for GPG management:

```bash
activedebiansync gpg init                            # generate a new key pair
activedebiansync gpg export-key /path/to/output.asc  # export the public key to a file
activedebiansync gpg export-key -                    # export the public key (- writes to standard output)
activedebiansync gpg sign                            # sign all Release files
activedebiansync gpg info                            # show information about the current key
```
Example: Manual Key Generation

```
activedebiansync gpg init
Generating GPG key pair...
Name: My Company Repository
Email: packages@mycompany.com
Comment: Official package signing key
Generating 4096-bit RSA key...
Private key saved to: /etc/ActiveDebianSync/gpg/private.key
Public key saved to: /etc/ActiveDebianSync/gpg/public.key
Key fingerprint: A1B2C3D4E5F6789012345678ABCDEF1234567890
GPG key pair generated successfully!
```
GPG Status
Get the current GPG signing status:

```bash
curl http://127.0.0.1:9090/api/gpg/status
```

Response:

```json
{
  "enabled": true,
  "status": "ready",
  "key_exists": true,
  "key_loaded": true,
  "private_key_path": "/etc/ActiveDebianSync/gpg/private.key",
  "public_key_path": "/etc/ActiveDebianSync/gpg/public.key",
  "key_info": {
    "name": "ActiveDebianSync Repository",
    "email": "repo@activedebiansync.local",
    "comment": "Automatic repository signing key",
    "fingerprint": "A1B2C3D4E5F6789012345678ABCDEF1234567890",
    "keyid": "ABCDEF1234567890",
    "created": "2024-01-15T10:30:00Z",
    "algorithm": "RSA",
    "bits": "4096"
  }
}
```
GPG Key Information
Get detailed key information:

```bash
curl http://127.0.0.1:9090/api/gpg/info
```
Generate New Key
Generate a new GPG key pair via API:

```bash
# Generate with the name, email and comment from config.json
curl -X POST http://127.0.0.1:9090/api/gpg/generate

# Generate with explicit key details
curl -X POST http://127.0.0.1:9090/api/gpg/generate \
  -H "Content-Type: application/json" \
  -d '{"name": "My Repository", "email": "admin@example.com", "comment": "Package signing key"}'

# Replace an existing key pair
curl -X POST http://127.0.0.1:9090/api/gpg/generate \
  -H "Content-Type: application/json" \
  -d '{"force": true}'
```

Response:

```json
{
  "status": "success",
  "message": "GPG key pair generated successfully",
  "key_info": {
    "name": "My Repository",
    "email": "admin@example.com",
    "fingerprint": "...",
    "created": "2024-01-15T10:30:00Z"
  }
}
```
Sign Release Files
Trigger signing of all Release files:

```bash
curl -X POST http://127.0.0.1:9090/api/gpg/sign
```

Response:

```json
{
  "status": "success",
  "message": "All Release files signed successfully"
}
```
Export Public Key
Export the public key for distribution:

```bash
curl http://127.0.0.1:9090/api/gpg/export > repo-key.asc

# JSON format
curl "http://127.0.0.1:9090/api/gpg/export?format=json"
```
Get ready-to-use instructions for APT clients:

```bash
curl http://127.0.0.1:9090/api/gpg/instructions

# JSON format
curl "http://127.0.0.1:9090/api/gpg/instructions?format=json"

# Use a specific server URL in the generated instructions
curl "http://127.0.0.1:9090/api/gpg/instructions?server_url=https://packages.example.com"
```

Public endpoint for clients to download the key:

```bash
curl http://your-server:9090/api/gpg-key > activedebiansync.asc
```
The easiest way to configure clients is to use the generated instructions:

```bash
curl http://your-server:9090/api/gpg/instructions
```

This outputs ready-to-run commands:

```bash
curl -fsSL http://your-server:9090/api/gpg-key | \
  sudo gpg --dearmor -o /usr/share/keyrings/activedebiansync.gpg
echo "deb [signed-by=/usr/share/keyrings/activedebiansync.gpg] http://your-server:8080/debian bookworm main" | \
  sudo tee /etc/apt/sources.list.d/activedebiansync.list
sudo apt update
```
After configuration, verify GPG is working:

```bash
# Check for signature verification: the InRelease line shows the signed index was fetched,
# and any GPG error (for example a NO_PUBKEY message) shows up alongside it
apt update 2>&1 | grep -iE 'gpg|InRelease'
# If successful, you should see:
# Get:1 http://your-server:8080/debian bookworm InRelease [X.X kB]
```
The older method using apt-key is deprecated but still works:

```bash
# NOT RECOMMENDED - use signed-by instead
curl -fsSL http://your-server:9090/api/gpg-key | sudo apt-key add -
```