mirror of
https://github.com/aptly-dev/aptly.git
synced 2026-05-06 22:18:28 +00:00
d616977904
Both the external GPG signer (--faked-system-time) and internal Go
OpenPGP signer (signerConfig.Time) now honor SOURCE_DATE_EPOCH,
producing reproducible signatures alongside the plain Release file dates.
Adds system tests for both signer backends verifying byte-identical
Release, Release.gpg and InRelease across repeated publishes.
The signer tests (PublishRepo3[78]Test) are using an ed25519 key because
ed25519 signatures are deterministic by design. The Go openpgp library
uses a random nonce for DSA/ECDSA (see signature.go Sign calls using
config.Random() link below) so those signatures vary across runs
even with a fixed timestamp, making byte-identical verification impossible.
In addition to 49f342878a
Ref: https://github.com/aptly-dev/aptly/pull/1537
Ref: https://github.com/ProtonMail/go-crypto/blob/v1.4.0/openpgp/packet/signature.go#L945-L979
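
The property the commit message relies on, as an added example in plain Go standard-library crypto (not aptly's code and not the go-crypto OpenPGP code path): with the timestamp pinned by SOURCE_DATE_EPOCH, ed25519 yields byte-identical signatures on every run, while ECDSA with a random nonce does not. The helper names and the payload layout are hypothetical; the epoch value is constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"os"
	"strconv"
	"time"
)

// signingTime returns SOURCE_DATE_EPOCH as UTC when set and valid, else now.
func signingTime() time.Time {
	if sec, err := strconv.ParseInt(os.Getenv("SOURCE_DATE_EPOCH"), 10, 64); err == nil {
		return time.Unix(sec, 0).UTC()
	}
	return time.Now().UTC()
}

// payload stands in for the signed data: content plus the signature timestamp.
func payload(content []byte, t time.Time) []byte {
	return append(append([]byte{}, content...), []byte(t.Format(time.RFC3339))...)
}

// ed25519Repeatable signs msg twice with one key and reports byte equality.
func ed25519Repeatable(msg []byte) bool {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return bytes.Equal(ed25519.Sign(priv, msg), ed25519.Sign(priv, msg))
}

// ecdsaRepeatable does the same with ECDSA P-256 and a random nonce source.
func ecdsaRepeatable(msg []byte) bool {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	h := sha256.Sum256(msg)
	a, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	b, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return bytes.Equal(a, b)
}

func main() {
	os.Setenv("SOURCE_DATE_EPOCH", "1700000000") // constructed sample value
	msg := payload([]byte("Origin: example\n"), signingTime())
	fmt.Println("ed25519 identical:", ed25519Repeatable(msg))
	fmt.Println("ecdsa identical:  ", ecdsaRepeatable(msg))
}
```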
15 lines
674 B
Plaintext
Loading packages...
Generating metadata files and linking package files...
Finalizing metadata files...
Signing file 'Release' with gpg, please enter your passphrase when prompted:
Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:

Local repo local-repo has been successfully published.
Please setup your webserver to serve directory '${HOME}/.aptly/public' with autoindexing.
Now you can add following line to apt sources:
deb http://your-server/ maverick main
deb-src http://your-server/ maverick main
Don't forget to add your GPG key to apt with apt-key.

You can also use `aptly serve` to publish your repositories over HTTP quickly.