On 2021-07-01 14:26:48 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 2:19 PM, Jeremy Stanley wrote:
> > Also, as others have stated, deb822 might be a cleaner way to
> > express this.
>
> I'm a little confused - I thought deb822 was just a generic format
> used in various places throughout Debian, including in the Release
> files. Where specifically would the signed-by information be
> stored? In the Release file as you said below, or somewhere on the
> user's machine?

Check out the sources.list manpage:

    "The files list one source per line (one-line style) or contain
    multiline stanzas defining one or more sources per stanza
    (deb822 style), ..."

And then there's an entire DEB822-STYLE FORMAT section which
explains in greater detail.

> > On top of that, you can embed Signed-By fields with your key
> > fingerprint in your repository's Release files, in order to
> > highlight if someone gets an updated index which is signed by a
> > different key than you previously indicated it should be. I
> > think anything as recent as Stretch should support all of this.
>
> Thanks. Our primary target is Ubuntu - does Ubuntu 18.04 support
> this?

Ubuntu ships tweaked snapshots of Sid for most stuff, and that dates
since well after Stretch froze for release. Of course, try it to be
sure, but I just checked an Ubuntu 16.04 LTS machine and the
sources.list manpage there indicates support for deb822. As for
Signed-By in Release files, Ubuntu 18.04 does seem to have support
according to the apt changelog; any version newer than 1.3 ought to
include support and it has 1.6 so should be plenty new enough for
that.

-- 
Jeremy Stanley
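The deb822-style source stanzas and the Signed-By option discussed in this message, as an added example that is not part of the original e-mail: a small parser that reads deb822-style apt sources and reports enabled stanzas with no Signed-By field, which apt would verify against every key it trusts rather than one pinned key. The hostnames, keyring path and function names are constructed for illustration.

```python
SAMPLE_SOURCES = """\
# constructed sample; hostnames and keyring path are placeholders
Types: deb
URIs: https://repo.example.org/apt
Suites: bionic
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg

Types: deb
URIs: https://other.example.net/apt
Suites: bionic
Components: main

Types: deb
URIs: https://old.example.net/apt
Suites: bionic
Components: main
Enabled: no
"""

def parse_deb822(text):
    """Split text into stanzas; each is a dict keyed by lower-cased field name."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):            # comment line
            continue
        if not line.strip():                # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:     # continuation of previous field
            current[last] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def unpinned_sources(text):
    """Return URIs of enabled stanzas that have no Signed-By field."""
    found = []
    for stanza in parse_deb822(text):
        if stanza.get("enabled", "yes").lower() == "no":
            continue
        if not stanza.get("signed-by"):
            found.extend(stanza.get("uris", "").split())
    return found
```

On a real machine the input would be the contents of each `*.sources` file under /etc/apt/sources.list.d/.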