Debian Archive

1. Debian Archive Signing

Our apt repository requires signed uploads, and its releases are signed.

1.1. Upload Signing Keys

1.1.1. Generating An Upload Signing Key

Generate the key on your local machine, where you will be running pbuilder/uploading from, with:

gpg --full-gen-key

Keys used by admins to sign uploads should have the following attributes:

Ensure the keyid is set in ~/.devscripts so debsign will sign uploads with the correct key:

DEBSIGN_KEYID=YOUR_KEYID_HERE

1.1.2. Importing a New Upload Key

Export the public half of the key that will be used to sign uploads:

gpg --armor --export YOUR_KEYID_HERE > YOUR_KEYFILE_HERE

Copy the exported key to the debarchiver server, and import it:

sudo -u debarchiver gpg --no-default-keyring --keyring uploaders.gpg --import YOUR_KEYFILE_HERE

If managed using Puppet, enter the hcoop private data repository for gnupg and run as root:

gpg --no-default-keyring --keyring /path/to/private/puppet/module/files/debarchiver/gnupg/uploaders.gpg --import YOUR_KEYFILE_HERE

1.2. Archive Key

The Debian archive is signed, and the signing key should be rotated every year (currently on February 2nd). The keyring is managed by Puppet and is not committed to git. GPG limits the length of the agent socket path (it is a Unix domain socket), so with the long Puppet path you may need to symlink the directory into /root to work around this. The directory is also protected by a POSIX ACL, and GPG strips the ACL mask bits during key generation, which disables every ACL entry; restore the mask afterwards. As root:

ln -s /path/to/private/puppet/module/files/debarchiver/gnupg/ /root/debarchiver-gnupg
gpg --homedir /root/debarchiver-gnupg --full-gen-key
setfacl -m m::rwx -R /root/debarchiver-gnupg/
rm /root/debarchiver-gnupg

After generating, run sudo -u debarchiver gpg --list-secret-keys and copy the key ID of the newly generated private key into the debarchiver config option $gpgkey. If the debarchiver user cannot see the key, the ACL mask was not restored after generation.

After the updated configuration is in place, regenerate the published public key: sudo -u debarchiver gpg --armour --export NEW_PUBLIC_KEYID | tee /afs/hcoop.net/common/debian/archive/archive.pub

Clients must import the new key into apt's trusted keyring before the next Release file is signed with it; otherwise apt will reject the archive as unsigned (NO_PUBKEY).

2. Installing Packages to the Archive

debarchiver is configured to scan /afs/hcoop.net/common/debian/archive/incoming/$dists every five minutes. The easiest way to install a package to the archive is to use dput on the .changes file. By uploading to a distinputdir, you can leave the distribution as unstable in the changelog, and upload a package to multiple releases. The package should be built using pbuilder for each target release, and the source tarballs must match.

You can also upload packages for backports into a distinput directory, but you still have to update the version in the changelog so the backport has a distinct version that sorts below the one in the newer release.
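As an added example (not part of HCoop's tooling or of debarchiver itself), the following POSIX shell script performs the check a practitioner wants before running dput: every file listed under Checksums-Sha256 in the .changes file must exist beside it with the stated size and SHA256 digest, which is the consistency debarchiver demands of an upload. The make_sample function builds a constructed one-file upload purely for demonstration; the package name, file contents and the md5 placeholder in the Files field are made up.

```shell
#!/bin/sh
# Added example, not HCoop's or debarchiver's code: verify that every file a
# .changes file references is present next to it with the expected size and
# SHA256 sum before handing the .changes file to dput.
set -u

# check_changes FILE.changes
# Prints one line per listed file; returns 0 only if every entry verifies.
check_changes() {
    changes=$1
    dir=$(dirname "$changes")
    rc=0
    # Field bodies in a .changes file are continuation lines that start with a
    # space; collect "sum size name" triples until the next non-indented field.
    # This also works on a clearsigned (debsign-ed) file, whose field lines are
    # unchanged by the signature wrapper.
    entries=$(awk '/^Checksums-Sha256:/ {f=1; next}
                   /^[^ ]/ {f=0}
                   f && NF == 3 {print $1, $2, $3}' "$changes")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 field in $changes" >&2
        return 1
    fi
    while read -r want_sum want_size name; do
        [ -n "$name" ] || continue
        path=$dir/$name
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_sum" != "$want_sum" ]; then
            echo "MISMATCH $name" >&2
            rc=1
        else
            echo "OK       $name"
        fi
    done <<EOF
$entries
EOF
    return $rc
}

# make_sample DIR
# Writes a constructed one-file upload (not a real package) into DIR and
# prints the path of its .changes file.
make_sample() {
    d=$1
    printf 'not really a tarball\n' > "$d/hello_1.0.orig.tar.gz"
    sum=$(sha256sum "$d/hello_1.0.orig.tar.gz" | cut -d' ' -f1)
    size=$(wc -c < "$d/hello_1.0.orig.tar.gz" | tr -d ' ')
    cat > "$d/hello_1.0-1_source.changes" <<EOF
Format: 1.8
Source: hello
Distribution: unstable
Checksums-Sha256:
 $sum $size hello_1.0.orig.tar.gz
Files:
 00000000000000000000000000000000 $size main optional hello_1.0.orig.tar.gz
EOF
    echo "$d/hello_1.0-1_source.changes"
}

# Demo: a matching upload passes, a tampered tarball is rejected.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    ch=$(make_sample "$tmp")
    check_changes "$ch"
    printf 'tampered\n' >> "$tmp/hello_1.0.orig.tar.gz"
    check_changes "$ch" || echo "rejected after tampering (expected)"
    rm -rf "$tmp"
fi
```

Run the script with --demo to see the constructed case; in real use, call check_changes on the .changes file that debsign produced and, if it returns 0, pass that same file to dput.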

Example ~/.dput.cf:

[hcoop-stretch]
fqdn = local
method = local
incoming = /afs/hcoop.net/common/debian/archive/incoming/stretch/

[hcoop-stretch-backports]
fqdn = local
method = local
incoming = /afs/hcoop.net/common/debian/archive/incoming/stretch_backports/

[hcoop]
fqdn = local
method = local
incoming = /afs/hcoop.net/common/debian/archive/incoming

To upload a new package,

3. Checking for new versions

Many packages supply debian/watch files (see https://wiki.debian.org/debian/watch) which allow for easy scanning of new upstream versions. Run uscan /afs/hcoop.net/common/debian/src/ occasionally to scan the packaged sources for new upstream versions.


CategorySystemAdministration