Univention Bugzilla – Bug 57312
Create Univention Corporate Server 5.2 archive signing key
Last modified: 2024-06-24 11:29:43 CEST
After the pullcord about expiring UCS repository signing keys we decided to create and use new signing keys for every minor release. Define the required steps in a refinement.
cd /etc/archive-keys
umask 0027 ; makepasswd --chars 40 > ucs5.2.txt
chmod 0440 ucs5.2.txt
# https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html
cat >>ucs5.2.batch <<__EOF__
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Name-Real: Univention Corporate Server 5.2
Name-Email: packages@univention.de
Expire-Date: 7y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# %pubring /root/.gnupg/pubring.gpg
# %secring /root/.gnupg/secring.gpg
%commit
%echo done
__EOF__

# /usr/bin/gpg -vvvvv --pinentry-mode loopback --batch --passphrase-file /etc/archive-keys/ucs5.2.txt --generate-key ucs5.2.batch
gpg: using character set 'utf-8'
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: writing self signature
gpg: RSA/SHA256 signature from: "0xC882B6F1F7229D9A [?]"
gpg: writing public key to '/root/.gnupg/pubring.gpg'
gpg: using pgp trust model
gpg: key 0x292A41AFF510AADA: accepted as trusted key
gpg: key 0x2D3B68C377EE285B: accepted as trusted key
gpg: key 0xD293E501A055F562: accepted as trusted key
gpg: key 0x2A5E8D1842C305FF: accepted as trusted key
gpg: key 0xC882B6F1F7229D9A: accepted as trusted key
gpg: key 0xC882B6F1F7229D9A marked as ultimately trusted
gpg: writing to '/root/.gnupg/openpgp-revocs.d/92E57AE68A7988BD9651C222C882B6F1F7229D9A.rev'
gpg: RSA/SHA256 signature from: "0xC882B6F1F7229D9A Univention Corporate Server 5.2 <packages@univention.de>"
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/92E57AE68A7988BD9651C222C882B6F1F7229D9A.rev'
gpg: done

# gpg --output univention-archive-key-ucs-52x.gpg --export 0xC882B6F1F7229D9A
# install -m 0644 univention-archive-key-ucs-52x.gpg /var/univention/buildsystem2/mirror/ftp/univention-archive-key-ucs-52x.gpg
# install -m 0644 univention-archive-key-ucs-52x.gpg /var/univention/buildsystem2/mirror/testing/univention-archive-key-ucs-52x.gpg
# install -m 0644 univention-archive-key-ucs-52x.gpg /var/univention/buildsystem2/test_mirror/ftp/univention-archive-key-ucs-52x.gpg
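Before the exported file is copied to the mirrors, its key listing can be compared with what ucs5.2.batch requested. This is an added example, not part of the original comment or of Univention's tooling; check_archive_key and sample_listing are hypothetical names, and the timestamps in the sample listing are constructed.

```shell
#!/bin/sh
# Fingerprint taken from the gpg output above (revocation certificate file name).
FPR=92E57AE68A7988BD9651C222C882B6F1F7229D9A

# check_archive_key FPR: read a `gpg --with-colons` key listing on stdin and
# compare the primary key with the values requested in ucs5.2.batch.
check_archive_key() {
    awk -F: -v want="$1" '
        function fail(m) { print "FAIL: " m; bad = 1 }
        $1 == "pub" && !seen {
            seen = 1; len = $3; algo = $4
            created = $6; expires = $7; caps = $12; primary = 1; next
        }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && fpr == "" { fpr = toupper($10) }
        $1 == "uid" && uid == "" { uid = $10 }
        END {
            if (!seen) fail("no public key record")
            if (fpr != toupper(want)) fail("fingerprint is " fpr)
            if (algo != 1 || len != 4096) fail("not RSA 4096: algo " algo ", " len " bits")
            if (!index(caps, "s") || !index(caps, "c")) fail("usage flags are " caps)
            if (uid != "Univention Corporate Server 5.2 <packages@univention.de>")
                fail("user ID is " uid)
            # Expire-Date: 7y; allow for leap days, reject keys that never expire.
            if (expires == "" || expires - created <= 0 || expires - created > 7 * 366 * 86400)
                fail("expiry not within 7 years of creation")
            exit (bad ? 1 : 0)
        }' >&2
}

# Constructed sample listing: timestamps and the uid hash field are made up;
# key ID, fingerprint and user ID are the ones shown above.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:C882B6F1F7229D9A:1717000000:1937752000::-:::scSC::::::23::0:
fpr:::::::::92E57AE68A7988BD9651C222C882B6F1F7229D9A:
uid:-::::1717000000::0000000000000000000000000000000000000000::Univention Corporate Server 5.2 <packages@univention.de>::::::::::0:
EOF
}

sample_listing | check_archive_key "$FPR" && echo "sample listing matches batch parameters"
```

Against the real export, the listing would come from `gpg --show-keys --with-colons univention-archive-key-ucs-52x.gpg` piped into check_archive_key "$FPR".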
ff61112d2c [5.0-8] Bug #57312: Add univention-archive-key-ucs-52x.gpg
 base/univention-archive-key/debian/changelog | 3 ++-
 .../debian/univention-archive-key-udeb.install | 1 +
 .../debian/univention-archive-key.install | 2 ++
 .../debian/univention-archive-key.postinst | 3 ++-
 .../univention-archive-key-ucs-52x.gpg | Bin 0 -> 1185 bytes
 5 files changed, 7 insertions(+), 2 deletions(-)

Package: univention-archive-key
Version: 10.0.3-1
Branch: 5.0-0
Scope: ucs5.0-8
UCS 5.0-8 has been released: https://docs.software-univention.de/release-notes/5.0-8/en/ If this error occurs again, please use the 'Clone This Bug' option.
Successful build
Package: univention-archive-key
Version: 11.0.3
Branch: 5.1-0

Successful build
Package: univention-archive-key
Version: 12.0.2
Branch: 5.2-0