The document on secure APT contains an excellent explanation of what secure APT actually is. One section is empty though–the one about setting up your own secure APT repo.
I have some circumstantial evidence that my local APT repo is secure.
apt-get update complained about packages being “unsecure” when I installed from it. Then I signed my Release file, and instead I was told that the key was missing. Then I used apt-key to add my GPG key and the complaint went away.
I use mini-dinstall to manage my local repo. At some point I’m planning on synchronising it to another computer so that it’s available to others as well, but due to bandwidth problems I haven’t started doing this yet.
~/.dput.conf looks like this:

    [DEFAULT]
    allow_unsigned_uploads = 0

    [local]
    fqdn = localhost
    method = local
    incoming = /usr/local/apt/mini-dinstall/incoming
    post_upload_command = mini-dinstall --batch

As you can see, my local repo lives in /usr/local/apt. Then the ~/.mini-dinstall.conf looks like this:

    [DEFAULT]
    architectures = all, i386
    archivedir = /usr/local/apt
    use_dnotify = 0
    verify_sigs = 1
    extra_keyrings = ~/ms_home/secret/gnupg/pubring.gpg
    mail_on_success = 0
    archive_style = flat
    poll_time = 40
    mail_log_level = NONE
    generate_release = 1
    release_description = Magnus' Funky Packages
    release_signscript = ~/bin/release_sign

Most of this should be obvious to anyone who’s read the manpage. The only interesting bit is the release_signscript at the end. Based on information in the manpage I wrote this little shell script:
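
    #!/bin/sh
    # mini-dinstall passes the name of the Release file as $1; write a detached, ASCII-armoured signature next to it
    gpg --detach-sign --armor --output Release.gpg "$1"
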
Pretty straightforward really!
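
The circumstantial evidence above can be replaced by a direct check of the archive. The script below is an added example, not part of the original post: it verifies Release.gpg against a keyring you name, then confirms that every file listed in the Release file's SHA256 section matches what is on disk. The function names, the script name and the presence of a SHA256 section in Release are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: gpg, awk and sha256sum are installed, and the Release file
# carries a "SHA256:" section.

# verify_release_sig DIR KEYRING
# Release.gpg must be a valid detached signature over Release, made by a
# key in KEYRING (the user's default keyring is ignored).
verify_release_sig() {
    gpg --batch --no-default-keyring --keyring "$2" \
        --verify "$1/Release.gpg" "$1/Release"
}

# check_release_hashes DIR
# Every file listed under "SHA256:" in DIR/Release must exist in DIR with
# the listed size and digest. Succeeds only if at least one entry was checked.
check_release_hashes() {
    dir=$1
    checked=0
    # Keep only the indented "digest size name" lines after the SHA256: header.
    entries=$(awk '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0} s' "$dir/Release")
    while read -r digest size name; do
        [ -n "$name" ] || continue
        [ -f "$dir/$name" ] || { echo "missing: $name" >&2; return 1; }
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        bytes=$(wc -c < "$dir/$name" | tr -d ' ')
        if [ "$actual" != "$digest" ] || [ "$bytes" != "$size" ]; then
            echo "mismatch: $name" >&2
            return 1
        fi
        checked=$((checked + 1))
    done <<EOF
$entries
EOF
    [ "$checked" -gt 0 ]
}

# Stand-alone use: sh check-archive.sh DIR KEYRING (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    verify_release_sig "$1" "$2" && check_release_hashes "$1" &&
        echo "Release signature and listed hashes OK"
fi
```

The signature covers only the Release file, so both checks are needed: the signature authenticates the hash list, and the hash list authenticates the package indices.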