Automatically sign package files from debuild and upload with dput
I've created a source package for a library I'm working on. I use debuild to build it and then I can successfully upload it with dput.
Now I want to set it up so that I can do this automatically from Jenkins. The main issue I'm running into is signing the .dsc and .changes files. What I'm trying to do is sign the packages with gpg rather than having debuild do it. This way I can sign the files automatically with the gpg option --passphrase-fd 0.
So I use debuild with the options -uc and -us and then clearsign the files with gpg. But when I do this it creates a separate .dsc.asc and source.changes.asc. When I then try to upload with dput I get the error
Checking signature on .changes
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
This would seem to suggest that I should list the .asc file as an argument to dput, but I can't get this to work.
Solution 1:
I found the following solution with debsign and the -p option:
- use debuild without the signature, as you mentioned
- then use debsign with the -p option setting the passphrase to use, like this:
debsign \
  -p'gpg --passphrase-file /home/myname/my_passphrase_file.txt --batch --no-use-agent' \
  -S -kMYKEYID package_source.changes
Still having some other issues, but this part looks like it's working. Signing files with GPG directly does not work, as the checksums computed during the debuild are changed.
I always prefer storing keys with a passphrase anyway.
Solution 2:
The easy answer is: Launchpad daily builds, they do all of this for you, fairly securely.
If you want to be doing source upload from Jenkins, then I suggest creating a key just for this Jenkins job. Having a passphrase on it wouldn't improve the security very much, if the Jenkins job would have to know the passphrase, so one might as well just leave it unprotected.
If you really want to sign the .dsc and .changes files by hand, sign them with gpg --clearsign, and rename the .asc files over the originals.
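Solution 1 notes that signing with GPG directly breaks the checksums computed during the build, and Solution 2's hand-signing route (clearsign, then rename the .asc over the original) is exactly where that bites. The script below is an added example, not code from the question or either answer: it parses the checksum fields of a .changes file, checks them against the files on disk the way dput and the archive do, shows the mismatch that appears once the .dsc has been clearsigned in place, and then rewrites the .changes entries, which is the step debsign performs between signing the .dsc and signing the .changes. The .dsc, the .changes and the signature envelope are all constructed sample data, and the file names and helper functions are my own.

```python
"""Why hand-signing a .dsc breaks an upload, and the rewrite debsign does to fix it.

Added example, not code from the original question or answers. A .changes file
records size and MD5/SHA1/SHA256 of every file it ships, the .dsc included, so
clearsigning the .dsc and renaming the .asc over it leaves those entries stale.
debsign signs the .dsc, rewrites the .changes checksums, then signs the .changes;
refresh_checksums() reproduces that middle step. All data below is constructed.
"""
import hashlib
import os
import tempfile

# Checksum field -> digest algorithm. "Files:" continuation lines are
# "md5 size section priority name"; "Checksums-*:" lines are "hash size name".
CHECKSUM_FIELDS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def file_digest(path, algo):
    with open(path, "rb") as fh:
        return hashlib.new(algo, fh.read()).hexdigest()


def parse_changes(text):
    """Return {field: [(digest, size, filename), ...]} for the checksum fields.
    Control files are RFC822-like: headers at column 0, continuations start with a space."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            if current in CHECKSUM_FIELDS and line.strip():
                parts = line.split()
                fields[current].append((parts[0], int(parts[1]), parts[-1]))
        elif ":" in line:
            current = line.split(":", 1)[0]
            if current in CHECKSUM_FIELDS:
                fields[current] = []
        else:
            current = None  # blank line ends the stanza
    return fields


def verify_changes(changes_path):
    """Return [(field, filename, problem), ...]; an empty list means every entry matches disk."""
    directory = os.path.dirname(os.path.abspath(changes_path))
    with open(changes_path) as fh:
        entries = parse_changes(fh.read())
    problems = []
    for field, algo in CHECKSUM_FIELDS.items():
        for digest, size, name in entries.get(field, []):
            path = os.path.join(directory, name)
            if not os.path.exists(path):
                problems.append((field, name, "missing"))
            elif os.path.getsize(path) != size:
                problems.append((field, name, "size mismatch"))
            elif file_digest(path, algo) != digest:
                problems.append((field, name, algo + " mismatch"))
    return problems


def refresh_checksums(changes_path):
    """Rewrite size and digest of each listed file from disk (debsign's step after re-signing the .dsc)."""
    directory = os.path.dirname(os.path.abspath(changes_path))
    with open(changes_path) as fh:
        lines = fh.read().splitlines()
    out, current = [], None
    for line in lines:
        if line.startswith(" ") and current in CHECKSUM_FIELDS and line.strip():
            parts = line.split()
            path = os.path.join(directory, parts[-1])
            parts[0] = file_digest(path, CHECKSUM_FIELDS[current])
            parts[1] = str(os.path.getsize(path))
            line = " " + " ".join(parts)  # section/priority on Files: lines are kept as-is
        elif not line.startswith(" "):
            current = line.split(":", 1)[0] if ":" in line else None
        out.append(line)
    with open(changes_path, "w") as fh:
        fh.write("\n".join(out) + "\n")


def simulate_clearsign(path):
    """Stand-in for `gpg --clearsign` plus renaming the .asc over the original:
    wraps the file in an armoured envelope (constructed text, not a real signature)."""
    with open(path) as fh:
        body = fh.read()
    with open(path, "w") as fh:
        fh.write("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + body
                 + "-----BEGIN PGP SIGNATURE-----\n\n(signature data)\n-----END PGP SIGNATURE-----\n")


def build_demo(directory):
    """Write a constructed hello_1.0-1.dsc and a matching _source.changes; return both paths."""
    dsc = os.path.join(directory, "hello_1.0-1.dsc")
    with open(dsc, "w") as fh:
        fh.write("Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n")
    size = os.path.getsize(dsc)
    changes = os.path.join(directory, "hello_1.0-1_source.changes")
    with open(changes, "w") as fh:
        fh.write(
            "Format: 1.8\nSource: hello\nVersion: 1.0-1\nArchitecture: source\n"
            "Changes:\n hello (1.0-1) unstable; urgency=medium\n .\n   * Initial release\n"
            f"Checksums-Sha1:\n {file_digest(dsc, 'sha1')} {size} hello_1.0-1.dsc\n"
            f"Checksums-Sha256:\n {file_digest(dsc, 'sha256')} {size} hello_1.0-1.dsc\n"
            f"Files:\n {file_digest(dsc, 'md5')} {size} libs optional hello_1.0-1.dsc\n"
        )
    return dsc, changes


def demo():
    """Fresh build, then hand-signed .dsc, then refreshed .changes; return the three problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        dsc, changes = build_demo(tmp)
        fresh = verify_changes(changes)
        simulate_clearsign(dsc)
        after_sign = verify_changes(changes)
        refresh_checksums(changes)
        after_refresh = verify_changes(changes)
    return fresh, after_sign, after_refresh


if __name__ == "__main__":
    for label, problems in zip(("fresh build", "after hand-signing .dsc", "after refresh"), demo()):
        print(f"{label}: {problems or 'all checksums match'}")
```

Run as a script it prints no problems for the fresh build, a size mismatch on the .dsc in all three checksum fields once the .dsc has been signed in place, and no problems again after the rewrite. That middle state is what an archive sees if the .dsc is clearsigned by hand and the .changes is then signed without updating it, which is why the debsign route in Solution 1 (sign .dsc, rewrite .changes, sign .changes) is the one to script from Jenkins; a Jenkins job that runs verify_changes() before dput catches the stale entries before anything leaves the build host.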