GPG

Overview

packagecloud:enterprise uses GPG keys to sign repository metadata. You can let packagecloud:enterprise generate a GPG key itself during install or you can import an existing GPG key.

Read more about GPG, RPM packages, and yum repos.

Read more about GPG, Debian packages, and apt repos.

Settings

packagecloud:enterprise can be configured to generate a GPG key for you or to use an existing GPG key.

GPG settings are configured under the packagecloud_gpg namespace in /etc/packagecloud/packagecloud.rb:

## This option enables GPG key generation by packagecloud:enterprise. If
## you have a GPG key you'd like to use instead, you should set this
## option to false.
packagecloud_gpg['generate_key'] = true

## This is the directory of the GPG keyring. Nearly all users should leave
## this option set to the default value.
packagecloud_gpg['key_directory'] = "/etc/packagecloud/gpgkey"

##
## If you want packagecloud to generate a key for you:
##
##   Change this setting to be the email address you want associated with the
##   public key. This email address will be readable by anyone who sees your
##   public key.
##
## If you are importing an existing key:
##
##   Change this setting to be the email address that is associated with the
##   GPG key. You chose this when the key was generated.
##
packagecloud_gpg['email'] = "operations@companyname.tld"

##
## GPG key generation settings
##
## If you want packagecloud to generate a key for you, fill in these settings,
## otherwise, you can leave them unchanged and skip to the next section for
## instructions on importing an existing GPG key.
##
## Change these values so they are relevant for your company and packagecloud
## will generate a key for you based on these settings.
##
packagecloud_gpg['realname'] = "Companyname, Inc."
packagecloud_gpg['comment'] = "package repo key"
packagecloud_gpg['expire_date'] = "0"
packagecloud_gpg['length'] = "4096"

Once these settings are configured in your /etc/packagecloud/packagecloud.rb, you should run:

sudo packagecloud-ctl reconfigure
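Because reconfigure acts on whatever is in packagecloud.rb, it helps to sanity-check the packagecloud_gpg settings before running it (for example, that generate_key is false and email is set when you intend to import your own key, or that the generated key length is not weaker than the 4096-bit default). The script below is an added example, not part of packagecloud-ctl or the packagecloud documentation; it parses packagecloud_gpg['...'] = ... lines from the config text and reports inconsistencies. The minimum key length and the accepted expire_date formats it checks are assumptions for this example (expire_date follows the GnuPG convention where "0" means the key never expires).

```ruby
# Added example (not packagecloud's own tooling): parse the packagecloud_gpg
# settings out of packagecloud.rb-style text and check them for consistency
# before running `packagecloud-ctl reconfigure`.

# Matches lines such as:  packagecloud_gpg['generate_key'] = true
SETTING_RE = /\A\s*packagecloud_gpg\['(?<key>[a-z_]+)'\]\s*=\s*(?<value>"[^"]*"|true|false|\d+)\s*\z/

# Parse the settings text into a Hash of key => value (strings and booleans).
# Comment lines (starting with '#') and blank lines are skipped.
def parse_gpg_settings(text)
  settings = {}
  text.each_line do |line|
    next if line.strip.empty? || line.strip.start_with?('#')
    m = SETTING_RE.match(line)
    next unless m
    raw = m[:value]
    settings[m[:key]] =
      case raw
      when 'true' then true
      when 'false' then false
      else raw.delete_prefix('"').delete_suffix('"')
      end
  end
  settings
end

# Return a list of problems found; an empty list means the settings look sane.
# The 4096-bit minimum and the expire_date formats are assumptions for this
# example, not values taken from the packagecloud documentation.
def check_gpg_settings(settings)
  problems = []
  email = settings['email'].to_s
  problems << "email must be set (it is the key's user ID)" if email.empty?
  problems << "email #{email.inspect} does not look like an address" unless email.include?('@') || email.empty?

  if settings['generate_key'] == true
    # Key generation path: realname, length and expire_date are used.
    problems << 'realname must be set when generate_key is true' if settings['realname'].to_s.empty?
    length = settings['length'].to_i
    problems << "length #{settings['length'].inspect} is below 4096 bits (assumed minimum for a repo signing key)" if length < 4096
    # "0" means the key never expires; otherwise expect YYYY-MM-DD or N[dwmy]
    unless settings['expire_date'].to_s.match?(/\A(0|\d{4}-\d{2}-\d{2}|\d+[dwmy])\z/)
      problems << "expire_date #{settings['expire_date'].inspect} is not 0, YYYY-MM-DD or N[dwmy]"
    end
  elsif settings['generate_key'] == false
    # Import path: the key is imported into key_directory with
    # `packagecloud-ctl gpg-private-key-import <key_directory>`.
    problems << 'key_directory must be set when importing an existing key' if settings['key_directory'].to_s.empty?
  else
    problems << 'generate_key must be true or false'
  end
  problems
end

# Constructed sample input mirroring the documented defaults.
SAMPLE_CONFIG = <<~'CONF'
  ## generate a key for us
  packagecloud_gpg['generate_key'] = true
  packagecloud_gpg['key_directory'] = "/etc/packagecloud/gpgkey"
  packagecloud_gpg['email'] = "operations@companyname.tld"
  packagecloud_gpg['realname'] = "Companyname, Inc."
  packagecloud_gpg['comment'] = "package repo key"
  packagecloud_gpg['expire_date'] = "0"
  packagecloud_gpg['length'] = "4096"
CONF

if __FILE__ == $PROGRAM_NAME
  problems = check_gpg_settings(parse_gpg_settings(SAMPLE_CONFIG))
  puts(problems.empty? ? 'packagecloud_gpg settings look consistent' : problems)
end
```

To run it against a real file, replace SAMPLE_CONFIG with File.read('/etc/packagecloud/packagecloud.rb'); the parser only looks at packagecloud_gpg lines, so the rest of the file is ignored.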

Important note about changing GPG keys

If you are changing the GPG key used for metadata signing and you have existing repositories with packages, you must run a task to regenerate the repository metadata and re-sign it with your new key.

To do this, run the command:

sudo packagecloud-ctl reindex-all

Depending on the number of packages, repos, and background workers you have, this may take some time to complete.

This will regenerate all repository metadata, resign it using the configured key, and re-upload the metadata and signatures to GPG.

The packages themselves are not downloaded or modified during this process.

You must also run

sudo packagecloud-ctl reconfigure

after changing your GPG key, as explained below.

GPG key import

If you have an existing GPG private key you'd like packagecloud to use for signing repository metadata, you'll need to set some options before importing it.

Make sure to set the following options in your /etc/packagecloud/packagecloud.rb configuration file:

  • packagecloud_gpg['generate_key'] to false since you have your own key.
  • packagecloud_gpg['email'] to the email address associated with the private key.

The value specified for packagecloud_gpg['key_directory'] will be needed in the next command. Nearly all users should use the default value, as it will be backed up when taking backups with packagecloud-ctl.

Next, you'll want to import the key. Keys are imported via standard input, and you can script this using a shell heredoc:

sudo packagecloud-ctl gpg-private-key-import /etc/packagecloud/gpgkey <<EOF
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1
...
-----END PGP PRIVATE KEY BLOCK-----
EOF

After importing your key, you must run:

sudo packagecloud-ctl reconfigure

to prepare packagecloud:enterprise to use the GPG key.

After reconfigure has completed, you will be able to access the new public key at: https://your-domain.tld/gpg.key

If you are importing a new key to use and you have existing repositories, please see the section above "Important note about changing GPG keys".

GPG public and private key export

You can print your GPG public and private keys to standard output once they have been imported.

To print your GPG public key:

sudo packagecloud-ctl gpg-public-key-dump

To print your GPG private key:

sudo packagecloud-ctl gpg-private-key-dump