Busk: Created page with "To resolve the "repository is not signed" error, you need to generate a GPG key, use it to sign your repository's `Release` file, and then add the public key to your host's tr..."

2025-08-24T18:42:29Z

Created page with "To resolve the "repository is not signed" error, you need to generate a GPG key, use it to sign your repository's `Release` file, and then add the public key to your host's tr..."

New page

To resolve the "repository is not signed" error, you need to generate a GPG key, use it to sign your repository's `Release` file, and then add the public key to your host's trusted keys.

Here’s the step-by-step process.

-----

### 1\. Generate a GPG Key

First, generate a GPG key pair on the machine where you build the repository. This key will be used for signing.

1. Run the key generation command:

```bash
gpg --full-generate-key
```

2. Follow the prompts. Reasonable defaults are usually fine:

* Select **(1) RSA and RSA**.
* For key size, enter **4096**.
* Set an expiration period (e.g., `1y` for one year) or choose `0` for no expiration.
* Enter your real name and email address.
* Enter a secure passphrase.

3. List your keys to find the **Key ID**. You will need this for the signing script.

```bash
gpg --list-secret-keys --keyid-format=long
```

The output will look similar to this. Your Key ID is the long string of characters after `rsa4096/`.

```
/home/user/.gnupg/pubring.kbx
-----------------------------
sec rsa4096/A1B2C3D4E5F6G7H8 2025-08-24 [SC] [expires: 2026-08-24]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ultimate] Your Name <your.email@example.com>
ssb rsa4096/1A2B3C4D5E6F7G8H 2025-08-24 [E]
```

In this example, the Key ID is `A1B2C3D4E5F6G7H8`.

-----

### 2\. Update Your Repository Script to Sign the Release

Modify your script to sign the `Release` file using the GPG key you just created. This generates the `InRelease` and `Release.gpg` files that APT expects.

Replace `YOUR_KEY_ID` with the actual Key ID from the previous step.

```bash
#!/bin/bash
set -eux
NAME="$1"
GPG_KEY_ID="A1B2C3D4E5F6G7H8" # <-- REPLACE THIS
DEB_FILE="$NAME.deb"
REPO_ROOT="$NAME"
DISTRIBUTION="stable"
COMPONENT="main"
ARCHITECTURE="amd64"
POOL_DIR="${REPO_ROOT}/pool/${COMPONENT}"
DIST_DIR="${REPO_ROOT}/dists/${DISTRIBUTION}"
BINARY_DIR="${DIST_DIR}/${COMPONENT}/binary-${ARCHITECTURE}"

mkdir -p "${POOL_DIR}"
cp "${DEB_FILE}" "${POOL_DIR}/"

pushd "${REPO_ROOT}" > /dev/null

mkdir -p "${BINARY_DIR}"

apt-ftparchive packages "pool" > "${BINARY_DIR}/Packages"
gzip -9c "${BINARY_DIR}/Packages" > "${BINARY_DIR}/Packages.gz"

apt-ftparchive release "${DIST_DIR}" > "${DIST_DIR}/Release"

gpg --default-key "${GPG_KEY_ID}" -abs -o "${DIST_DIR}/Release.gpg" "${DIST_DIR}/Release"
gpg --default-key "${GPG_KEY_ID}" --clearsign -o "${DIST_DIR}/InRelease" "${DIST_DIR}/Release"

popd > /dev/null
```

Now, when you run this script, it will create the necessary signature files in your repository directory.

-----

### 3\. Make the Public Key Available

Export the public part of your GPG key so client machines can download and trust it.

1. Export the key to a file. Replace `YOUR_KEY_ID` with your Key ID.
```bash
gpg --armor --export YOUR_KEY_ID > public.key
```
2. Copy this `public.key` file to your web server so it's downloadable. A good location would be the root of your repository. For example: `http://repo.example.com/uctl-agent/public.key`.

-----

### 4\. Configure Client Hosts

On each machine that uses this repository, you need to download the public key and update the `sources.list` entry.

1. Download the public key and store it in the APT keyrings directory.

```bash
sudo mkdir -p /etc/apt/keyrings
curl -fsSL http://repo.example.com/uctl-agent/public.key | sudo gpg --dearmor -o /etc/apt/keyrings/uctl-agent.gpg
```

2. Modify your `/etc/apt/sources.list.d/uctl-agent.list` file to tell APT where to find the key for this specific repository using the `signed-by` option.

```
deb [arch=amd64 signed-by=/etc/apt/keyrings/uctl-agent.gpg] http://repo.example.com/uctl-agent/1.0/ubuntu stable main
```

3. Finally, run `apt update`. The error should now be gone.

```bash
sudo apt update
```

Repo debian - Revision history

Busk: Created page with "To resolve the "repository is not signed" error, you need to generate a GPG key, use it to sign your repository's `Release` file, and then add the public key to your host's tr..."