GPG signing built-in Debian .deb package Registry

Hi everybody, first post here:

I want to use the built in .deb repository function, and uploading my first .deb worked just fine.

But: Is there a way to GPG-sign the Debian registry/repository, so I don’t get this warning every time:

root@pi:~# apt update
Get:1 https://redacted.at/api/packages/ralph/debian bookworm InRelease [1,922 B]
Hit:2 http://ftp.debian.org/debian bookworm InRelease      
Err:1 https://redacted.at/api/packages/ralph/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E40426EAA2ECD3C9
Reading package lists... Done
W: GPG error: https://redacted.at/api/packages/ralph/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E40426EAA2ECD3C9
E: The repository 'https://redacted.at/api/packages/ralph/debian bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

TIA Ralph


How are you uploading the .deb package? Is it just over the API or via Actions? If Actions, can you show the script used to generate the .deb?

Thanks, Jake, for your reply. I uploaded the package via HTTP PUT according to this:

What I did not realize was that the Debian package repository/registry has a UI in the web interface, and that there are instructions in this web interface on how to add the repository keys. It works fine for me now, after I found this interface to the registry.

Thanks,
Ralph

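Before adding a registry key to apt it is worth confirming, out of band, that the key you downloaded is the one apt named after NO_PUBKEY and that its full fingerprint matches what the registry operator published. The following is an added example (not code from the thread or from Gitea) that computes the v4 OpenPGP fingerprint and long key ID of an ASCII-armored public key; it assumes the key is fetched as an armored public-key block (for example from the registry's key URL linked in the web UI) and uses a constructed, non-real sample key for the self-check.

```python
import base64
import hashlib

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 s6.2): BEGIN/END lines, armor headers and the CRC24 line."""
    inner = armored.replace("\r\n", "\n").split("-----BEGIN PGP PUBLIC KEY BLOCK-----", 1)[1]
    inner = inner.split("-----END PGP PUBLIC KEY BLOCK-----", 1)[0]
    _headers, _, b64 = inner.partition("\n\n")          # armor headers end at the first blank line
    return base64.b64decode("".join(l.strip() for l in b64.splitlines() if not l.startswith("=")))

def first_packet(data: bytes):
    """Return (tag, body) of the first packet, for old (s4.2.1) and new (s4.2.2) header formats."""
    ctb = data[0]
    if (ctb & 0xC0) == 0xC0:                              # new format: 6-bit tag, variable length
        tag, n = ctb & 0x3F, data[1]
        if n < 192:
            length, off = n, 2
        elif n < 224:
            length, off = ((n - 192) << 8) + data[2] + 192, 3
        elif n == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used for key packets")
    elif ctb & 0x80:                                      # old format: 4-bit tag, 1/2/4-byte length
        tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
        if n == 8:
            raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    else:
        raise ValueError("not an OpenPGP packet")
    return tag, data[off:off + length]

def v4_fingerprint(armored_key: str) -> str:
    """SHA-1 over 0x99 || 2-byte body length || public-key packet body (RFC 4880 s12.2)."""
    tag, body = first_packet(dearmor(armored_key))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def check_repository_key(armored_key: str, apt_key_id: str, expected_fpr: str) -> bool:
    """True only if the low 64 bits match the ID apt printed after NO_PUBKEY and the full fingerprint matches."""
    fpr = v4_fingerprint(armored_key)
    return fpr[-16:] == apt_key_id.upper() and fpr == expected_fpr.replace(" ", "").upper()

# Constructed sample (not a real key): a 14-byte v4 RSA public-key packet body; armor() wraps a raw packet.
SAMPLE_BODY = b"\x04\x00\x00\x00\x00\x01" + b"\x00\x11\x01\x00\x01" + b"\x00\x02\x03"
def armor(raw: bytes) -> str:
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n=CRC0\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(raw).decode()
```

Feed `check_repository_key()` the downloaded key text, the ID from apt's NO_PUBKEY line and the fingerprint obtained from the registry operator; only install the key into `/etc/apt/keyrings` when it returns True.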

https://docs.gitea.com/next/usage/packages/packages/debian

That link leads to a 404 now, and the one that seems to be a “live” variant of the previous one - https://docs.gitea.com/usage/packages/debian - does not contain instructions for uploading one’s own PGP key to be used for signing packages. And by default the Debian package registry uses some auto-generated(?) key, as it seems.

Gitea’s web GUI also does not provide instructions for setting a custom PGP key for signing .deb packages.

It may already be documented somewhere, but unfortunately I couldn’t find it. Can someone please point me to the right place? I’d be totally fine with not having it in the GUI; a bare cURL upload of the .asc is no problem for me, but I just don’t know what the upload route/URL is (if there is one at all).

Found this GetOrCreateKeyPair() function in the sources, which seems to first check for an existing key before generating a new one:

func GetOrCreateKeyPair(ctx context.Context, ownerID int64) (string, string, error) {
    priv, err := user_model.GetSetting(ctx, ownerID, debian_module.SettingKeyPrivate)
    // ...

but I couldn’t figure out where this GetSetting() looks for a key, so that I could provide my own before the first ever key-pair generation, or so that I could replace the already existing key pair with mine.