Friday, May 9, 2008

Debmirror of ubuntu archive, with valid gpg keys

Getting debmirror to use the Ubuntu gpg signatures was harder than I expected. First I tried:
gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg


That worked fine, but it put the keys in ~/.gnupg/pubring.gpg, and debmirror wants them in ~/.gnupg/trustedkeys.gpg, so I got this error:


Mirroring to /repo/ from http://us.archive.ubuntu.com/ubuntu/
Arches: i386
Dists: hardy
Sections: main,restricted,universe,multiverse
Will NOT clean up.
Pdiff mode: use.
Attempting to get lock, this might take 2 minutes before it fails.
Get Release files.
[0%] Getting: dists/hardy/Release... ok
[0%] Getting: dists/hardy/Release.gpg... ok
gpgv: keyblock resource `/home/name/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Thu 24 Apr 2008 02:19:52 EDT using DSA key ID 437D05B5
[GNUPG:] ERRSIG 40976EAF437D05B5 17 2 00 1209017992 9
[GNUPG:] NO_PUBKEY 40976EAF437D05B5
gpgv: Can't check signature: public key not found
gpgv: keyblock resource `/home/name/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Thu 24 Apr 2008 02:19:52 EDT using DSA key ID 437D05B5
gpgv: Can't check signature: public key not found
Release signature does not verify.
Errors:
Release signature does not verify.
Failed to download some Release or Release.gpg files!
WARNING: releasing 1 pending lock...

The debmirror man page recommends this command to get them into trustedkeys.gpg, which works fine:

gpg --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --export \
| gpg --no-default-keyring --keyring trustedkeys.gpg --import

Then the debmirror command:

sudo debmirror --nosource --host=archive.ubuntu.com --method=http --root=ubuntu \
--dist=hardy --section=main,restricted,universe,multiverse --arch=i386 \
--progress --nocleanup --ignore-small-errors -v /repo/
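
The NO_PUBKEY failure above can be reproduced outside debmirror by running gpgv by hand on a downloaded Release and Release.gpg pair. The script below is an added example, not part of the original post: it runs that check against trustedkeys.gpg and lists the signing key IDs gpgv reports as missing. The function names are hypothetical, and the sample status text is constructed from the error output quoted above.

```shell
#!/bin/sh
# Added example: pre-flight check for the keyring debmirror's gpgv call uses.

# Read gpgv --status-fd output on stdin and print each long key ID that
# gpgv could not find in its keyring (NO_PUBKEY lines), de-duplicated.
missing_keys() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3 }' | sort -u
}

# check_release RELEASE RELEASE_GPG [KEYRING]
# Verify a Release file the way the log above shows debmirror doing it.
# A keyring name without a slash is looked up in the GnuPG home (~/.gnupg).
# Returns 2 if a signing key is missing, otherwise gpgv's own exit status.
check_release() {
    keyring=${3:-trustedkeys.gpg}
    rc=0
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$2" "$1" 2>/dev/null) || rc=$?
    missing=$(printf '%s\n' "$status" | missing_keys)
    if [ -n "$missing" ]; then
        echo "signing key(s) not in $keyring: $missing" >&2
        return 2
    fi
    return "$rc"
}

# Constructed sample: status lines taken from the error output in the post.
sample_status() {
    cat <<'EOF'
gpgv: Signature made Thu 24 Apr 2008 02:19:52 EDT using DSA key ID 437D05B5
[GNUPG:] ERRSIG 40976EAF437D05B5 17 2 00 1209017992 9
[GNUPG:] NO_PUBKEY 40976EAF437D05B5
gpgv: Can't check signature: public key not found
EOF
}

# Offline demonstration on the sample; prints the missing long key ID.
sample_status | missing_keys

# Real use, after fetching the two files from the mirror (paths are examples):
#   check_release ./Release ./Release.gpg && echo "Release verifies"
```

If check_release reports a missing key, confirm that the key ID belongs to the archive keyring shipped in the ubuntu-keyring package before importing it into trustedkeys.gpg.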

1 comment:

Unknown said...

Thanks! I couldn't get my mirror to update my personal Debian mirror after I upgraded my server to Ubuntu 11.04 (Yes, I know I'm running Debian clients and an Ubuntu server, it's not the way I want it, but I don't want to reconfigure email on a new OS install).