Monkeysphere/ Monkeysphere archive signing key
monkeysphere
Why? Download Documentation Develop News
  1. Verifying the key
  2. The key itself
  3. Management of the key
  4. Maintaining the archive

Verifying the key

The Monkeysphere apt repository is signed by this key, so you can verify that the packages come from the right place and have not been tampered with.

This key is certified by several of the Monkeysphere developers, and should be able to be found from the public keyservers with:

$ gpg --recv-key 0x2E8DD26C53F1197DDF403E6118E667F1EB8AF314
gpg: requesting key 0x18E667F1EB8AF314 from hkp server pool.sks-keyservers.net
gpg: key 0x18E667F1EB8AF314: public key "Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$

You should be able to verify the fingerprint like this:

$ gpg --list-key --fingerprint http://archive.monkeysphere.info/debian
pub   4096R/0x18E667F1EB8AF314 2008-09-02 [expires: 2013-03-04]
      Key fingerprint = 2E8D D26C 53F1 197D DF40  3E61 18E6 67F1 EB8A F314
uid       [  full  ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)
$

And you can also verify the fingerprints with:

$ gpg --list-sigs http://archive.monkeysphere.info/debian

If you believe that the repository has been tampered with, please let us know!

If you have properly verified this key, you can add it to your apt keyring for proper cryptographic verification of the archive and its packages by doing the following:

 $ gpg -a --export 0x2E8DD26C53F1197DDF403E6118E667F1EB8AF314 | sudo apt-key add -
 OK
 $ aptitude update
 ...

The key itself

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)

mQINBEi9Ws0BEADUROJtI2VsWGI6jklofbCDw6webGi0nJTnKYSSxDE5XSWu6GtK
PG4RiX/YGtL+kD8+z/pVAbjqdLNypqiK5VkTZp3cE+4Yv2jxySQJz/UMNZ2wO3U+
9NAK2rJG3p0HhiTzAurJ2KqNstcMcPmqEDtP+J2tUHoIXttGiwFpss4R2hSBMlg+
nNFc53FlTadF2z3LNNCozPf7wRST2Zqkeem84+Vo2X3zy7pGpSf9S/XEPW/ve0fs
daADK9I6fZiqtrsb3/M3E3rESsD2YA+/25QA+XVJgtenTlaYEMkI0ARpd44oBHp7
Oj0RbRZ0Wz6OYDiJl6D2YJ1nFRHhbx+tnCJvuqUUkv3HYD85mGWIow7ElX5fc4iT
RdYUE3ebImES0gsaasNl3JUjuImNbrqqjQsAaN7JV77TqR8GGRLcalZkvIgY5b4a
hRYY16rvUaqZ4aYpiZftvE0X07W+siYqGfCynOn0+iX80pKid8gATjrwGdQ6TBr7
+yrBkmFTJFCCi5TS8gaJPdMJzYs7C3ou9XOWJLuwmnwn9edaCSTJ1Vgq+8eKjDj8
NxER5vjtXdAJqCJm7d4eNgHYXTNqRPznJRsutVfkFwEIzGXvvhnnDC1PdnhBjBVI
1+TbdSz9qKq3VaCxr6HNk9CBF2S0El3YMRmy0Zlf6/AOo9XiW3fp3LL6AwARAQAB
tEpNb25rZXlzcGhlcmUgQXJjaGl2ZSBTaWduaW5nIEtleSAoaHR0cDovL2FyY2hp
dmUubW9ua2V5c3BoZXJlLmluZm8vZGViaWFuKYkCPAQTAQIAJgIbAwYLCQgHAwIE
FQIIAwQWAgMBAh4BAheABQJPU9ZlBQkId68UAAoJEBjmZ/HrivMUkE4P/RQGxcxN
xyBVKvw3xGv+CAaUfKxiA5Ma3/zgnHG5uc+hL28HlR3nl+DFySE0Ur6OVbkAG1M7
wT26NO0KI2kZQyJcYKMSZms3QORHHirHgvcOa4tzK+B8f0KRcCXgTJQwEmw9zqtF
gh7/Z4it6KalmxUZozlT6C6wvhN01Sdaaw1J+eewDW52Ej8hvB0Zi84JjUFBPgWX
fJODTsSxRwCMN9SQRsovpO9NAGQ1bCiANQauAP+xqN1P+4bpboh7HLToCKhKX7bn
u5JOa3T+BOMOVX7RJEFg2KunBtuGM1RVSyWlVfK5yMn61/Cew297PexDC6ro/lhV
2Mip5G74NkNjCQHWe9HycTNeXgYGxIrXpz9PFgbCMk0pgpbbPqlU5oMavkKV604V
D14WLtUcr6MzSXZJ4OazTGQKINhyKpmLv/SsOjF3pEdf5gTLtW0a0mMoZlWoix5b
Jb5k6u2aNxpq7J7DjGmuYvyZKgywCQxe6M8ym4ofBnWHNLUtC/ztfwsM5vOr9kQu
eQTt7/wSxvIxwklmxzhoKBTw1aq/ka3GfllEQbOrQx4EM6UYPNFO8lOAv4QXMwAG
v3wvE24uIXrueB+4LDuVb7qMNaWOiYaiiPyJnutp4UWiR6Y2/68/Zq8/lqQ4qpKX
X6Ou+pFdGcdEXbUVyKWq+0yEa6Jn2iFFzSUt
=A2h5
-----END PGP PUBLIC KEY BLOCK-----

Management of the key

The archive signing key is currently under the control of Daniel Kahn Gillmor, though the task of being the archive maintainer may be taken over by a different developer in the future.

In the event of a new archive maintainer, the entire archive will be rebuilt from signed tags in the monkeysphere git repository, rather than trying to re-verify the entire old archive.

Maintaining the archive

To create a new archive including a single monkeysphere package from tag $TAG on architecture $ARCH, do:

git clone git://git.monkeysphere.info/monkeysphere
cd monkeysphere
git tag -v "$TAG"
git checkout "$TAG"
debuild -uc -us
cd repo
reprepro -C monkeysphere include experimental "../$TAG_$ARCH.changes"

When you get a binary package built from a separate architecture $NEWARCH that you want to include with the archive, do:

cd repo
reprepro -C monkeysphere includedeb experimental "../$TAG_$NEWARCH.deb"

To publish the archive, make sure you have access to archivemaster@george.riseup.net, and then do:

cd repo
./publish