Verifying the key

The Monkeysphere apt repository is signed by this key, so you can verify that the packages come from the right place and have not been tampered with.

This key is certified by several of the Monkeysphere developers, and should be able to be found from the public keyservers with:

$ gpg --recv-key 0x2E8DD26C53F1197DDF403E6118E667F1EB8AF314
gpg: requesting key 0x18E667F1EB8AF314 from hkp server pool.sks-keyservers.net
gpg: key 0x18E667F1EB8AF314: public key "Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$

You should be able to verify the fingerprint like this:

$ gpg --list-key --fingerprint http://archive.monkeysphere.info/debian
pub   4096R/0x18E667F1EB8AF314 2008-09-02 [expires: 2013-03-04]
      Key fingerprint = 2E8D D26C 53F1 197D DF40  3E61 18E6 67F1 EB8A F314
uid       [  full  ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)
$ 

And you can also verify the fingerprints with:

$ gpg --list-sigs http://archive.monkeysphere.info/debian

If you believe that the repository has been tampered with, please let us know!

If you have properly verified this key, you can add it to your apt keyring for proper cryptographic verification of the archive and its packages by doing the following:

 $ gpg -a --export 0x2E8DD26C53F1197DDF403E6118E667F1EB8AF314 | sudo apt-key add -
 OK
 $ aptitude update
 ...

The key itself

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQINBEi9Ws0BEADUROJtI2VsWGI6jklofbCDw6webGi0nJTnKYSSxDE5XSWu6GtK
PG4RiX/YGtL+kD8+z/pVAbjqdLNypqiK5VkTZp3cE+4Yv2jxySQJz/UMNZ2wO3U+
9NAK2rJG3p0HhiTzAurJ2KqNstcMcPmqEDtP+J2tUHoIXttGiwFpss4R2hSBMlg+
nNFc53FlTadF2z3LNNCozPf7wRST2Zqkeem84+Vo2X3zy7pGpSf9S/XEPW/ve0fs
daADK9I6fZiqtrsb3/M3E3rESsD2YA+/25QA+XVJgtenTlaYEMkI0ARpd44oBHp7
Oj0RbRZ0Wz6OYDiJl6D2YJ1nFRHhbx+tnCJvuqUUkv3HYD85mGWIow7ElX5fc4iT
RdYUE3ebImES0gsaasNl3JUjuImNbrqqjQsAaN7JV77TqR8GGRLcalZkvIgY5b4a
hRYY16rvUaqZ4aYpiZftvE0X07W+siYqGfCynOn0+iX80pKid8gATjrwGdQ6TBr7
+yrBkmFTJFCCi5TS8gaJPdMJzYs7C3ou9XOWJLuwmnwn9edaCSTJ1Vgq+8eKjDj8
NxER5vjtXdAJqCJm7d4eNgHYXTNqRPznJRsutVfkFwEIzGXvvhnnDC1PdnhBjBVI
1+TbdSz9qKq3VaCxr6HNk9CBF2S0El3YMRmy0Zlf6/AOo9XiW3fp3LL6AwARAQAB
tEpNb25rZXlzcGhlcmUgQXJjaGl2ZSBTaWduaW5nIEtleSAoaHR0cDovL2FyY2hp
dmUubW9ua2V5c3BoZXJlLmluZm8vZGViaWFuKYkCPAQTAQoAJgIbAwYLCQgHAwIE
FQIIAwQWAgMBAh4BAheABQJXZIdOBQkQiGABAAoJEBjmZ/HrivMUC5AQAIXHMcSi
cBeJuAeutf4dCQpWmUXAX6AEHmqItGEnLZDVVtT/h81O498qRq4t+NwP614Ouoft
fFMO/SK19oYALslUezo5z8UW3kVSR1sUdV7TmFNsg074JormHZEBPYogj+qvApwf
0oGX6aYorEWNJNoQQfI1AdTByC3o+Lh3wl38+GhAiUlQy8HuLUrIykshaZm8jbPq
x7hm5iX4vC68lGSAn7kQ9PQMXvGtofB3FN6nP8PRvG/qiZ1chbmPBp+NupcAydBJ
OFqfPCTBJHJ3c1cVSzJUV/HUPjq0vDvL9pLlzBOXrEQOK8YuMWLLHMobogxrs+Ei
3CGadwj5pJOs/qj+hYUBuiA+/98Ap4/9NJWOSSpLgvAxpcA9j52SbrYL8pTIi0UH
9v0hf5o5iAnit6ahCV9f73Kf/VCKVXyadjW+Cc8VCqD4A2lJSEjx2HXRRLxZ+8Uq
ZdePjuovuYDMQ+B++hGQfdjVzo+cX+bHmdznpqNRqVF04QPoV+ClITgcoBxsVDP7
lJFtPISPt6U0EFOHR3/qPOKLnndw+J60FzlSYnUVY7OlUUCBMYR1oSkhxxgRTRVC
FQmP4LFLwRXoUAn3x99BpKTRLw65XY2FSyR90mKjwyMqk2XzujJCY8jh7Qe0/Ilr
CImkcq52U9cgMvnftaB5LXExG5sqLJYtQ9ek
=WtSr
-----END PGP PUBLIC KEY BLOCK-----

Management of the key

The archive signing key is currently under the control of Daniel Kahn Gillmor, though the task of being the archive maintainer may be taken over by a different developer in the future.

In the event of a new archive maintainer, the entire archive will be rebuilt from signed tags in the monkeysphere git repository, rather than trying to re-verify the entire old archive.

Maintaining the archive

To create a new archive including a single monkeysphere package from tag $TAG on architecture $ARCH, do:

git clone git://git.monkeysphere.info/monkeysphere
cd monkeysphere
git tag -v "$TAG"
git checkout "$TAG"
debuild -uc -us
cd repo
reprepro -C monkeysphere include experimental "../$TAG_$ARCH.changes"

When you get a binary package built from a separate architecture $NEWARCH that you want to include with the archive, do:

cd repo
reprepro -C monkeysphere includedeb experimental "../$TAG_$NEWARCH.deb"

To publish the archive, make sure you have access to archivemaster@george.riseup.net, and then do:

cd repo
./publish