Quick Version
I have set up a private deb repository and copied some signed deb packages into it. I have installed the signing key locally. However, when I try to install from the repo I get this warning:

    WARNING: The following packages cannot be authenticated!

When installing manually, I can just press y but I want to install these packages automatically using puppet, and that fails.
So what's the problem? Do I need to re-sign packages with a key I control? Is there a better way of ensuring I have a particular version of puppet installed?
More Details
I have got the packages from the puppet Debian repository, http://apt.puppetlabs.com/. I just copy the package from (for lucid) this directory.
The repository is then updated with a script that runs these commands for each repo:

    cd /var/www/html/apt/ubuntu/lucid
    dpkg-scanpackages binary /dev/null | gzip -9c > binary/Packages.gz
    dpkg-scansources sources /dev/null | gzip -9c > sources/Sources.gz

I have installed the signing key on the client.

    $ sudo apt-key list
    /etc/apt/trusted.gpg
    --------------------
    ...
    pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
    uid Puppet Labs Release Key (Puppet Labs Release Key) <[email protected]>
    ...

The rationale for doing this is that I want all puppet clients to be the same version. So all machines should get the packages from my repository by using the following pin in /etc/apt/preferences.d/puppet:

    Package: puppet puppet-common facter
    Pin: origin deb.example.org
    Pin-Priority: 1001

(We are currently using puppet 2.6.x, so I need a priority of 1001 to downgrade precise clients from 2.7.x).
I have read about holding packages but that doesn't help me change package versions.
All suggestions welcome.
Are you sure the packages are signed? I'm not sure, but I guess there should be appropriate signature files. We are signing our whole repositories, so there is only one signature for the whole tree, and we let reprepro do this for us.
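
An added example, not code from either poster: apt authenticates a repository through a signed Release file (Release.gpg or InRelease) that lists the hashes of the index files, not through signatures inside the individual .deb files, so a directory holding only Packages.gz is reported as unauthenticated. The sketch below audits a repository directory for that chain. The function names `parse_release_sha256` and `audit_repo` are hypothetical, the sample data is constructed, and the check only confirms that a signature file is present; validating it against a trusted key is left to apt or gpgv.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_release_sha256(text):
    """Map each file in a Release file's SHA256: section to (hex digest, size)."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):  # a new top-level field begins
            in_section = line.strip() == "SHA256:"
            continue
        m = re.fullmatch(r"\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)", line)
        if in_section and m:
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries

def audit_repo(index_dir):
    """Return the reasons apt would treat the indexes in index_dir as unauthenticated."""
    root = Path(index_dir)
    release, inrelease = root / "Release", root / "InRelease"
    if not release.is_file() and not inrelease.is_file():
        return ["no Release or InRelease file, so there is nothing for apt to verify"]
    problems = []
    if not inrelease.is_file() and not (root / "Release.gpg").is_file():
        problems.append("Release has no signature (Release.gpg or InRelease)")
    source = inrelease if inrelease.is_file() else release
    checked = 0
    for name, (digest, size) in sorted(parse_release_sha256(source.read_text()).items()):
        path = root / name
        if not path.is_file():
            continue  # Release may list variants that are not published
        checked += 1
        data = path.read_bytes()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: size or SHA256 differs from Release")
    if checked == 0:
        problems.append("Release covers none of the index files present")
    return problems

if __name__ == "__main__":
    # Constructed sample: a repo holding only Packages.gz, as dpkg-scanpackages leaves it.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Packages.gz").write_bytes(b"constructed placeholder index")
        print(audit_repo(tmp))
```

An empty list means the directory has a Release file, a signature file beside it, and index files whose hashes match.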