SHA1 keys are no longer recommended so I went through the process of generating a new set of keys for use on the apt server. Here's how I did it (followed this).
- apt install gpgv2 package. Xenial installs v1 by default. Not sure if v2 is required, strictly-speaking.
- Generating keys requires a quantity of entropy which can be hard to generate on a CLI system. I apt installed the pkgs rng-tools and haveged, then ran 'sudo rngd -r /dev/urandom -W 4096' which generates enough entropy for a build. You can check the available entropy by running '
- Create key with 'sudo gpg2 --full-gen-key'. Answer questions. No need to add a comment. Do set an unlock password, though.
- Result is a barf of info including a line like 'gpg: key 3GD4831G marked as ultimately trusted'. You'll ref 3GD4831G in reprepro on the SignWith line.
- Export an armoured public key with 'sudo gpg2 --armor --output my_public_key.asc --export 3GD4831G'. Note that the command is gpg2 and that the key has an 'asc' suffix. I have reason to believe that armoured keys that do not use either a gpg or asc suffix will eventually be ignored on import.
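
Since the reason for the new key is to get away from SHA1, it is worth confirming before publishing it that the key is long enough and that its self-signatures use a SHA-2 digest. The script below is an added example, not part of the original post: it audits the colon-separated listing from gpg2, with field positions taken from GnuPG's doc/DETAILS file. The helper names, the key ID and the sample listing are constructed for illustration, and it assumes a gpg2 build that fills in the hash-algorithm field on sig records.

```bash
#!/usr/bin/env bash
# Added example. Audits the output of
#   sudo gpg2 --with-colons --list-sigs <KEYID>
# read from stdin. Field positions per GnuPG doc/DETAILS:
#   pub: 3 = key length, 4 = public-key algorithm, 5 = key ID
#   sig: 5 = signer key ID, 11 = signature class, 16 = hash algorithm
# Hash ids (RFC 4880): 2 = SHA-1, 8/9/10/11 = SHA-256/384/512/224.

# audit_key_colons [MIN_BITS]  (hypothetical helper; returns 1 on any finding)
audit_key_colons() {
  awk -F: -v min_bits="${1:-2048}" '
    BEGIN { ok[8] = ok[9] = ok[10] = ok[11] = 1 }   # SHA-2 family only
    $1 == "pub" {
      keyid = $5
      # Length check applies to RSA (1) and DSA (17); ECC sizes are not comparable.
      if (($4 == 1 || $4 == 17) && $3 + 0 < min_bits + 0) {
        printf "WEAK key %s: %d bits, want >= %d\n", keyid, $3, min_bits
        bad = 1
      }
    }
    # Only self-signatures: third-party certifications are not under our control.
    $1 == "sig" && keyid != "" && $5 == keyid {
      seen++
      if ($16 == "") {
        printf "UNKNOWN digest on self-signature class %s\n", $11; bad = 1
      } else if (!($16 in ok)) {
        printf "WEAK digest id %s on self-signature class %s\n", $16, $11; bad = 1
      }
    }
    END {
      if (!seen) { print "no self-signatures in input"; bad = 1 }
      exit bad + 0
    }
  '
}

# Constructed sample (not real gpg output from the post): a 2048-bit RSA key
# whose user-ID self-signature (class 13x) still uses SHA-1.
sample_sha1_key() {
  cat <<'EOF'
pub:u:2048:1:0123456789ABCDEF:1500000000:::u:::scESC:
uid:u::::1500000000::::Apt Repo <repo@example.invalid>:
sig:::1:0123456789ABCDEF:1500000000::::Apt Repo <repo@example.invalid>:13x:::::2:
EOF
}

sample_sha1_key | audit_key_colons 4096 || echo "audit: findings above"
```

Against a real key, pipe 'sudo gpg2 --with-colons --list-sigs' followed by the key ID into audit_key_colons; a zero exit status means no finding.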