How to Properly Sign Modified Debian Packages Using Your Own GPG Key



When you modify and rebuild Debian packages, you'll encounter GPG signing issues like this output shows:

gpg: skipped "Faidon Liambotis ": secret key not available
gpg: [stdin]: clearsign failed: secret key not available
dpkg-buildpackage: warning: Failed to sign .dsc and .changes file

While not strictly required for local installation, signing packages provides:

  • Verification of package authenticity
  • Tamper-proofing for distribution
  • Compatibility with secure APT repositories

First, ensure you have a GPG key pair:

gpg --full-generate-key
# Select RSA (1) and 4096 bits
# Set expiration (0 for no expiration)
# Enter your details

Then configure the build tools to use your key:

# DEBSIGN_KEYID is read by debuild/debsign (devscripts):
echo "DEBSIGN_KEYID=your_key_id" >> ~/.devscripts
# Or pass the key directly to dpkg-buildpackage for a single build:
dpkg-buildpackage -kyour_key_id

Here's the full workflow with proper signing:

apt-get source nginx
cd nginx-0.7.67
# Make your modifications to debian/rules
debuild -kyour_key_id -S   # Source package: signs the .dsc and .changes
debuild -kyour_key_id -b   # Binary package: signs the .changes
# Note: adding -us -uc would skip signing the source and changes files entirely

If you get "secret key not available" errors:

# List your available keys:
gpg --list-secret-keys

# If the key lives on another machine, export it there ...
gpg --export-secret-keys your_key_id > private.key
# ... import it on the build machine, then delete private.key from disk:
gpg --import private.key

For version number warnings, add a new debian/changelog entry with dch -i (set DEBFULLNAME and DEBEMAIL first so the entry carries your identity, which is also the identity dpkg-buildpackage signs with when no -k is given) and give it a version like:
nginx (0.7.67-3~bpo50+1+custom1)

For frequent rebuilding, create a build script:

#!/bin/bash
set -e
# DEBSIGN_KEYID is read by debuild/debsign; dpkg-buildpackage reads
# DEB_SIGN_KEYID (dpkg 1.18.8+) or the -k option, so set both
export DEBSIGN_KEYID=your_key_id
export DEB_SIGN_KEYID="$DEBSIGN_KEYID"
apt-get source "$1"
cd "$(ls -d */ | head -n 1)"       # assumes an otherwise empty working directory
dch -l "+custom" "Custom build"    # uses DEBFULLNAME/DEBEMAIL for the changelog identity
dpkg-buildpackage -rfakeroot -b -k"$DEBSIGN_KEYID"   # -us -uc here would disable signing

When modifying and rebuilding Debian packages, you'll encounter signing requirements. The key error occurs because dpkg-buildpackage, when given no key, signs with the key matching the identity in the latest debian/changelog entry, i.e. the original maintainer's (Faidon Liambotis in your case), rather than your own GPG key.

First, ensure you have a proper GPG key setup:

# Generate a new GPG key if needed
gpg --full-generate-key
# Select RSA (1), 4096 bits, and set appropriate expiration
# List your available keys
gpg --list-secret-keys --keyid-format LONG

Modify your build environment to use your key:

# Set your key ID in ~/.devscripts (read by debuild/debsign)
echo "DEBSIGN_KEYID=YOUR_KEY_ID" >> ~/.devscripts
# Alternative command-line approach for dpkg-buildpackage itself
dpkg-buildpackage -kYOUR_KEY_ID

For your specific nginx case:

# Clean previous build artifacts (clean targets usually need fakeroot)
fakeroot debian/rules clean
# Build with explicit key specification
dpkg-buildpackage -kYOUR_KEY_ID --build=binary

The warning about version numbering suggests your build is using an older version string than what exists in the repository. Consider updating the version in debian/changelog:

dch -i
# In the editor, change the version to something like 0.7.67-3~bpo50+1+custom1

For frequent rebuilders, set a default signing key (and any extra keyring) in ~/.gnupg/gpg.conf so that tools calling gpg without an explicit key use it:

default-key YOUR_PRIMARY_KEY
keyring /path/to/additional/keys.gpg

If you still encounter problems:

  • Verify the GPG agent is running: gpg-connect-agent /bye
  • Check the key's trust level: gpg --edit-key YOUR_KEY_ID, then trust
  • Ensure your private key is actually in the keyring (secring.gpg on GnuPG 1.x; ~/.gnupg/private-keys-v1.d/ on GnuPG 2.1 and later): gpg --list-secret-keys
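The build scripts above stop at producing a signed .changes file; what a practitioner also wants is a check that the signature really was made by the key they intended, not by whatever key gpg happened to pick from the changelog identity. The following script is an added example, not code from the original page or from the Debian tools: it resolves the fingerprint of your key, signs a binary build with it, and then verifies the resulting .changes file against that fingerprint using gpg's machine-readable status output. It assumes dpkg 1.18.8 or later (for DEB_SIGN_KEYID), that gpg, awk, dpkg-parsechangelog and dpkg-architecture are installed, and that it is run from inside the unpacked source tree; the function names are my own.

```shell
#!/bin/sh
# Added example: sign a rebuilt Debian package with a chosen key and verify
# the .changes signature against that key's fingerprint. Not the page's own
# script. Assumes dpkg >= 1.18.8, gpg, awk, dpkg-parsechangelog, dpkg-architecture.
set -eu

# Primary-key fingerprint from "gpg --with-colons" output on stdin
# (the first "fpr" record belongs to the primary key).
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Primary-key fingerprint of a valid signature from
# "gpg --status-fd 1 --verify" output on stdin. For OpenPGP signatures the
# VALIDSIG line ends with the primary key fingerprint, even when a signing
# subkey made the signature. Prints nothing if no VALIDSIG line is present.
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 if the signature on file $1 verifies and was made by the key
# whose primary fingerprint is $2, 1 otherwise.
signed_by() {
    changes="$1"; expected="$2"
    actual="$(gpg --status-fd 1 --verify "$changes" 2>/dev/null | validsig_fingerprint)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Build a binary package in the current source tree, signed with key $1
# (key id, fingerprint or e-mail), then verify the .changes file.
build_and_verify() {
    keyid="$1"
    expected="$(gpg --with-colons --list-secret-keys "$keyid" | fingerprint_from_colons)"
    [ -n "$expected" ] || { echo "no secret key found for $keyid" >&2; return 1; }

    # dpkg-buildpackage reads DEB_SIGN_KEYID; debuild/debsign read DEBSIGN_KEYID.
    # Passing -k as well makes the choice explicit regardless of tool version.
    export DEB_SIGN_KEYID="$expected" DEBSIGN_KEYID="$expected"
    dpkg-buildpackage -b -k"$expected"

    # Locate the .changes file from the changelog rather than guessing by mtime.
    src="$(dpkg-parsechangelog -S Source)"
    ver="$(dpkg-parsechangelog -S Version | sed 's/^[0-9]*://')"   # filenames drop the epoch
    arch="$(dpkg-architecture -qDEB_HOST_ARCH)"
    changes="../${src}_${ver}_${arch}.changes"

    if signed_by "$changes" "$expected"; then
        echo "OK: $changes is signed by $expected"
    else
        echo "FAIL: $changes is not signed by $expected" >&2
        return 1
    fi
}

# Usage: sh sign-and-verify.sh KEYID   (run inside the unpacked source directory)
if [ "$#" -gt 0 ]; then
    build_and_verify "$1"
fi
```

Comparing against the full fingerprint, rather than trusting the "Good signature" text, is the same check a repository operator would do before accepting an upload: GOODSIG alone only says some key in your keyring matched, while VALIDSIG tells you which one. If you rebuild often, generate a dedicated key for the build machine and pass its id to this script instead of reusing your personal key.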