Verifying the key

The Monkeysphere apt repository is signed by this key, so you can verify that the packages come from the right place and have not been tampered with.

This key is certified by several of the Monkeysphere developers, and should be able to be found from the public keyservers with:

$ gpg --recv-key 0x2E8DD26C53F1197DDF403E6118E667F1EB8AF314
gpg: requesting key 0x18E667F1EB8AF314 from hkp server pool.sks-keyservers.net
gpg: key 0x18E667F1EB8AF314: public key "Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$

You should be able to verify the fingerprint like this:

$ gpg --list-key --fingerprint http://archive.monkeysphere.info/debian
pub   4096R/0x18E667F1EB8AF314 2008-09-02 [expires: 2013-03-04]
      Key fingerprint = 2E8D D26C 53F1 197D DF40  3E61 18E6 67F1 EB8A F314
uid       [  full  ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)
$ 

And you can also verify the fingerprints with:

$ gpg --list-sigs http://archive.monkeysphere.info/debian

If you believe that the repository has been tampered with, please let us know!

If you have properly verified this key, you can add it to your apt keyring for proper cryptographic verification of the archive and its packages by doing the following:

 $ gpg -a --export 0x2E8DD26C53F1197DDF403E6118E667F1EB8AF314 | sudo apt-key add -
 OK
 $ aptitude update
 ...

The key itself

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBEi9Ws0BEADUROJtI2VsWGI6jklofbCDw6webGi0nJTnKYSSxDE5XSWu6GtK
PG4RiX/YGtL+kD8+z/pVAbjqdLNypqiK5VkTZp3cE+4Yv2jxySQJz/UMNZ2wO3U+
9NAK2rJG3p0HhiTzAurJ2KqNstcMcPmqEDtP+J2tUHoIXttGiwFpss4R2hSBMlg+
nNFc53FlTadF2z3LNNCozPf7wRST2Zqkeem84+Vo2X3zy7pGpSf9S/XEPW/ve0fs
daADK9I6fZiqtrsb3/M3E3rESsD2YA+/25QA+XVJgtenTlaYEMkI0ARpd44oBHp7
Oj0RbRZ0Wz6OYDiJl6D2YJ1nFRHhbx+tnCJvuqUUkv3HYD85mGWIow7ElX5fc4iT
RdYUE3ebImES0gsaasNl3JUjuImNbrqqjQsAaN7JV77TqR8GGRLcalZkvIgY5b4a
hRYY16rvUaqZ4aYpiZftvE0X07W+siYqGfCynOn0+iX80pKid8gATjrwGdQ6TBr7
+yrBkmFTJFCCi5TS8gaJPdMJzYs7C3ou9XOWJLuwmnwn9edaCSTJ1Vgq+8eKjDj8
NxER5vjtXdAJqCJm7d4eNgHYXTNqRPznJRsutVfkFwEIzGXvvhnnDC1PdnhBjBVI
1+TbdSz9qKq3VaCxr6HNk9CBF2S0El3YMRmy0Zlf6/AOo9XiW3fp3LL6AwARAQAB
tEpNb25rZXlzcGhlcmUgQXJjaGl2ZSBTaWduaW5nIEtleSAoaHR0cDovL2FyY2hp
dmUubW9ua2V5c3BoZXJlLmluZm8vZGViaWFuKYkCUwQTAQoAPQIbAwYLCQgHAwIE
FQIIAwQWAgMBAh4BAheAFiEELo3SbFPxGX3fQD5hGOZn8euK8xQFAlpSpwkFCRVX
szwACgkQGOZn8euK8xQ9hw//YYyGvss7CafrYRKvIptCHu4zAl38Fx8D8mSoAZaK
zwLe7KAj1kfRDUap4eajriC7joR6jj80FZODTF0bii83x+/JeCGCzjrPN0Cuuxz6
1rSSa7Be76x+S9oyhnoAEgvglrUV6rXqdXKYpn6aKeHOtx8e9QM0arXy+PWjpQGu
cKD5OGU7JhQamOu2nJvSfmI+Jd0jBUyxUu5br4v9tEipUYW7YUMY1tIug1ee7UC+
wRm8eDSde0dNvn9mIz9C87kTSnOzbo0K6/PljTd4QJtIhe8QMGtcZJISCMsfclRu
LrExHrr7pe62RT9VVBnNMZZQo+cCzwFQOqD17DqKg9Kcf0RqBUduGlhkTIBHioXy
ON9pK6eZSqx6jwlpY0pXJevOJ/t94Pk6p38w5JfrkbA1DhBYAemTE6fuaMLFr2Ne
qngvFbxHxeDOVzRjXdFTjfvhLoLFU+fsTU51wH2oTyyL9cVI7sBrYe3n+dn4rJ4I
VhDQVg6TBOYBrlgE+aglvD6Ycr4G/fRv+1P/XslJ1km4LNDJoNAIDl0LTfcBTJBF
EGUcVtuXOLRxxTr/7Dp93GuCzZCjlYO12lVZ7RJn+omdQdi+VIj2Xe2eoWwOd8VO
t/rCR4pERYUYL0mT7MeZdiyjAtnBtf9FQaqetnphFDoPPMG9K1az6rgZtY9czG8H
Uf8=
=sGd5
-----END PGP PUBLIC KEY BLOCK-----

Management of the key

The archive signing key is currently under the control of Daniel Kahn Gillmor, though the task of being the archive maintainer may be taken over by a different developer in the future.

In the event of a new archive maintainer, the entire archive will be rebuilt from signed tags in the monkeysphere git repository, rather than trying to re-verify the entire old archive.

Maintaining the archive

To create a new archive including a single monkeysphere package from tag $TAG on architecture $ARCH, do:

git clone git://git.monkeysphere.info/monkeysphere
cd monkeysphere
git tag -v "$TAG"
git checkout "$TAG"
debuild -uc -us
cd repo
reprepro -C monkeysphere include experimental "../$TAG_$ARCH.changes"

When you get a binary package built from a separate architecture $NEWARCH that you want to include with the archive, do:

cd repo
reprepro -C monkeysphere includedeb experimental "../$TAG_$NEWARCH.deb"

To publish the archive, make sure you have access to archivemaster@george.riseup.net, and then do:

cd repo
./publish