Add a Release file to package and sign

[tobyweston]

See #83 (and #70 whilst you're there)

[tobyweston]

See sbt/sbt-native-packager#1129 for a summary of if the sbt native packager could help. Unfortunately not 😢 but thanks to @muuki88 for the packager and stay awesome! 👍

[tobyweston]

See:

• man page https://manpages.debian.org/stretch/apt/apt-secure.8.en.html
• repository format https://wiki.debian.org/DebianRepository/Format#A.22Release.22_files

Possible steps:

1. create the archive
2. sign it
3. publish key (using debian-archive-keyring?)

# create release file
apt-ftparchive release

# sign it
gpg --clearsign -o InRelease Release 
gpg -abs -o Release.gpg Release

# publish it
???

Links:

• Random (maybe old) mailing list archive https://lists.debian.org/debian-mentors/2006/04/msg00294.html
• How to generate the Release file on a local package repository? on SO
• Good Medium article

[tobyweston]

Using aptly, I've managed to create the following repo structure. It's very different than the hand rolled version but switching the sources.list on a Pi with TM already installed, seems to work fine.

├── dists
    │   └── stable                          <- distribution
    │       ├── Contents-armhf.gz
    │       ├── InRelease
    │       ├── Release
    │       ├── Release.gpg
    │       └── temperature-machine         <- component (defaults to main)
    │           ├── Contents-armhf.gz       
    │           └── binary-armhf            <- architecture
    │               ├── Packages
    │               ├── Packages.bz2
    │               ├── Packages.gz
    │               └── Release
    └── pool
        └── temperature-machine
            └── t
                └── temperature-machine
                    ├── temperature-machine_2.1_all.deb
                    └── temperature-machine_2.2_all.deb

aptly would replace the existing dpkg-scanpackages mechanism and signs everything as well as create additional files like the InRelease file.

User's would have to change the entry in sources.list to the following.

deb http://robotooling.com/debian/ stable temperature-machine

and manually import my key (which on the Pi, requires sudo)

sudo apt-key adv --keyserver pool.sks-keyservers.net --recv-keys 00258F48226612AE

Still a few more things to figure out and to write up but I think this is the way I'll go.