Since we introduced PPAs, we’ve had a number of requests for signed packages in archives. Up until now, when installing a package from a PPA, Ubuntu has warned that it is unsigned.
So, if you want to sign packages in a PPA, what do you sign them with? We dismissed two of the most obvious ideas:
- signing with the author’s own key, as that’d mean either Launchpad storing their private key or doing away with the build part of PPAs and asking authors to upload binaries
- signing with one key for all PPAs, which is a bit meaningless.
Instead, starting this week we’re generating a unique key for each archive and then signing each build made from the time of the key’s creation. As someone downloading from a PPA, you can easily check the fingerprint on its overview page in Launchpad to ensure you’re getting what you expect.
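As an added example (not Launchpad's own code), the following POSIX shell script shows the check described above from the downloader's side: extract the fingerprint of an archive signing key from `gpg --with-colons --fingerprint` output and compare it with the fingerprint copied from the PPA's overview page. The key id, fingerprint and uid in the embedded sample are constructed for this example; the `check_keyring` function is the real-world entry point and assumes `gpg` is installed and the keyring file holds only that PPA's key.

```shell
#!/bin/sh
# Added example: verify that a locally held PPA signing key has the fingerprint
# shown on the PPA's overview page before trusting packages from that archive.

# Constructed sample of what `gpg --with-colons --fingerprint` prints for one key.
# The tenth field of the 'fpr' record is the full 40-hex-digit fingerprint.
# Key id, fingerprint and uid below are made up for this example.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1700000000::-:::scSC::::::23::0:
fpr:::::::::ABCD1234ABCD1234ABCD12340123456789ABCDEF:
uid:-::::1700000000::0000000000000000000000000000000000000000::Launchpad PPA for example (constructed):::::::::0:'

# Read colon-format gpg output on stdin and print the first fingerprint found.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint for comparison: drop the spaces the overview page
# uses to group digits, and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeed only when the expected fingerprint is well formed (40 hex digits)
# and the actual one is identical to it.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    [ ${#expected} -eq 40 ] || return 1
    case "$expected" in *[!0-9A-F]*) return 1 ;; esac
    [ "$expected" = "$actual" ]
}

# Real-world use: compare the key in a keyring file (path must contain a slash,
# e.g. ./ppa-key.gpg, or gpg looks for it in its home directory) with the
# fingerprint copied from the PPA overview page. Needs gpg; not run below.
check_keyring() {
    keyring=$1
    expected=$2
    actual=$(gpg --no-default-keyring --keyring "$keyring" \
                 --with-colons --fingerprint 2>/dev/null | fpr_from_colons)
    if fingerprint_matches "$expected" "$actual"; then
        echo "OK: $keyring carries fingerprint $expected"
    else
        echo "MISMATCH: expected $expected, keyring has ${actual:-no key}" >&2
        return 1
    fi
}

# Demonstration on the constructed sample (no gpg needed).
sample_fpr=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
if fingerprint_matches "ABCD 1234 ABCD 1234 ABCD 1234 0123 4567 89AB CDEF" "$sample_fpr"; then
    echo "sample fingerprint matches the overview-page value"
fi
```

The comparison is deliberately strict: a short key id or a truncated fingerprint is rejected rather than partially matched, since only the full fingerprint identifies the key the PPA overview page lists.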
It’ll take a while to generate all the keys; check your PPA overview page to see if your key is ready yet. In the meantime, some PPAs will have keys and others will continue to generate warnings about unsigned packages.
We’ll post more details in the new year.