Aptly currently supports only GnuPG 1.x for server-side use.
On newer Debian systems you’ll want to make sure that the gpgv1 packages are installed.
Please note that GnuPG 1 and 2 maintain different keyrings; for keys to be available to Aptly, they need to be in the GnuPG 1 keyring.
Since version 1.1.0, Aptly supports pluggable validation/signing providers.
gpg provider calls the actual gpg binary as a subprocess.
internal provider relies on a Go native OpenPGP implementation.
With any PGP provider, aptly uses the same keyrings for both signing and signature validation, so providers can be easily switched. Signing/validation options apply the same way for both providers.
Comparison of the gpg provider and the internal OpenPGP implementation:
internal implementation doesn’t require gpg to be installed (but gpg is still required to manage keyrings)
internal implementation has better handling for batch operations (passing passphrase using command-line arguments)
gpg provides additional measures to lock sensitive information in memory
gpg has more features, support for external authentication methods and so on
internal implementation opens the keyring only once, so it asks for the passphrase once per aptly run, not every time a file is signed (which is the case for gpg)
gpg implementation might have issues with GnuPG 2.1 (it works fine with 1.x versions)
internal implementation only supports the “classic” format of keyrings
The PGP provider can be configured via the flag -gpg-provider=[gpg|internal] or via the gpgProvider configuration setting.
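
A pre-flight check for the constraints above, as an added example that is not part of aptly or its documentation: it reads gpgProvider from a config file, checks that the GnuPG home holds a classic keyring rather than only a GnuPG 2.1 keybox, and checks the gpg major version. The function names, the sample paths and the keyring file names pubring.gpg and pubring.kbx (GnuPG's own defaults, not stated on this page) are assumptions.

```shell
#!/bin/sh
# Added example (not aptly code): pre-flight checks for the PGP provider choice.

# Print the gpgProvider value from an aptly config file, or "unset" if absent.
provider_from_config() {
    v=$(sed -n 's/.*"gpgProvider"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    echo "${v:-unset}"
}

# Classify a GnuPG home directory by the public keyring file it contains:
# classic (pubring.gpg), keybox (only pubring.kbx, the GnuPG 2.1 format) or none.
keyring_format() {
    if [ -f "$1/pubring.gpg" ]; then echo classic
    elif [ -f "$1/pubring.kbx" ]; then echo keybox
    else echo none
    fi
}

# Major version from the first line of `gpg --version`,
# e.g. "gpg (GnuPG) 1.4.23" -> 1. Prints nothing if the line does not match.
gpg_major() {
    echo "$1" | sed -n '1s/^gpg (GnuPG) \([0-9][0-9]*\)\..*/\1/p'
}

# preflight PROVIDER GNUPG_HOME GPG_VERSION_LINE
# Prints one line per problem found; returns 0 when nothing was flagged.
preflight() {
    rc=0
    fmt=$(keyring_format "$2")
    if [ "$fmt" != classic ]; then
        echo "keyring in $2 is '$fmt'; keys must be in the GnuPG 1 (classic) keyring"
        rc=1
    fi
    # Only the gpg provider shells out to the gpg binary, so only it cares about the version.
    if [ "$1" = gpg ] && [ "$(gpg_major "$3")" != 1 ]; then
        echo "gpg provider works fine with GnuPG 1.x, found: ${3:-no gpg binary}"
        rc=1
    fi
    return $rc
}

# Typical call (paths are assumptions about the local setup):
#   preflight "$(provider_from_config ~/.aptly.conf)" ~/.gnupg \
#             "$(gpg --version 2>/dev/null | head -n 1)"
```
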