root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --full-generate-key
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Ray Burgemeestre
Email address: ray@cppse.nl
Comment:
You selected this USER-ID:
    "Ray Burgemeestre <ray@cppse.nl>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 234F14AB5CE16B7B marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/D16D83CA3E4397DEB2462A3B234F14AB5CE16B7B.rev'
public and secret key created and signed.

pub   rsa4096 2019-12-27 [SC]
      D16D83CA3E4397DEB2462A3B234F14AB5CE16B7B
uid                      Ray Burgemeestre <ray@cppse.nl>
sub   rsa4096 2019-12-27 [E]

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher#

--- had to invoke this to get the key ids again: --

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --keyid-format SHORT -k
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096/5CE16B7B 2019-12-27 [SC]
      D16D83CA3E4397DEB2462A3B234F14AB5CE16B7B
uid         [ultimate] Ray Burgemeestre <ray@cppse.nl>
sub   rsa4096/43C5B68C 2019-12-27 [E]

--- mapping from blog post ---
theirs 10E6133F is ours: 5CE16B7B
theirs 7B34E07C is ours: 43C5B68C
---

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --edit-key 5CE16B7B
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/234F14AB5CE16B7B
     created: 2019-12-27  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DD5B61D243C5B68C
     created: 2019-12-27  expires: never       usage: E
[ultimate] (1). Ray Burgemeestre <ray@cppse.nl>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/234F14AB5CE16B7B
     created: 2019-12-27  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/DD5B61D243C5B68C
     created: 2019-12-27  expires: never       usage: E
ssb  rsa4096/C91687F126512AB8
     created: 2019-12-27  expires: never       usage: S
[ultimate] (1). Ray Burgemeestre <ray@cppse.nl>

gpg> save

--- get ID again:

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --keyid-format SHORT -k
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096/5CE16B7B 2019-12-27 [SC]
      D16D83CA3E4397DEB2462A3B234F14AB5CE16B7B
uid         [ultimate] Ray Burgemeestre <ray@cppse.nl>
sub   rsa4096/43C5B68C 2019-12-27 [E]
sub   rsa4096/26512AB8 2019-12-27 [S]

---
theirs 10E6133F is ours: 5CE16B7B
theirs 7B34E07C is ours: 43C5B68C
theirs A72DB3EF is ours: 26512AB8
---

mkdir keys
gpg --export-secret-key 5CE16B7B > keys/private.key
gpg --export 5CE16B7B >> keys/private.key
gpg --export 5CE16B7B > keys/public.key
gpg --export-secret-subkeys 26512AB8 > keys/signing.key

-- ignored:
#back up the private.key file before running this#
rm private.key

# not ignored:
gpg --delete-secret-key 5CE16B7B

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --delete-secret-key 5CE16B7B
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  rsa4096/234F14AB5CE16B7B 2019-12-27 Ray Burgemeestre <ray@cppse.nl>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --import keys/public.key keys/signing.key
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg: key 234F14AB5CE16B7B: "Ray Burgemeestre <ray@cppse.nl>" not changed
gpg: key 234F14AB5CE16B7B: "Ray Burgemeestre <ray@cppse.nl>" not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 234F14AB5CE16B7B: secret key imported
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

root@209899561fe9:/home/trigen/projects/build-config/apt-publisher# gpg --keyid-format SHORT -k
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096/5CE16B7B 2019-12-27 [SC]
      D16D83CA3E4397DEB2462A3B234F14AB5CE16B7B
uid         [ultimate] Ray Burgemeestre <ray@cppse.nl>
sub   rsa4096/43C5B68C 2019-12-27 [E]
sub   rsa4096/26512AB8 2019-12-27 [S]

# ignored:
rm public.key signing.key

gpg --keyserver keyserver.ubuntu.com --send-key 5CE16B7B

# ok done :-)

--- moment of truth:

root@b1e2708c4531:/home/trigen/projects/build-config/apt-publisher# reprepro -b /repo includedeb bionic packages/*.deb
Exporting indices...

; reprepro -b /repo list bionic
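
Added check, not part of the original notes: the public listing (-k) above cannot show whether the primary secret key is really gone from this host after the delete and re-import. The function below reads `gpg --list-secret-keys --with-colons` output and confirms that the primary key is only a stub while a signing subkey is still usable. The two sample listings are constructed from the key IDs in this log; the function name and the single-key keyring are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes).
# Input: `gpg --list-secret-keys --with-colons` on stdin.
# Colon format: field 5 = key ID, field 12 = capabilities,
# field 15 = "#" when the secret part is only a stub (material absent).
# Assumes a keyring holding a single key, as in the log above.
check_offline_primary() {
    awk -F: '
        $1 == "sec" { primary = $5; stub = ($15 == "#") }
        $1 == "ssb" && $12 ~ /s/ && $15 != "#" { signer = $5 }
        END {
            if (primary == "") { print "no secret key listed"; exit 2 }
            if (!stub) { print "FAIL: primary " primary " secret still on this host"; exit 1 }
            if (signer == "") { print "FAIL: no usable signing subkey"; exit 1 }
            print "OK: primary " primary " offline, signing subkey " signer
        }'
}

# Constructed listing: state expected after --delete-secret-key and
# --import keys/public.key keys/signing.key (primary is a stub).
sample_after_import() {
    cat <<'EOF'
sec:u:4096:1:234F14AB5CE16B7B:1577404800:::u:::scESC:::#:::23::0:
ssb:u:4096:1:DD5B61D243C5B68C:1577404800::::::e:::+:::23:
ssb:u:4096:1:C91687F126512AB8:1577404800::::::s:::+:::23:
EOF
}

# Constructed listing: state before the delete (primary secret present).
sample_before_delete() {
    cat <<'EOF'
sec:u:4096:1:234F14AB5CE16B7B:1577404800:::u:::scESC:::+:::23::0:
ssb:u:4096:1:DD5B61D243C5B68C:1577404800::::::e:::+:::23:
ssb:u:4096:1:C91687F126512AB8:1577404800::::::s:::+:::23:
EOF
}

# On the signing host the real call would be:
#   gpg --list-secret-keys --with-colons 5CE16B7B | check_offline_primary
sample_after_import | check_offline_primary
```

A non-zero exit status makes this usable as a gate in the publishing script before reprepro signs anything.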