Supporting multiple keys for signing repositories

[lazyfrosch]

With the plan of transition keys with a repository I wondered if we can support this in aptly.

Detailed Description

Debian signs its repositories with multiple keys, using multiple generations of keys over each release.

It might be wise to support this in aptly. Mainly for changing keys without breaking users right away.

Sources:

• Multiple signatures with GnuPG
• Unfortunatly no documenation on this in RepositoryFormat of Debian

Context

• Security and GPG Key Exchange
• Best usability for users without forcing a hard change

Possible Implementation

While configuration would be easy (just setting multiple key IDs), it might be tricky to do with gnupg2.

I haven't done much testing yet, but had a look on the Debian repositories.

[RadxaYuntian]

Unfortunately this is still a problem. We "naively" used the default 2-year lifetime for our signing key, instead of Debian's 8-year or Proxmox's 10-year, and now we are facing keyring migration issue.

Right now, we have to manually sign the Release file by passing -skip-signing to aptly publish repo, then run following commands:

GPG_PARAMETERS=(
	"--yes"
	"--armor"
	"-u" "72AF2B5F7B24A8FFE4F41AC4E572249A33EB9743"
	"-u" "EF181314AFE1834694A34CC65D93177D0752732A"
)

for i in "$HOME"/.aptly/public/*/dists/*/Release
do
	DISTRO_PATH="$(dirname "$i")"
	gpg "${GPG_PARAMETERS[@]}" --clear-sign -o "$DISTRO_PATH/InRelease" "$i"
	gpg "${GPG_PARAMETERS[@]}" --detach-sign -o "$DISTRO_PATH/Release.gpg" "$i"
done