docs: document the proper (GPG-verified, deb822) apt setup
tests / core (pull_request) Successful in 13s
tests / gui-smoke (pull_request) Successful in 27s

Replace the trusted=yes apt instructions with the proper method: read:package
token, registry signing key dearmored into /etc/apt/keyrings, credentials in
auth.conf.d, and a modern deb822 .sources file with Signed-By + Architectures:
all. Keeps the trusted=yes one-liner as a noted fallback for unsigned registries.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-22 15:44:41 +02:00
parent ee73049248
commit 21cc6a4813
+26 -9
View File
@@ -41,22 +41,39 @@ apt pulls the GUI dependencies (PySide6, pyte) automatically:
sudo apt install ./rigdoctor_*_all.deb # CLI only: add --no-install-recommends
```
**Or add the apt repository** for `apt install` + automatic updates:
**Or add the apt repository** for `apt install` + automatic updates. The registry is private and
GPG-signed, so you need a Gitea token with **`read:package`**, the signing key, and the deb822
source (`read -rsp` keeps the token out of your shell history):
```bash
# the registry is private, so give apt a token (a Gitea PAT with read:package)
echo "machine git.jesseyvanofferen.com login <user> password <token>" \
| sudo tee /etc/apt/auth.conf.d/rigdoctor.conf
sudo chmod 600 /etc/apt/auth.conf.d/rigdoctor.conf
read -rsp 'Gitea read:package token: ' TOKEN; echo
echo "deb [trusted=yes] https://git.jesseyvanofferen.com/api/packages/jessey/debian stable main" \
| sudo tee /etc/apt/sources.list.d/rigdoctor.list
# signing key → dearmored into the keyring (the key endpoint requires the token too)
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL --user <user>:"$TOKEN" \
https://git.jesseyvanofferen.com/api/packages/jessey/debian/repository.key \
| sudo gpg --dearmor -o /etc/apt/keyrings/gitea-jessey.gpg
# download credentials, kept out of the sources file
printf 'machine git.jesseyvanofferen.com login <user> password %s\n' "$TOKEN" \
| sudo tee /etc/apt/auth.conf.d/rigdoctor.conf >/dev/null
sudo chmod 0600 /etc/apt/auth.conf.d/rigdoctor.conf
# the source (modern deb822 format, GPG-verified, all-arch)
sudo tee /etc/apt/sources.list.d/rigdoctor.sources >/dev/null <<'EOF'
Types: deb
URIs: https://git.jesseyvanofferen.com/api/packages/jessey/debian
Suites: stable
Components: main
Architectures: all
Signed-By: /etc/apt/keyrings/gitea-jessey.gpg
EOF
sudo apt update && sudo apt install rigdoctor
```
Then `sudo apt upgrade` keeps it current. *(If your server serves a signed registry, drop the
`auth.conf.d` file and replace `[trusted=yes]` with `[signed-by=…]` + the `repository.key`.)*
Then `sudo apt upgrade` keeps it current. *(Quick-and-dirty alternative if the registry isn't
signed: skip the key and use a one-line `deb [arch=all trusted=yes] …/debian stable main` source.)*
### Any distro — self-extracting `.run` (no root)