aptly-dev · LebedevRI · Dec 29, 2025
diff --git a/AUTHORS b/AUTHORS
@@ -77,3 +77,4 @@ List of contributors, in chronological order:
 * Yaksh Bariya (https://github.com/thunder-coding)
 * Juan Calderon-Perez (https://github.com/gaby)
 * Ato Araki (https://github.com/atotto)
+* Roman Lebedev (https://github.com/LebedevRI)
diff --git a/api/publish.go b/api/publish.go
@@ -168,6 +168,8 @@ type publishedRepoCreateParams struct {
 	SkipBz2 *bool `                               json:"SkipBz2"               example:"false"`
 	// Provide index files by hash
 	AcquireByHash *bool `                         json:"AcquireByHash"         example:"false"`
+	// An optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file.
+	SignedBy *string `                            json:"SignedBy"              example:""`
 	// Enable multiple packages with the same filename in different distributions
 	MultiDist *bool `                             json:"MultiDist"             example:"false"`
 }
@@ -341,6 +343,10 @@ func apiPublishRepoOrSnapshot(c *gin.Context) {
 			published.AcquireByHash = *b.AcquireByHash
 		}
 
+		if b.SignedBy != nil {
+			published.SignedBy = *b.SignedBy
+		}
+
 		duplicate := collection.CheckDuplicate(published)
 		if duplicate != nil {
 			_ = collectionFactory.PublishedRepoCollection().LoadComplete(duplicate, collectionFactory)
@@ -376,6 +382,8 @@ type publishedRepoUpdateSwitchParams struct {
 	Snapshots []sourceParams `                    json:"Snapshots"`
 	// Provide index files by hash
 	AcquireByHash *bool `                         json:"AcquireByHash"  example:"false"`
+	// An optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file
+	SignedBy *string `                            json:"SignedBy"  example:""`
 	// Enable multiple packages with the same filename in different distributions
 	MultiDist *bool `                             json:"MultiDist"      example:"false"`
 }
@@ -461,6 +469,10 @@ func apiPublishUpdateSwitch(c *gin.Context) {
 		published.AcquireByHash = *b.AcquireByHash
 	}
 
+	if b.SignedBy != nil {
+		published.SignedBy = *b.SignedBy
+	}
+
 	if b.MultiDist != nil {
 		published.MultiDist = *b.MultiDist
 	}
@@ -954,6 +966,8 @@ type publishedRepoUpdateParams struct {
 	SkipCleanup *bool `                           json:"SkipCleanup"     example:"false"`
 	// Provide index files by hash
 	AcquireByHash *bool `                         json:"AcquireByHash"   example:"false"`
+	// An optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file
+	SignedBy *string `                            json:"SignedBy"   example:""`
 	// Enable multiple packages with the same filename in different distributions
 	MultiDist *bool `                             json:"MultiDist"       example:"false"`
 }
@@ -1020,6 +1034,10 @@ func apiPublishUpdate(c *gin.Context) {
 		published.AcquireByHash = *b.AcquireByHash
 	}
 
+	if b.SignedBy != nil {
+		published.SignedBy = *b.SignedBy
+	}
+
 	if b.MultiDist != nil {
 		published.MultiDist = *b.MultiDist
 	}

diff --git a/cmd/publish_repo.go b/cmd/publish_repo.go
@@ -51,6 +51,7 @@ Example:
 	cmd.Flag.String("codename", "", "codename to publish (defaults to distribution)")
 	cmd.Flag.Bool("force-overwrite", false, "overwrite files in package pool in case of mismatch")
 	cmd.Flag.Bool("acquire-by-hash", false, "provide index files by hash")
+	cmd.Flag.String("signed-by", "", "an optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file")
 	cmd.Flag.Bool("multi-dist", false, "enable multiple packages with the same filename in different distributions")
 
 	return cmd

diff --git a/cmd/publish_snapshot.go b/cmd/publish_snapshot.go
@@ -150,6 +150,10 @@ func aptlyPublishSnapshotOrRepo(cmd *commander.Command, args []string) error {
 		published.AcquireByHash = context.Flags().Lookup("acquire-by-hash").Value.Get().(bool)
 	}
 
+	if context.Flags().IsSet("signed-by") {
+		published.SignedBy = context.Flags().Lookup("signed-by").Value.String()
+	}
+
 	if context.Flags().IsSet("multi-dist") {
 		published.MultiDist = context.Flags().Lookup("multi-dist").Value.Get().(bool)
 	}
@@ -247,6 +251,7 @@ Example:
 	cmd.Flag.String("codename", "", "codename to publish (defaults to distribution)")
 	cmd.Flag.Bool("force-overwrite", false, "overwrite files in package pool in case of mismatch")
 	cmd.Flag.Bool("acquire-by-hash", false, "provide index files by hash")
+	cmd.Flag.String("signed-by", "", "an optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file")
 	cmd.Flag.Bool("multi-dist", false, "enable multiple packages with the same filename in different distributions")
 
 	return cmd

diff --git a/cmd/publish_switch.go b/cmd/publish_switch.go
@@ -99,6 +99,10 @@ func aptlyPublishSwitch(cmd *commander.Command, args []string) error {
 		published.SkipBz2 = context.Flags().Lookup("skip-bz2").Value.Get().(bool)
 	}
 
+	if context.Flags().IsSet("signed-by") {
+		published.SignedBy = context.Flags().Lookup("signed-by").Value.String()
+	}
+
 	if context.Flags().IsSet("multi-dist") {
 		published.MultiDist = context.Flags().Lookup("multi-dist").Value.Get().(bool)
 	}
@@ -162,6 +166,7 @@ This command would switch published repository (with one component) named ppa/wh
 	cmd.Flag.Bool("skip-bz2", false, "don't generate bzipped indexes")
 	cmd.Flag.String("component", "", "component names to update (for multi-component publishing, separate components with commas)")
 	cmd.Flag.Bool("force-overwrite", false, "overwrite files in package pool in case of mismatch")
+	cmd.Flag.String("signed-by", "", "an optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file")
 	cmd.Flag.Bool("skip-cleanup", false, "don't remove unreferenced files in prefix/component")
 	cmd.Flag.Bool("multi-dist", false, "enable multiple packages with the same filename in different distributions")
 

diff --git a/cmd/publish_update.go b/cmd/publish_update.go
@@ -60,6 +60,10 @@ func aptlyPublishUpdate(cmd *commander.Command, args []string) error {
 		published.SkipBz2 = context.Flags().Lookup("skip-bz2").Value.Get().(bool)
 	}
 
+	if context.Flags().IsSet("signed-by") {
+		published.SignedBy = context.Flags().Lookup("signed-by").Value.String()
+	}
+
 	if context.Flags().IsSet("multi-dist") {
 		published.MultiDist = context.Flags().Lookup("multi-dist").Value.Get().(bool)
 	}
@@ -125,6 +129,7 @@ Example:
 	cmd.Flag.Bool("skip-contents", false, "don't generate Contents indexes")
 	cmd.Flag.Bool("skip-bz2", false, "don't generate bzipped indexes")
 	cmd.Flag.Bool("force-overwrite", false, "overwrite files in package pool in case of mismatch")
+	cmd.Flag.String("signed-by", "", "an optional field containing a comma separated list of OpenPGP key fingerprints to be used for validating the next Release file")
 	cmd.Flag.Bool("skip-cleanup", false, "don't remove unreferenced files in prefix/component")
 	cmd.Flag.Bool("multi-dist", false, "enable multiple packages with the same filename in different distributions")
 

diff --git a/deb/format.go b/deb/format.go
@@ -26,8 +26,11 @@ var (
 		"Version",
 		"Codename",
 		"Date",
+		"Valid-Until",
 		"NotAutomatic",
 		"ButAutomaticUpgrades",
+		"Acquire-By-Hash",
+		"Signed-By",
 		"Architectures",
 		"Architecture",
 		"Components",

diff --git a/deb/publish.go b/deb/publish.go
@@ -81,6 +81,11 @@ type PublishedRepo struct {
 	// Provide index files per hash also
 	AcquireByHash bool
 
+	// An optional field containing a comma separated list
+	// of OpenPGP key fingerprints to be used
+	// for validating the next Release file
+	SignedBy string
+
 	// Support multiple distributions
 	MultiDist bool
 
@@ -529,6 +534,7 @@ func (p *PublishedRepo) MarshalJSON() ([]byte, error) {
 		"Storage":              p.Storage,
 		"SkipContents":         p.SkipContents,
 		"AcquireByHash":        p.AcquireByHash,
+		"SignedBy":             p.SignedBy,
 		"MultiDist":            p.MultiDist,
 	})
 }
@@ -1070,6 +1076,9 @@ func (p *PublishedRepo) Publish(packagePool aptly.PackagePool, publishedStorageP
 				if p.AcquireByHash {
 					release["Acquire-By-Hash"] = "yes"
 				}
+				if p.SignedBy != "" {
+					release["Signed-By"] = p.SignedBy
+				}
 
 				var bufWriter *bufio.Writer
 				bufWriter, err = indexes.ReleaseIndex(component, arch, udeb).BufWriter()
@@ -1126,11 +1135,22 @@ func (p *PublishedRepo) Publish(packagePool aptly.PackagePool, publishedStorageP
 	release["Label"] = p.GetLabel()
 	release["Suite"] = p.GetSuite()
 	release["Codename"] = p.GetCodename()
-	release["Date"] = time.Now().UTC().Format("Mon, 2 Jan 2006 15:04:05 MST")
+	datetime_format := "Mon, 2 Jan 2006 15:04:05 MST"
+	date_now := time.Now().UTC()
+	release["Date"] = date_now.Format(datetime_format)
 	release["Architectures"] = strings.Join(utils.StrSlicesSubstract(p.Architectures, []string{ArchitectureSource}), " ")
 	if p.AcquireByHash {
 		release["Acquire-By-Hash"] = "yes"
 	}
+	if p.SignedBy != "" {
+		// "If the field is present, a client should only accept future updates
+		// to the repository that are signed with keys listed in the field.
+		// The field should be ignored if the Valid-Until field
+		// is not present or if it is expired."
+		release["Signed-By"] = p.SignedBy
+		// Let's use a century as a "forever" value.
+		release["Valid-Until"] = date_now.AddDate(100, 0, 0).Format(datetime_format)
+	}
 	release["Description"] = " Generated by aptly\n"
 	release["MD5Sum"] = ""
 	release["SHA1"] = ""

diff --git a/man/aptly.1 b/man/aptly.1
@@ -1565,6 +1565,10 @@ $ aptly publish repo testing
 Options:
 .
 .TP
+\-\fBsigned\-by\fR
+set value for Signed-By field
+.
+.TP
 \-\fBacquire\-by\-hash\fR
 provide index files by hash
 .
@@ -1706,6 +1710,10 @@ $ aptly publish snapshot wheezy\-main
 Options:
 .
 .TP
+\-\fBsigned\-by\fR
+set value for Signed-By field
+.
+.TP
 \-\fBacquire\-by\-hash\fR
 provide index files by hash
 .
@@ -2065,6 +2073,10 @@ This command would switch published repository (with one component) named ppa/wh
 Options:
 .
 .TP
+\-\fBsigned\-by\fR
+set value for Signed-By field
+.
+.TP
 \-\fBbatch\fR
 run GPG with detached tty
 .
@@ -2171,6 +2183,10 @@ $ aptly publish update wheezy ppa
 Options:
 .
 .TP
+\-\fBsigned\-by\fR
+set value for Signed-By field
+.
+.TP
 \-\fBbatch\fR
 run GPG with detached tty
 .

diff --git a/system/t06_publish/PublishList5Test_gold b/system/t06_publish/PublishList5Test_gold
@@ -14,6 +14,7 @@
     "Origin": "LP-PPA-gladky-anton-gnuplot",
     "Path": "./maverick",
     "Prefix": ".",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [
@@ -39,6 +40,7 @@
     "Origin": "",
     "Path": "ppa/smira/wheezy",
     "Prefix": "ppa/smira",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [
@@ -65,6 +67,7 @@
     "Origin": "origin1",
     "Path": "ppa/tr1/maverick",
     "Prefix": "ppa/tr1",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [
@@ -91,6 +94,7 @@
     "Origin": "",
     "Path": "ppa/tr2/maverick",
     "Prefix": "ppa/tr2",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [

diff --git a/system/t06_publish/PublishRepo35Test_gold b/system/t06_publish/PublishRepo35Test_gold
@@ -0,0 +1,14 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+
+Local repo local-repo has been successfully published.
+Please setup your webserver to serve directory '${HOME}/.aptly/public' with autoindexing.
+Now you can add following line to apt sources:
+  deb http://your-server/ maverick contrib
+  deb-src http://your-server/ maverick contrib
+Don't forget to add your GPG key to apt with apt-key.
+
+You can also use `aptly serve` to publish your repositories over HTTP quickly.
diff --git a/system/t06_publish/PublishRepo35Test_release b/system/t06_publish/PublishRepo35Test_release
@@ -0,0 +1,12 @@
+Origin: . maverick
+Label: label35
+Suite: maverick
+Codename: maverick
+Signed-By: comma,separated,string
+Architectures: i386
+Components: contrib
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:
diff --git a/system/t06_publish/PublishShow3Test_gold b/system/t06_publish/PublishShow3Test_gold
@@ -13,6 +13,7 @@
   "Origin": "LP-PPA-gladky-anton-gnuplot",
   "Path": "./maverick",
   "Prefix": ".",
+  "SignedBy": "",
   "SkipContents": false,
   "SourceKind": "snapshot",
   "Sources": [

diff --git a/system/t06_publish/PublishShow4Test_gold b/system/t06_publish/PublishShow4Test_gold
@@ -13,6 +13,7 @@
   "Origin": "LP-PPA-gladky-anton-gnuplot",
   "Path": "ppa/smira/maverick",
   "Prefix": "ppa/smira",
+  "SignedBy": "",
   "SkipContents": false,
   "SourceKind": "snapshot",
   "Sources": [

diff --git a/system/t06_publish/PublishSnapshot43Test_gold b/system/t06_publish/PublishSnapshot43Test_gold
@@ -0,0 +1,13 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+
+Snapshot snap43 has been successfully published.
+Please setup your webserver to serve directory '/home/runner/.aptly/public' with autoindexing.
+Now you can add following line to apt sources:
+  deb http://your-server/ maverick main
+Don't forget to add your GPG key to apt with apt-key.
+
+You can also use `aptly serve` to publish your repositories over HTTP quickly.
diff --git a/system/t06_publish/PublishSnapshot43Test_release b/system/t06_publish/PublishSnapshot43Test_release
@@ -0,0 +1,12 @@
+Origin: LP-PPA-gladky-anton-gnuplot
+Label: . maverick
+Suite: maverick
+Codename: maverick
+Signed-By: string,separated,by,commas
+Architectures: amd64 i386
+Components: main
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:
diff --git a/system/t06_publish/PublishSwitch17Test_gold b/system/t06_publish/PublishSwitch17Test_gold
@@ -0,0 +1,9 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+Cleaning up published repository ./maverick...
+Cleaning up component 'main'...
+
+Published snapshot repository ./maverick (origin: LP-PPA-gladky-anton-gnuplot) [amd64, i386] publishes {main: [snap2]: Snapshot from mirror [gnuplot-maverick]: http://ppa.launchpad.net/gladky-anton/gnuplot/ubuntu/ maverick} has been successfully switched to new source.
diff --git a/system/t06_publish/PublishSwitch17Test_release b/system/t06_publish/PublishSwitch17Test_release
@@ -0,0 +1,12 @@
+Origin: LP-PPA-gladky-anton-gnuplot
+Label: . maverick
+Suite: maverick
+Codename: maverick
+Signed-By: a,string
+Architectures: amd64 i386
+Components: main
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:
diff --git a/system/t06_publish/PublishUpdate19Test_gold b/system/t06_publish/PublishUpdate19Test_gold
@@ -0,0 +1,9 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+Cleaning up published repository ./maverick...
+Cleaning up component 'main'...
+
+Published local repository ./maverick [i386, source] publishes {main: [local-repo]} has been updated successfully.
diff --git a/system/t06_publish/PublishUpdate19Test_release b/system/t06_publish/PublishUpdate19Test_release
@@ -0,0 +1,12 @@
+Origin: . maverick
+Label: . maverick
+Suite: maverick
+Codename: maverick
+Signed-By: some,string
+Architectures: i386
+Components: main
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512: