Signed apt repository for LiquidMetal Debian packages.
sudo install -d -m 0755 /usr/share/keyrings
curl -fsSL https://liquidmetal-dev.github.io/apt-repo/liquidmetal-archive-keyring.asc \
| sudo gpg --dearmor -o /usr/share/keyrings/liquidmetal-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/liquidmetal-archive-keyring.gpg] https://liquidmetal-dev.github.io/apt-repo stable main" \
| sudo tee /etc/apt/sources.list.d/liquidmetal.list >/dev/null
sudo apt update
sudo apt install guest-agentThe repository currently publishes guest-agent for amd64 and arm64.
pool/main/g/guest-agent/contains immutable.debpackage files.dists/stable/main/binary-amd64/contains theamd64package index.dists/stable/main/binary-arm64/contains thearm64package index.dists/stable/InReleaseanddists/stable/Release.gpgare signed with the LiquidMetal archive key.incoming/<source-project>/<tag>/is the producer drop area for new.debfiles.packages.tsvis the allowlist for source projects, Debian package names, architectures, and pool destinations.
Producer repositories only add files under incoming/. Package metadata,
keyrings, and signatures are generated by this repository's publish workflow.
Producer repositories need a fine-grained GitHub personal access token with
access only to liquidmetal-dev/apt-repo and Contents: Read and write.
Store it in the producer repository as APT_REPO_TOKEN.
Stable release workflows should copy .deb artifacts to:
incoming/<source-project>/vX.Y.Z/
For example, guest-agent publishes to:
incoming/guest-agent/v0.1.0/
To onboard another project, add a row to packages.tsv before depositing
packages. The current format is:
source_project|package_name|architectures|pool_dir|version_must_match_tag
Run these commands with gh authenticated as a LiquidMetal org/admin user.
Create a dedicated archive signing key:
gpg --batch --quick-generate-key \
"LiquidMetal apt archive <noreply@liquidmetal.dev>" \
rsa4096 sign 2y
gpg --list-secret-keys --keyid-format=long \
"LiquidMetal apt archive"Copy the long key ID from the sec rsa4096/... line, then export it:
export APT_GPG_KEY_ID="YOUR_LONG_KEY_ID"
gpg --armor --export-secret-keys "$APT_GPG_KEY_ID" \
> /tmp/liquidmetal-apt-private.ascInstall the GitHub Actions secrets on liquidmetal-dev/apt-repo:
gh secret set APT_GPG_PRIVATE_KEY \
--repo liquidmetal-dev/apt-repo \
< /tmp/liquidmetal-apt-private.asc
gh secret set APT_GPG_KEY_ID \
--repo liquidmetal-dev/apt-repo \
--body "$APT_GPG_KEY_ID"If the GPG key has a passphrase, also store it:
gh secret set APT_GPG_PASSPHRASE \
--repo liquidmetal-dev/apt-repo \
--body "YOUR_GPG_PASSPHRASE"Remove the exported private key from disk:
shred -u /tmp/liquidmetal-apt-private.ascAfter setup, producer repositories can deposit packages under incoming/.
Prerelease tags such as v0.1.0-rc1 should not deposit packages unless the
producer and allowlist are intentionally changed to support them.
If the current archive key is close to expiry and should keep the same trust identity, extend its expiration locally and update the GitHub Actions secret:
export APT_GPG_KEY_ID="CURRENT_LONG_KEY_ID"
gpg --quick-set-expire "$APT_GPG_KEY_ID" 2y
gpg --armor --export-secret-keys "$APT_GPG_KEY_ID" \
> /tmp/liquidmetal-apt-private.asc
gh secret set APT_GPG_PRIVATE_KEY \
--repo liquidmetal-dev/apt-repo \
< /tmp/liquidmetal-apt-private.asc
gh secret set APT_GPG_KEY_ID \
--repo liquidmetal-dev/apt-repo \
--body "$APT_GPG_KEY_ID"
shred -u /tmp/liquidmetal-apt-private.ascThe next publish workflow run exports the renewed public key to this repository
as liquidmetal-archive-keyring.asc and liquidmetal-archive-keyring.gpg,
then signs fresh repository metadata.
If the private key is compromised or the archive should move to a new trust identity, create a new key, replace the same GitHub Actions secrets, and run the publish workflow. Users must refresh their local keyring after the new public key is published:
curl -fsSL https://liquidmetal-dev.github.io/apt-repo/liquidmetal-archive-keyring.asc \
| sudo gpg --dearmor -o /usr/share/keyrings/liquidmetal-archive-keyring.gpg
sudo apt update