Incorrect subkey used to sign

[Daniel15]

Aptly appears to be using the incorrect subkey to sign some repos.

Detailed Description

For Yarn, we have a GPG that contains two active subkeys. One of the subkeys is used to sign stable/RC releases (23E7166788B63E1E), while the other subkey (4F77679369475BAA) is used for nightly builds. We have three Aptly repos: Stable, RC, and Nightly

We're explicitly signing the stable and RC repos with 23E7166788B63E1E: https://github.com/yarnpkg/releases/blob/gh-pages/debian-source/add-deb.sh#L26-L27

aptly -config=./.aptly.conf publish update -gpg-key=23E7166788B63E1E stable
aptly -config=./.aptly.conf publish update -gpg-key=23E7166788B63E1E rc

However, it appears to be ignoring this and using the wrong subkey to sign those repos (4F77679369475BAA).

See yarnpkg/yarn#6916
See last comments on yarnpkg/yarn#6865

Your Environment

Debian buster
Aptly 1.3.0 installed via http://repo.aptly.info/

[sth]

The underlying reason is that GPG doesn't take the specified key literally, see here: yarnpkg/yarn#6916 (comment)

I don't think aptly can really do much to solve this problem. Automatically adding a ! to the specified key would break users that use a primary key id an are happy that it currently automatically selects the associated signing subkey.

[phungvanquyet]

when I run command then show error:
ERROR: open ./.aptly.conf: no such file or directory.
please help me fix it,
Thanks,

[hmh]

Maybe one could teach aptly to specify which key to use to sign things with the optional "!" being accepted as part of the key-id to use?

You'd get the full, correct gnupg behavior. Use it as always, and nothing changes (so no breaking current setups). Prefix it with !, and you get the proper gnupg behavior, and that exact key-id is forced.

If aptly already does just that, it is just a matter of documenting this explicitly.