Introduction
It can be quite useful to be able to distribute your own Debian packages using apt, without having to push them to the Debian project itself. Doing this properly requires several steps:
- Generate GnuPG keys for package/catalog file signing
- Generate the Debian packages
- Sign the Debian packages
- Install and configure a webserver (e.g. Apache)
- Create an apt repository using reprepro
- Add packages to the repository (again, using reprepro)
Each of these steps is covered here. Before you start, you should probably look at these HOWTOs on this subject:
- Creating your own Signed APT Repository and Debian Packages: very good explanation of the use of GnuPG
- Setting up and managing an APT repository with reprepro: a good tutorial, but lacks GnuPG stuff
- Man-page of reprepro (man reprepro)
Generating GnuPG keys
GnuPG is used here for two purposes:
- Signing the Debian packages (manually)
- Signing the catalog files (automatically by reprepro)
In general, you only need to run this command on the computer hosting the apt repository:
$ gpg --gen-key
However, if you're setting up the apt repository on a remote server, you'll probably have issues generating enough entropy for key generation. In this case, you can generate the keypair on a local workstation (i.e. one with a keyboard and a mouse), export the keys and import them into the repository server. This is described in detail in this article.
For further details on GnuPG + apt + dpkg, take a look here.
Signing Debian packages
First install dpkg-sig:
$ apt-get install dpkg-sig
Then sign your package(s):
$ dpkg-sig --sign builder your_packages_<version>_<architecture>.deb
Refer to this article for more details.
Configuring Apache
Here we assume you already have Apache (2.x) running and serving web pages, even if only the default index.html. First you need a directory for the apt repository:
$ mkdir -p /var/www/repos/apt/debian
Next you should add Apache rules to make a few directories used internally by reprepro invisible to users of your repository. Add something like this to an Apache server configuration file fragment (e.g. /etc/apache2/conf.d/repos) or to a virtualhost definition:
# /etc/apache2/conf.d/repos
# Note: Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 uses
# "Require all granted" and "Require all denied" instead.
<Directory /var/www/repos/>
    # We want the user to be able to browse the directory manually
    Options Indexes FollowSymLinks MultiViews
    Order allow,deny
    Allow from all
</Directory>
# This syntax supports several repositories, e.g. one for Debian, one for Ubuntu.
# Replace * with debian, if you intend to support one distribution only.
<Directory "/var/www/repos/apt/*/db/">
    Order allow,deny
    Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/conf/">
    Order allow,deny
    Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/incoming/">
    Order allow,deny
    Deny from all
</Directory>
This allows users to browse the pool directory with a browser, should they want to. The configuration also blocks a few directories used by reprepro internally, without affecting normal apt usage. Finally, check that the configuration is sane and reload it:
$ apache2ctl configtest
Syntax OK
$ /etc/init.d/apache2 reload
Reloading web server config: apache2.
Configuring reprepro
Reprepro eases the task of creating an apt-compatible directory layout, apt-specific files and databases, and of adding packages to and removing them from the repository. First you need to create a reprepro configuration directory:
$ mkdir -p /var/www/repos/apt/debian/conf
You also need to put three files into that conf directory. First, you need the distributions file. In my case, this file is called /var/www/repos/apt/debian/conf/distributions:
Origin: Your project name
Label: Your project name
Codename: <osrelease>
Architectures: i386 amd64
Components: main
Description: Apt repository for project x
DebOverride: override.<osrelease>
DscOverride: override.<osrelease>
SignWith: <key-id>
Above <osrelease> is an official Debian release name (e.g. Lenny or Squeeze) and <key-id> the ID of the GnuPG key you generated. You can check the key ID with gpg:
$ gpg --list-keys
/home/joe/.gnupg/pubring.gpg
-------------------------------
pub   2048R/E123D553 2011-08-03 [expires: 2012-08-02]
uid                  Joe User (Some organization) <joe.user@domain.com>
sub   2048R/F2495744 2011-08-03 [expires: 2012-08-02]
Here <key-id> for the public key is E123D553 and for the private key it is F2495744.
Next you should add an options file to make daily life with the reprepro command line a little easier. This file is in /var/www/repos/apt/debian/conf/options:
verbose
basedir /var/www/repos/apt/debian
ask-passphrase
Finally, you need an override file where you add some additional metadata for each package. This file is saved to /var/www/repos/apt/debian/conf/override.<osrelease>, where <osrelease> is an official Debian release name such as Lenny or Squeeze:
your_package_name Priority optional
your_package_name Section net
For further details, refer to the instructions given here and here.
Adding packages to the repository
Once all of the above is done, you can add packages to the repository. Reprepro takes care of signing and all, so this should suffice:
$ reprepro includedeb <osrelease> <debfile>
Again, <osrelease> is something like Lenny or Squeeze. Reprepro should prompt you for the GnuPG password, because the options file contains the ask-passphrase configuration option. See man reprepro for more options, e.g. how to import a package's changes file to the repository.
Exporting the public GnuPG key
Finally, you need to export the public part of your GnuPG keypair from the keychain:
$ gpg --armor --output whatever.gpg.key --export <key-id>
Copy this to a webserver so that users can download it and add it to their GnuPG keychains similarly to this (as root):
$ wget -O - http://www.domain.com/repos/apt/conf/<whatever>.gpg.key|apt-key add -
Creating a sources.list.d file
If you want to make things easy for the users, you can create a list file for them and put it on a webserver. Its contents should be something like this:
deb http://www.domain.com/repos/apt/debian <osrelease> main
Instruct the users to copy this file to /etc/apt/sources.list.d/<something>.list. After this, it's just a matter of doing the following to install your package:
$ apt-get update && apt-get install <your-package-name>
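What the signature on the catalog files buys the client, as an added example (not part of the original page): the Release file that reprepro signs lists the hash of each Packages index, and each Packages stanza lists the hash of a .deb, so one signature covers every package in the repository. The sample Release, Packages and .deb contents are constructed, and GnuPG verification of the Release file itself is assumed to have happened already.

```python
import hashlib
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Parse the multi-line SHA256 field of a Release file: {path: (hash, size)}."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_field = False
    return entries

def package_stanzas(packages_text: str) -> list:
    """Parse a Packages index into one {field: value} dict per stanza."""
    return [dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
            for block in packages_text.strip().split("\n\n")]

def verify_deb(release_text, index_path, packages, deb_path, deb):
    """Follow Release -> Packages -> .deb. Assumes the Release text has already
    passed GnuPG signature verification. Returns (ok, reason)."""
    listed = release_hashes(release_text).get(index_path)
    if listed is None:
        return False, "index not listed in Release"
    if listed != (sha256(packages), len(packages)):
        return False, "Packages does not match Release"
    for st in package_stanzas(packages.decode()):
        if st.get("Filename") == deb_path:
            if (st.get("SHA256"), st.get("Size")) == (sha256(deb), str(len(deb))):
                return True, "ok"
            return False, ".deb does not match Packages"
    return False, ".deb not listed in Packages"

# Constructed sample data (not a real package or repository).
DEB = b"constructed stand-in for the bytes of a .deb file"
DEB_PATH = "pool/main/y/your-package-name/your-package-name_1.0-1_amd64.deb"
PACKAGES = (f"Package: your-package-name\nVersion: 1.0-1\nArchitecture: amd64\n"
            f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
INDEX = "main/binary-amd64/Packages"
RELEASE = (f"Origin: Your project name\nCodename: squeeze\nComponents: main\n"
           f"SHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print(verify_deb(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
    print(verify_deb(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB + b"!"))
```

A .deb swapped on the web server fails the Packages check, and a Packages file rewritten to match the swapped .deb fails the Release check, which is why the Release signature is the one that matters to apt clients.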