Differences between revisions 33 and 35 (spanning 2 versions)
Revision 33 as of 2021-04-09 08:56:49
Size: 10216
Editor: OsamuAoki
Comment: There will be many public keys of others so checking secret key makes sense.
Revision 35 as of 2021-04-10 03:50:40
Size: 10085
Editor: PaulWise
Comment: link prevention
Deletions are marked like this. Additions are marked like this.
Line 18: Line 18:
 * [[http://blog.jonliv.es/blog/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages|Creating your own Signed APT Repository and Debian Packages]]: very good explanation of the use of GnuPG
 * [[http://manpages.debian.org/cgi-bin/man.cgi?query=reprepro&apropos=0&sektion=0&format=html&locale=en|reprepro(1)]] man page
 * [[http://blog.jonliv.es/blog/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/|Creating your own Signed APT Repository and Debian Packages]]: very good explanation of the use of GnuPG
 * [[DebianMan:reprepro|reprepro(1)]] man page
Line 46: Line 46:
However, if you're setting up the apt repository on a remote server, you may have issues generating enough entropy for key generation. In this case, you can generate the keypair on a local workstation (that is, one with a keyboard and a mouse), export the keys and import them into the repository server. This is described in detail in [[http://www.debuntu.org/how-to-importexport-gpg-key-pair/|"How-To: Import/Export GPG Keypair"]].

For further details on GnuPG + apt + dpkg, see [[http://blog.jonliv.es/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/|"Creating your own Signed APT Repository and Debian Packages"]].
However, if you're setting up the apt repository on a remote server, you may have issues generating enough entropy for key generation. In this case, you can generate the keypair on a local workstation (that is, one with a keyboard and a mouse), export the keys and import them into the repository server. This is described in detail in [[https://www.debuntu.org/how-to-importexport-gpg-key-pair/|"How-To: Import/Export GPG Keypair"]].

For further details on GnuPG + apt + dpkg, see [[http://blog.jonliv.es/blog/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/|"Creating your own Signed APT Repository and Debian Packages"]].
Line 52: Line 52:
Here we assume you got Apache (2.4, buster or newer) running already, and serving web pages - even if only the default index.html located at `/var/www/html/`. First you need a directory for the apt repository:

{{{
$ mkdir -p /var/www/html/repos/apt/debian
}}}

Next you should add Apache rules to make a few directories used internally by ''reprepro'' invisible to users of your repository. Add something like this to a Apache server configuration file fragment (e.g. ''/etc/apache2/conf.available/repos.conf'') or to a VirtualHost definition:
Here we assume you got Apache (2.4, buster or newer) running already, and serving web pages - even if only the default index.html. First you need a directory for the apt repository:

{{{
$ mkdir -p /srv/repos/apt/debian
}}}

Next you should add Apache rules to make a few directories used internally by ''reprepro'' invisible to users of your repository. Add something like this to a Apache server configuration file fragment (e.g. ''/etc/apache2/conf.available/repos.conf'') or to a !VirtualHost definition:
Line 64: Line 64:
<Directory /var/www/html/repos/ > Alias /repos/apt/debian /srv/repos/apt/debian

<Directory /srv/repos/ >
Line 72: Line 74:
<Directory "/var/www/html/repos/apt/*/db/"> <Directory "/srv/repos/apt/*/db/">
Line 76: Line 78:
<Directory "/var/www/html/repos/apt/*/conf/"> <Directory "/srv/repos/apt/*/conf/">
Line 80: Line 82:
<Directory "/var/www/html/repos/apt/*/incoming/"> <Directory "/srv/repos/apt/*/incoming/">
Line 85: Line 87:
Line 89: Line 90:
$ sudo a2enconf repos
E
nabling conf repos.
To activate the new
configuration, you need to run:
  systemctl reload apache2

$ apache2ctl configtest
$ sudo a2enconf repos # enable repos conf
$ apache2ctl configtest # test the configuration
Line 96: Line 93:
$ sudo systemctl reload apache2 $ sudo service apache2 reload # enable the configuration
Line 106: Line 103:
$ mkdir -p /var/www/html/repos/apt/debian/conf $ mkdir -p /srv/repos/apt/debian/conf
Line 109: Line 106:
Second, create the ''conf/distributions'' file. In our example, the contents of ''/var/www/html/repos/apt/debian/conf/distributions'' would look something like this: Second, create the ''conf/distributions'' file. In our example, the contents of ''/srv/repos/apt/debian/conf/distributions'' would look something like this:
Line 127: Line 124:
uid [ultimate] Joe User (Some organization) <joe.user@domain.com> uid [ultimate] Joe User (Some organization) <joe.user@example.com>
Line 136: Line 133:
Third, add an ''options'' file to make daily life with ''reprepro'' command-line a little easier. This file is in ''/var/www/html/repos/apt/debian/conf/options'': Third, add an ''options'' file to make daily life with ''reprepro'' command-line a little easier. This file is in ''/srv/repos/apt/debian/conf/options'':
Line 140: Line 137:
basedir /var/www/html/repos/apt/debian basedir /srv/repos/apt/debian
Line 144: Line 141:
For further details, refer to the instruction given [[http://scotbofh.wordpress.com/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/|here]]. For further details, refer to the instruction given [[https://scotbofh.wordpress.com/2011/04/26/creating-your-own-signed-apt-repository-and-debian-packages/|here]].
Line 186: Line 183:
$ gpg --armor --output whatever.gpg.key --export <key-id> $ gpg --armor --output whatever.gpg.key --export-options export-minimal --export <key-id>
Line 192: Line 189:
$ wget -O - http://www.domain.com/repos/apt/conf/<whatever>.gpg.key|apt-key add - $ wget -O - http://www.example.com/repos/apt/conf/<whatever>.gpg.key | apt-key add -
Line 200: Line 197:
deb http://www.domain.com/repos/apt/debian <osrelease> main deb http://www.example.com/repos/apt/debian <osrelease> main
Line 206: Line 203:
$ apt-get update && apt-get install <your-package-name> $ sudo apt update
$
sudo apt install <your-package-name>
Line 218: Line 216:
$ apt-get install dpkg-sig $ sudo apt install dpkg-sig
Line 229: Line 227:

Introduction

It can be quite useful to be able to distribute your own Debian packages using apt, without having to push them to the Debian project itself. Doing this properly requires several steps:

  • Generate GnuPG keys for package/catalog file signing
  • Generate the Debian packages
  • Sign the Debian packages
  • Install and configure a webserver (e.g. Apache)
  • Create an apt repository using reprepro

  • Add packages to the repository (again, using reprepro)

Each of these steps is covered here. For more detail than is presented here, see the following HOWTO's:

Generating GnuPG keys

GnuPG is used here for two purposes:

  • Signing the Debian packages (manually)
  • Signing the catalog files (automatically by reprepro)

Before generating a key, become familiar with current best practices for key security. As of this writing, a good description is available at "OpenPGP Key Checks" and a good ~/.gnupg/gpg.conf for the user that will generate the key would include:

# Prioritize stronger algorithms for new keys.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# Use a stronger digest than the default SHA1 for certifications.
cert-digest-algo SHA512

Generate the key using the following command:

$ gpg --gen-key

In general, you should run that command on the computer hosting the apt repository, as the user that will sign the packages. It is recommended that you don't include a comment.

However, if you're setting up the apt repository on a remote server, you may have issues generating enough entropy for key generation. In this case, you can generate the keypair on a local workstation (that is, one with a keyboard and a mouse), export the keys and import them into the repository server. This is described in detail in "How-To: Import/Export GPG Keypair".

For further details on GnuPG + apt + dpkg, see "Creating your own Signed APT Repository and Debian Packages".

Configuring Apache

Here we assume you got Apache (2.4, buster or newer) running already, and serving web pages - even if only the default index.html. First you need a directory for the apt repository:

$ mkdir -p /srv/repos/apt/debian

Next you should add Apache rules to make a few directories used internally by reprepro invisible to users of your repository. Add something like this to a Apache server configuration file fragment (e.g. /etc/apache2/conf.available/repos.conf) or to a VirtualHost definition:

# /etc/apache2/conf.available/repos.conf
# Apache HTTP Server 2.4

Alias /repos/apt/debian /srv/repos/apt/debian

<Directory /srv/repos/ >
        # We want the user to be able to browse the directory manually
        Options Indexes FollowSymLinks Multiviews
        Require all granted
</Directory>

# This syntax supports several repositories, e.g. one for Debian, one for Ubuntu.
# Replace * with debian, if you intend to support one distribution only.
<Directory "/srv/repos/apt/*/db/">
        Require all denied
</Directory>

<Directory "/srv/repos/apt/*/conf/">
        Require all denied
</Directory>

<Directory "/srv/repos/apt/*/incoming/">
        Require all denied
</Directory>

This allows users to browse the pool directory with the browser, should he/she want to. The configuration also blocks a few directories used by reprepro internally, without affecting normal apt usage. Finally check that the configuration is sane and reload it:

$ sudo a2enconf repos # enable repos conf
$ apache2ctl configtest # test the configuration
Syntax OK
$ sudo service apache2 reload # enable the configuration

Configuring reprepro

Reprepro eases the task of creating apt-compatible directory layout, apt-specific files and databases and removing and adding packages to the repository.

First, create a reprepro configuration directory:

$ mkdir -p /srv/repos/apt/debian/conf

Second, create the conf/distributions file. In our example, the contents of /srv/repos/apt/debian/conf/distributions would look something like this:

Origin: Your project name
Label: Your project name
Codename: <osrelease>
Architectures: i386 amd64
Components: main
Description: Apt repository for project x
SignWith: <key-id>

Above, <osrelease> is an official Debian release name (e.g. buster or bulleseye or sid) and <key-id> is the ID of the GnuPG key you generated. You can check the key ID (fingerprint) with gpg:

$ gpg --list-secret-key --with-subkey-fingerprint
pub   rsa4096 2010-09-23 [SC]
      E123D55E623D56323D65E123655E623D563D5831
uid           [ultimate] Joe User (Some organization) <joe.user@example.com>
sub   rsa4096 2010-09-23 [E]
      F24957412415744F1495F149571F2495F2495714

Here <keyid> (fingerprint) for the GnuPG key is F24957412415744F1495F149571F2495F2495714 (that's technically the subkey, which is recommended to be used for this sort of signing purpose).

You can repeat the section as many times as needed for different OS releases.

Third, add an options file to make daily life with reprepro command-line a little easier. This file is in /srv/repos/apt/debian/conf/options:

verbose
basedir /srv/repos/apt/debian
ask-passphrase

For further details, refer to the instruction given here.

Using overrides

Sometimes, you want to add a package from another source (for example, Debian unstable) to your repository. Rather than have to repackage it, you can use overrides to change some of its metadata.

This configuration is not needed if you do not plan to use packages from other sources.

To enable overrides, add the following to your conf/distributions file:

DebOverride: override.<osrelease>
DscOverride: override.<osrelease>

As above, <osrelease> is an official Debian release name (e.g. squeeze or wheezy), and those lines should be added to each release section you have configured.

Then, for each release you support, create the override file, where you add additional metadata for each package. This file is saved to /var/www/repos/apt/debian/conf/override.<osrelease>:

your_package_name Priority        optional
your_package_name Section         net

Adding packages to the repository

Once all of the above is done, you can add packages to the repository. Reprepro takes care of signing and all, so this should suffice:

$ reprepro includedeb <osrelease> <debfile>

Again, <osrelease> is something like squeeze or wheezy.

Run the command from your repository directory, or pass the -b option with the path to the directory, or set the REPREPRO_BASE_DIR environment variable to the directory path.

Reprepro should prompt you for the GnuPG password, because options file contains the ask-passphrase configuration option. See man reprepro for more options, e.g. how to import a package's changes file to the repository.

Exporting the public GnuPG key

Finally, you need to export the public part of your GnuPG keypair from the keychain:

$ gpg --armor --output whatever.gpg.key --export-options export-minimal --export <key-id>

Copy this to a webserver so that users can download it and add it to their GnuPG keychains similarly to this (as root):

$ wget -O - http://www.example.com/repos/apt/conf/<whatever>.gpg.key | apt-key add -

Creating a sources.list.d file

If you want to make things easy for the users, you can create a list file for them and put it to a webserver. Its contents should be something like this:

deb http://www.example.com/repos/apt/debian <osrelease> main

Instruct the users to copy this file to /etc/apt/sources.list.d/<something>.list. After this, it's just a matter of doing the following to install your package:

$ sudo apt update
$ sudo apt install <your-package-name>

Signing Debian packages without adding to repository

/!\ dpkg-sig is almost never what you want, ignore this section.

reprepro will take care of the signing, so you normally don't have to do this separately. But if you do want to simply sign a package, without deploying it on your repository, you can use dpkg-sig.

First, install dpkg-sig:

$ sudo apt install dpkg-sig

Then sign your package(s):

dpkg-sig -k keyid --sign builder your_packages_$VERSION_$ARCHITECTURE.deb

Refer to this article for more details.

Troubleshooting

When importing packages from Debian you might find that you are missing SHA-1 and SHA-256 hashes in your apt metadata (Release/Packages/Sources files). To rectify this reprepro has a redochecksums command that you should run.