Reprepro
From BCCD 3.0
Reprepro is the apt repository management software we use for the BCCD. It lives on bigfe in the /home/reprepro
directory, and remote access is provided by Apache from the debmirror.cluster.earlham.edu
virtual host.
Initial setup
Based on infrastructureanywhere.com.
- Log in to bigfe
- Install deb packages:
apt-get install reprepro debian-archive-keyring
- Make the repo directories:
mkdir -p /home/reprepro/conf
- Extract public key ID (42E03786 in this case):
skylar@almaren:/home/reprepro/conf$ gpg --list-keys Skylar
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
pub   1024D/42E03786 2003-02-02
uid                  Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
uid                  Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
uid                  Skylar Thompson <skylar.thompson@gmail.com>
sub   1024g/990A31DF 2003-02-02
- Make conf/distributions file, setting SignWith to my public key:
Origin: Debian
Codename: squeeze
Description: Official Debian Squeeze mirror
Architectures: amd64
Components: main contrib non-free
UDebComponents: main
Contents: .gz
Update: - debian-squeeze
Log: /home/reprepro/mirror/logs/mirror.log
SignWith: 42E03786

Origin: Debian
Codename: squeeze-updates
Description: Official Debian Squeeze mirror
Architectures: amd64
Components: main contrib non-free
UDebComponents: main
Contents: .gz
Update: - debian-squeeze-updates
Log: /home/reprepro/mirror/logs/mirror.log
SignWith: 42E03786
- Look for GPG keys installed by the debian-archive-keyring package:
skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
- In this case, you will need to look at both the stable and automatic keys:
skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
pub  4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
pub  4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
- You will need to import both keys from a key server:
skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
(1) Squeeze Stable Release Key <debian-release@lists.debian.org>
      4096 bit RSA key B98321F9, created: 2010-08-07
Keys 1-1 of 1 for "B98321F9". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: searching for "473041FA" from hkp server subkeys.pgp.net
(1) Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
      4096 bit RSA key 473041FA, created: 2010-08-27
Keys 1-1 of 1 for "473041FA". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 473041FA from hkp server subkeys.pgp.net
gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
- For each of the keys found, import them with gpg and apt-key:
skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
    awk -F: '/(Squeeze|Archive Automatic)/ {print $5}'); do
  gpg --keyserver subkeys.pgp.net --recv ${KEY} \
    && gpg --export --armor ${KEY} \
    | sudo apt-key add -
done
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
OK
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
OK
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: requesting key 473041FA from hkp server subkeys.pgp.net
gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
OK
- Make conf/updates file, using VerifyRelease from Debian squeeze:
Name: debian-squeeze
Method: http://debian.osuosl.org/debian
Suite: Squeeze
Components: main contrib non-free
UDebComponents: main
Architectures: amd64 source
VerifyRelease: AED4B06F473041FA

Name: debian-squeeze-updates
Method: http://debian.osuosl.org/debian
Suite: squeeze-updates
Components: main contrib non-free
UDebComponents: main
Architectures: amd64
VerifyRelease: AED4B06F473041FA
- Within the /home/reprepro directory, run:
reprepro -V update
- Create an ASCII export of your GPG key and copy it to bigfe:
gpg -a --export key-id > /var/tmp/key-id.gpg
- As root on bigfe, add your key to /etc/apt/trusted.gpg:
apt-key add < /var/tmp/key-id.gpg
Adding a repository
- Make sure you have the E6BF09F6 signing key in your gpg --list-secret-keys output.
- Enter the reprepro directory:
pushd /home/reprepro
- Add to conf/distributions:
Origin: BCCD
Label: BCCD
Codename: bccd-v334
Architectures: i386 amd64 source
Components: main
Description: Packages for BCCD v3.3.4
# Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
SignWith: E6BF09F6
# BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
- Add packages (repo doesn't exist until it has packages):
reprepro includedeb bccd-v332 *.deb
- If you get errors about packages not being exported, export manually:
reprepro export bccd-v332
Copying a repository
- Add a new repository (see above).
- Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):
for ARCH in i386 amd64; do
  reprepro -A ${ARCH} list bccd-v332 | awk '{print $2}' | xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
done
Exporting a repository
If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase:
reprepro --ask-passphrase export bccd-v340
Removing a repository
- Delete from /home/reprepro/conf/distributions
- Run:
reprepro --delete clearvanished
Signing key
Build setup
The signing GPG key has ID E6BF09F6 and should be set in the SignWith line for the distribution in conf/distributions. For instance:
Origin: BCCD
Label: BCCD
Codename: bccd-v334
Architectures: i386 amd64 source
Components: main
Description: Packages for BCCD v3.3.4
# Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
SignWith: E6BF09F6
# BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
The ASCII armor output of the public key should live in the SVN repository in trees/keys/E6BF09F6.gpg, and will be added automatically to the system's local apt key ring as part of the build.
Submit this key to a public key server as well:
gpg --keyserver pgp.mit.edu --send-key E6BF09F6
Release engineer setup
The public and private keys should live in your own key ring in ~/.gnupg. If you do not have them, talk to one of the Release Engineers for the key pair and password. To import:
- Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
  - gpg --armor --export E6BF09F6
  - gpg --armor --export-secret-key E6BF09F6
- Import in your account on bigfe:
  - gpg --import
  - gpg --allow-secret-key-import --import
See Trac #984 for details.
Mirroring
- Fetch the conf directory from SVN
- Add an Update: field to each repo that you would like to mirror in conf/distributions. For instance, for bccd-v334, you might put in:
Update: bccd-v334-update
- Add each repo to conf/updates:
Name: bccd-v334-update
Method: http://debmirror.cluster.earlham.edu
VerifyRelease: blindtrust
- Run:
reprepro -V update
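An added example, not part of the BCCD configuration: VerifyRelease: blindtrust tells reprepro to accept the mirrored Release file without checking its signature, so this script lists the update rules in a conf/updates file that use it, or that pin an 8-digit key ID. The names audit_updates and demo_updates and the sample stanzas are assumptions, built from the rules shown on this page.

```sh
#!/bin/sh
# Added example (not from the BCCD wiki): list update rules in a reprepro
# conf/updates file whose VerifyRelease setting disables or weakens the
# signature check on the upstream Release file.
audit_updates() {
    awk '
        function report(msg,   who) {
            who = (name == "" ? "(unnamed)" : name)
            print who ": " msg
        }
        function end_rule() {
            if (verify == "blindtrust") {
                report("VerifyRelease is blindtrust, Release signature is not checked")
                if (method ~ /^http:/) report("unverified index fetched over plain http")
            } else if (verify ~ /^[0-9A-Fa-f]+$/ && length(verify) < 16) {
                # only values that are a single hex key ID are size-checked
                report("short key ID " verify " is collision-prone")
            }
            name = ""; verify = ""; method = ""
        }
        /^[ \t]*$/             { end_rule(); next }   # blank line ends a stanza
        $1 == "Name:"          { name = $2 }
        $1 == "Method:"        { method = $2 }
        $1 == "VerifyRelease:" { verify = $2 }
        END                    { end_rule() }
    ' "$1"
}

# Constructed sample: two rules from this page plus one hypothetical rule.
demo_updates() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Name: debian-squeeze-updates
Method: http://debian.osuosl.org/debian
VerifyRelease: AED4B06F473041FA

Name: bccd-v334-update
Method: http://debmirror.cluster.earlham.edu
VerifyRelease: blindtrust

Name: constructed-short-id
Method: http://debmirror.cluster.earlham.edu
VerifyRelease: E6BF09F6
EOF
    audit_updates "$f"
    rm -f "$f"
}
demo_updates
```

Run audit_updates against /home/reprepro/conf/updates before reprepro -V update; a rule that pins a 16-digit key ID, as the Debian rules in the initial setup do, produces no output.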
apt tricks
- Which repo is a package coming from?
apt-cache showpkg pkg-name
Troubleshooting
- List all checksums in DB:
reprepro _listchecksums
- Forget about a package in the DB (probably want to delete it w/ rm first):
reprepro _forget pool/main/i/icu4j-4.2/icu4j-4.2_4.2.1.1.orig.tar.gz
  - Also can grep for that checksum in the lists directory to get a filename
Troubleshooting signing errors: Correct key not installed
If you get a message like this:
E: Release signed by unknown key (key id B1CE32C942E03786)
Try importing the key to the debian archive keyring:
root@BigFe:~# gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
If this gives you errors, try using apt-key:
root@bigfe:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
Executing: /tmp/apt-key-gpghome.Uqs75DgWFS/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
gpg: key 64481591B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Troubleshooting signing errors: Key length not sufficient
You might also get messages like this with apt-get:
Err:1 http://debmirror.cluster.earlham.edu sid InRelease
  The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
Err:2 http://debmirror.cluster.earlham.edu bccd-v340 InRelease
  The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debmirror.cluster.earlham.edu sid InRelease: The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
W: GPG error: http://debmirror.cluster.earlham.edu bccd-v340 InRelease: The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
E: The repository 'http://debmirror.cluster.earlham.edu bccd-v340 InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
You should examine the referenced key to determine its length:
# gpg --list-keys BDCB71F1A2D14024DC8706B1B1CE32C942E03786
pub   dsa1024 2003-02-02 [SC]
...
As of 2017, apt deprecates SHA1 digests and short keys. Change the key referenced in SignWith in reprepro to one that is at least 4096 bits long with a SHA2 digest, and re-export each repository.
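An added example, not from the BCCD wiki: it cross-checks each SignWith key ID in conf/distributions against a gpg --with-colons --list-keys listing and reports keys that are absent or below the 4096-bit threshold given above. The names check_signwith and demo_signwith and the sample listing are constructed for illustration; in gpg's colon format the pub record carries the key length in field 3, the algorithm in field 4 and the long key ID in field 5.

```sh
#!/bin/sh
# Added example (not from the BCCD wiki): cross-check every SignWith key ID in
# conf/distributions against a `gpg --with-colons --list-keys` listing.
# usage: check_signwith DISTRIBUTIONS KEYLIST [MINBITS]
check_signwith() {
    awk -v min="${3:-4096}" '
        FNR == NR {                        # first file: colon-format key listing
            split($0, f, ":")
            if (f[1] == "pub") { bits[f[5]] = f[3]; algo[f[5]] = f[4] }
            next
        }
        $1 == "Codename:" { code = $2 }    # second file: conf/distributions
        $1 == "SignWith:" && $2 ~ /^[0-9A-Fa-f]+$/ {
            id = toupper($2); found = 0
            # a full fingerprint is matched on its last 16 digits (the long key ID)
            if (length(id) > 16) id = substr(id, length(id) - 15)
            for (k in bits) {
                if (substr(k, length(k) - length(id) + 1) != id) continue
                found = 1
                # algorithm 1 is RSA, 17 is DSA; other key types are not size-checked
                if ((algo[k] == 1 || algo[k] == 17) && bits[k] + 0 < min + 0)
                    print code ": SignWith " $2 " is " (algo[k] == 1 ? "rsa" : "dsa") bits[k] ", below " min " bits"
            }
            if (!found) print code ": SignWith " $2 " not in key listing"
        }
    ' "$2" "$1"
}

# Constructed sample inputs; key IDs and sizes are the ones quoted on this page.
demo_signwith() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/keys" <<'EOF'
pub:-:1024:17:B1CE32C942E03786:1044144000:::-:::scESC:
pub:-:4096:1:64481591B98321F9:1281139200:::-:::scSC:
EOF
    cat > "$dir/distributions" <<'EOF'
Codename: squeeze
SignWith: 42E03786

Codename: bccd-v334
SignWith: E6BF09F6
EOF
    check_signwith "$dir/distributions" "$dir/keys"
    rm -rf "$dir"
}
demo_signwith
```

On bigfe the listing would come from gpg --with-colons --list-keys run as the user whose key ring reprepro signs with. The digest algorithm is not visible in the listing and has to be checked separately.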