Reprepro

From BCCD 3.0


Reprepro is the apt repository management software we use for the BCCD. It lives on bigfe in the /home/reprepro directory, and remote access is provided by Apache from the debmirror.cluster.earlham.edu virtual host.


Initial setup

Based on infrastructureanywhere.com.

  1. Log in to bigfe
  2. Install deb packages: apt-get install reprepro debian-archive-keyring
  3. Make the repo directories: mkdir -p /home/reprepro/conf
  4. Extract the public key ID (42E03786 in this case):
    skylar@almaren:/home/reprepro/conf$ gpg --list-keys Skylar
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub   1024D/42E03786 2003-02-02
    uid                  Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
    uid                  Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
    uid                  Skylar Thompson <skylar.thompson@gmail.com>
    sub   1024g/990A31DF 2003-02-02
    
  5. Make conf/distributions file, setting SignWith to my public key:
    Origin: Debian
    Codename: squeeze
    Description: Official Debian Squeeze mirror
    Architectures: amd64
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze
    Log: /home/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
    Origin: Debian
    Codename: squeeze-updates
    Description: Official Debian Squeeze mirror
    Architectures: amd64
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze-updates
    Log: /home/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
  6. Look for GPG keys installed by the debian-archive-keyring package:
    skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    
  7. In this case, you will need to look at both the stable and automatic keys:
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
    
  8. You will need to import both keys from a key server:
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
    (1)     Squeeze Stable Release Key <debian-release@lists.debian.org>
              4096 bit RSA key B98321F9, created: 2010-08-07
    Keys 1-1 of 1 for "B98321F9".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "473041FA" from hkp server subkeys.pgp.net
    (1)     Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
              4096 bit RSA key 473041FA, created: 2010-08-27
    Keys 1-1 of 1 for "473041FA".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
  9. For each of the keys found, import them with gpg and apt-key:
    skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
       awk -F: '/(Squeeze|Archive Automatic)/ {print $5}');
       do
       gpg --keyserver subkeys.pgp.net --recv ${KEY} \
          && gpg --export --armor ${KEY} \
             | sudo apt-key add -
    done
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
    gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    
  10. Make conf/updates file, using VerifyRelease from Debian squeeze:
    Name: debian-squeeze
    Method: http://debian.osuosl.org/debian
    Suite: squeeze
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    Name: debian-squeeze-updates
    Method: http://debian.osuosl.org/debian
    Suite: squeeze-updates
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64
    VerifyRelease: AED4B06F473041FA
    
    
  11. Within the /home/reprepro directory, run reprepro -V update
  12. Create an ASCII export of your GPG key and copy it to bigfe: gpg -a --export key-id > /var/tmp/key-id.gpg
  13. As root on bigfe, add your key to /etc/apt/trusted.gpg: apt-key add < /var/tmp/key-id.gpg

Adding a repository

  1. Make sure you have the E6BF09F6 signing key in your gpg --list-secret-keys output.
  2. Enter the reprepro directory: pushd /home/reprepro
  3. Add to conf/distributions:
    Origin: BCCD
    Label: BCCD
    Codename: bccd-v334
    Architectures: i386 amd64 source
    Components: main
    Description: Packages for BCCD v3.3.4
    # Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
    SignWith: E6BF09F6 # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
    
  4. Add packages (repo doesn't exist until it has packages): reprepro includedeb bccd-v332 *.deb
  5. If you get errors about packages not being exported, export manually: reprepro export bccd-v332

Copying a repository

  1. Add a new repository (see above).
  2. Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):
    for ARCH in i386 amd64; do
       reprepro -A ${ARCH} list bccd-v332|awk '{print $2}'|xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
    done
    

Exporting a repository

If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase: reprepro --ask-passphrase export bccd-v340

Removing a repository

  1. Delete from /home/reprepro/conf/distributions
  2. Run reprepro --delete clearvanished

Signing key

Build setup

The signing GPG key has ID E6BF09F6 and should be set in the SignWith line for the distribution in conf/distributions. For instance:

Origin: BCCD
Label: BCCD
Codename: bccd-v334
Architectures: i386 amd64 source
Components: main
Description: Packages for BCCD v3.3.4
# Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
SignWith: E6BF09F6 # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key

The ASCII armor output of the public key should live in the SVN repository in trees/keys/E6BF09F6.gpg, and will be added automatically to the system's local apt key ring as part of the build.

Submit this key to a public key server as well: gpg --keyserver pgp.mit.edu --send-key E6BF09F6

Release engineer setup

The public and private keys should live in your own key ring in ~/.gnupg. If you do not have it, talk to one of the Release Engineers for the key pair and password. To import:

  1. Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
    1. gpg --armor --export E6BF09F6
    2. gpg --armor --export-secret-key E6BF09F6
  2. Import in your account on bigfe:
    1. gpg --import
    2. gpg --allow-secret-key-import --import

See Trac #984 for details.

Mirroring

  1. Fetch the conf directory from SVN
  2. Add an Update: field to each repo that you would like to mirror in conf/distributions. For instance, for bccd-v334, you might put in Update: bccd-v334-update
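  3. Add each repo to conf/updates. Note that VerifyRelease: blindtrust turns off signature checking of the upstream Release file; to verify it, set VerifyRelease to the ID of the key that signs the repository, as in the initial setup: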
    Name: bccd-v334-update
    Method: http://debmirror.cluster.earlham.edu
    VerifyRelease: blindtrust
    
  4. Run reprepro -V update
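
One way to see which distributions pull from an update rule that skips Release verification, as an added example that is not part of the original page or of reprepro. The function name, the status labels and the sample file contents are assumptions made for illustration; the stanzas reuse names from this page, with debian-squeeze left undefined on purpose.

```shell
# Added example: report the VerifyRelease setting behind every Update: rule.
# The file contents written below are constructed samples.

# update_trust_report DISTRIBUTIONS UPDATES
# Prints "<codename> <rule> <status>" for every rule named in an Update: field.
update_trust_report() {
    awk 'BEGIN { RS = ""; FS = "\n" }    # one stanza per record, one line per field
    function field(key,   i, v) {        # value of "key:" in this stanza, or ""
        for (i = 1; i <= NF; i++)
            if (index($i, key ":") == 1) { v = $i; sub(/^[^:]*:[ \t]*/, "", v); return v }
        return ""
    }
    FNR == NR {                          # first file: conf/updates
        n = field("Name"); vr = field("VerifyRelease")
        if (n != "") rule[n] = (vr == "") ? "unset" : vr
        next
    }
    {                                    # second file: conf/distributions
        cn = field("Codename"); m = split(field("Update"), want, /[ \t]+/)
        for (j = 1; j <= m; j++) {
            r = want[j]
            if (r == "" || r == "-") continue    # "-" is not a rule name
            if (!(r in rule)) print cn, r, "MISSING-RULE"
            else if (rule[r] == "blindtrust" || rule[r] == "unset")
                print cn, r, "UNVERIFIED(" rule[r] ")"
            else print cn, r, "pinned:" rule[r]
        }
    }' "$2" "$1"
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/distributions" <<'EOF'
Codename: squeeze
Update: - debian-squeeze

Codename: squeeze-updates
Update: - debian-squeeze-updates

Codename: bccd-v334
Update: bccd-v334-update
EOF
cat > "$demo/updates" <<'EOF'
Name: debian-squeeze-updates
VerifyRelease: AED4B06F473041FA

Name: bccd-v334-update
Method: http://debmirror.cluster.earlham.edu
VerifyRelease: blindtrust
EOF
update_trust_report "$demo/distributions" "$demo/updates"
```

Against a real setup, pass /home/reprepro/conf/distributions and /home/reprepro/conf/updates as the two arguments.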

apt tricks

Troubleshooting

Troubleshooting signing errors: Correct key not installed

If you get a message like this:

E: Release signed by unknown key (key id B1CE32C942E03786)

Try importing the key to the debian archive keyring:

root@BigFe:~# gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

If this gives you errors, try using apt-key:

root@bigfe:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
Executing: /tmp/apt-key-gpghome.Uqs75DgWFS/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
gpg: key 64481591B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Troubleshooting signing errors: Key length not sufficient

You might also get messages like this from apt-get:

Err:1 http://debmirror.cluster.earlham.edu sid InRelease
  The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
Err:2 http://debmirror.cluster.earlham.edu bccd-v340 InRelease
  The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debmirror.cluster.earlham.edu sid InRelease: The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
W: GPG error: http://debmirror.cluster.earlham.edu bccd-v340 InRelease: The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
E: The repository 'http://debmirror.cluster.earlham.edu bccd-v340 InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

You should examine the referenced key to determine its length:

# gpg --list-keys BDCB71F1A2D14024DC8706B1B1CE32C942E03786
pub   dsa1024 2003-02-02 [SC]
...

As of 2017, apt deprecates SHA1 digests and short keys. Change the key referenced in SignWith in reprepro to one that is at least 4096 bits long with a SHA2 digest, and re-export each repository.
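
To find every affected repository before apt clients start failing, the key-length check above can be run across all SignWith lines at once. This is an added example, not part of the original page: the function name and status labels are assumptions, and the key listing is a constructed sample in the gpg --with-colons layout using key IDs that appear on this page. It assumes SignWith holds a short or long key ID rather than a full fingerprint.

```shell
# Added example: check every SignWith key against the 4096-bit minimum above.
# The key listing and distributions file below are constructed samples.
MIN_BITS=4096

# weak_signing_keys DISTRIBUTIONS COLON_LISTING
# COLON_LISTING is saved output of: gpg --with-colons --list-keys
# Prints "<SignWith id> <algo+bits|unknown> <WEAK|NOT-IN-KEYRING>" per problem key.
weak_signing_keys() {
    awk -v min="$MIN_BITS" '
    BEGIN { name[1] = "rsa"; name[17] = "dsa" }   # OpenPGP public-key algorithm ids
    FNR == NR {                           # first file: colon listing
        split($0, f, ":")
        if (f[1] == "pub") { bits[f[5]] = f[3]; alg[f[5]] = f[4] }
        next
    }
    $1 == "SignWith:" && !seen[$2]++ {    # second file: conf/distributions
        want = toupper($2); found = 0
        for (id in bits) {
            # SignWith often holds a short id, so match the tail of the long id
            if (substr(id, length(id) - length(want) + 1) != want) continue
            found = 1
            if (bits[id] + 0 < min + 0) {
                a = (alg[id] in name) ? name[alg[id]] : "algo" alg[id]
                print want, a bits[id], "WEAK"
            }
        }
        if (!found) print want, "unknown", "NOT-IN-KEYRING"
    }' "$2" "$1"
}

keydemo=$(mktemp -d); trap 'rm -rf "$keydemo"' EXIT
cat > "$keydemo/distributions" <<'EOF'
Codename: squeeze
SignWith: 42E03786

Codename: bccd-v334
SignWith: E6BF09F6 # BCCD key
EOF
cat > "$keydemo/keys.colon" <<'EOF'
pub:u:1024:17:B1CE32C942E03786:2003-02-02:::u:Skylar Thompson::scESC:
pub:-:4096:1:64481591B98321F9:2010-08-07:::-:Squeeze Stable Release Key::scSC:
EOF
weak_signing_keys "$keydemo/distributions" "$keydemo/keys.colon"
```

A NOT-IN-KEYRING line means the listing was taken from a key ring that lacks that key, so run the listing as the account that signs the repository.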

Links
