From BCCD 3.0

Reprepro is the apt repository management software we use for the BCCD. It lives on bigfe in the /home/reprepro directory, and remote access is provided by Apache from the debmirror.cluster.earlham.edu virtual host.

Contents 1 Initial setup 2 Adding a repository 3 Copying a repository 4 Exporting a repository 5 Removing a repository 6 Signing key 6.1 Build setup 6.2 Release engineer setup 7 Mirroring 8 apt tricks 9 Troubleshooting 9.1 Troubleshooting signing errors: Correct key not installed 9.2 Troubleshooting signing errors: Key length not sufficient 10 Links

Initial setup

Based on infrastructureanywhere.com.

1. Login to bigfe
2. Install deb packages: apt-get install reprepro debian-archive-keyring
3. Make the repo directories: mkdir -p /home/reprepro/conf
4. Extract publiey key ID (42E03786 in this case):

   skylar@almaren:/home/reprepro/conf$ gpg --list-keys Skylar
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   pub   1024D/42E03786 2003-02-02
   uid                  Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
   uid                  Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
   uid                  Skylar Thompson <skylar.thompson@gmail.com>
   sub   1024g/990A31DF 2003-02-02
   

5. Make conf/distributions file, setting SignWith to my public key:

   Origin: Debian
   Codename: squeeze
   Description: Official Debian Squeeze mirror
   Architectures: amd64
   Components: main contrib non-free
   UDebComponents: main
   Contents: .gz
   Update: - debian-squeeze
   Log: /home/reprepro/mirror/logs/mirror.log
   SignWith: 42E03786
   
   Origin: Debian
   Codename: squeeze-updates
   Description: Official Debian Squeeze mirror
   Architectures: amd64
   Components: main contrib non-free
   UDebComponents: main
   Contents: .gz
   Update: - debian-squeeze-updates
   Log: /home/reprepro/mirror/logs/mirror.log
   SignWith: 42E03786
   

6. Look for GPG keys installed by the debian-archive-keyring package:

   skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
   /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
   /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
   

7. In this case, you will need to look at both the stable and automatic keys:

   skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   pub  4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
   skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   pub  4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
   

8. You will need to import both keys from a key server:

   skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
   (1)     Squeeze Stable Release Key <debian-release@lists.debian.org>
             4096 bit RSA key B98321F9, created: 2010-08-07
   Keys 1-1 of 1 for "B98321F9".  Enter number(s), N)ext, or Q)uit > 1
   gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
   gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
   gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
   gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
   gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
   gpg: Total number processed: 1
   gpg:               imported: 1  (RSA: 1)
   skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA         gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: searching for "473041FA" from hkp server subkeys.pgp.net
   (1)     Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
             4096 bit RSA key 473041FA, created: 2010-08-27
   Keys 1-1 of 1 for "473041FA".  Enter number(s), N)ext, or Q)uit > 1
   gpg: requesting key 473041FA from hkp server subkeys.pgp.net
   gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
   gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
   gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
   gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
   gpg: Total number processed: 1
   gpg:               imported: 1  (RSA: 1)
   

9. For each of the keys found, import them with gpg and apt-key:

   skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
      awk -F: '/(Squeeze|Archive Automatic)/ {print $5}');
      do
      gpg --keyserver subkeys.pgp.net --recv ${KEY} \
         && gpg --export --armor ${KEY} \
            | sudo apt-key add -
   done
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
   gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
   gpg: Total number processed: 1
   gpg:              unchanged: 1
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   OK
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
   gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
   gpg: Total number processed: 1
   gpg:              unchanged: 1
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   OK
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: requesting key 473041FA from hkp server subkeys.pgp.net
   gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
   gpg: Total number processed: 1
   gpg:              unchanged: 1
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
   OK
   

10. Make conf/updates file, using VerifyRelease from Debian squeeze:

    Method: http://debian.osuosl.org/debian
    Suite: Squeeze
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    Name: debian-squeeze-updates
    Method: http://debian.osuosl.org/debian
    Suite: squeeze-updates
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64
    VerifyRelease: AED4B06F473041FA
    
    

11. Within the /home/reprepro directory, run reprepro -V update
12. Create an ASCII export of your GPG key and copy it to bigfe: gpg -a --export key-id > /var/tmp/key-id.gpg
13. As root on bigfe, add your key to /etc/apt/trusted.gpg: apt-key add < /var/tmp/key-id.gpg

Adding a repository

1. Make sure you have the E6BF09F6 signing key in your gpg --list-secret-keys output.
2. Enter the reprepro directory: pushd /home/reprepro
3. Add to conf/distributions:

   Origin: BCCD
   Label: BCCD
   Codename: bccd-v334
   Architectures: i386 amd64 source
   Components: main
   Description: Packages for BCCD v3.3.4
   # Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
   SignWith: E6BF09F6 # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
   

4. Add packages (repo doesn't exist until it has packages): reprepro includedeb bccd-v332 *.deb
5. If you get errors about packages not being exported, export manually: reprepro export bccd-v332

Copying a repository

1. Add a new repository (see above).
2. Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):

   for ARCH in i386 amd64; do
      reprepro -A ${ARCH} list bccd-v332|awk '{print $2}'|xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
   done
   

Exporting a repository

If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase: reprepro --ask-passphrase export bccd-v340

Removing a repository

1. Delete from /home/reprepro/conf/distributions
2. Run reprepro --delete clearvanished

Signing key

Build setup

The signing GPG key has ID E6BF09F6 and should be set in the SignWith line for the distribution in conf/distributions. For instance:

Origin: BCCD
Label: BCCD
Codename: bccd-v334
Architectures: i386 amd64 source
Components: main
Description: Packages for BCCD v3.3.4
# Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
SignWith: E6BF09F6 # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key

The ASCII armor output of the public key should live in the SVN repository in trees/keys/E6BF09F6.gpg, and will be added automatically to the system's local apt key ring as part of the build.

Submit this key to a public key server as well: gpg --keyserver pgp.mit.edu --send-key E6BF09F6

Release engineer setup

The public and private keys should live in your own key ring in ~/.gnupg. If you do not have it, talk to one of the Release Engineers for the key pair and password. To import:

1. Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
   1. gpg --armor --export E6BF09F6
   2. gpg --armor --export-secret-key E6BF09F6
2. Import in your account on bigfe:
   1. gpg --import
   2. gpg --allow-secret-key-import --import

See Trac #984 for details.

Mirroring

1. Fetch the conf directory from SVN
2. Add an Update: field to each repo that you would like to mirror in conf/distributions. For instance, for bccd-v334, you might put in Update: bccd-v334-update
3. Add each repo to conf/updates:

   Name: bccd-v334-update
   Method: http://debmirror.cluster.earlham.edu
   VerifyRelease: blindtrust
   

4. Run reprepro -V update

apt tricks

• Which repo is a package coming from? apt-cache showpkg pkg-name

Troubleshooting

• List all checksums in DB: reprepro _listchecksums
• Forget about a package in the DB (probably want to delete it w/ rm first): reprepro _forget pool/main/i/icu4j-4.2/icu4j-4.2_4.2.1.1.orig.tar.gz
  • Also can grep for that checksum in the lists directory to get a filename

Troubleshooting signing errors: Correct key not installed

If you get a message like this:

E: Release signed by unknown key (key id B1CE32C942E03786)

Try importing the key to the debian archive keyring:

root@BigFe:~#  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

If this gives you errors, try using apt-key:

root@bigfe:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
Executing: /tmp/apt-key-gpghome.Uqs75DgWFS/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
gpg: key 64481591B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Troubleshooting signing errors: Key length not sufficient

You might also get these messages like this with apt-get:

Err:1 http://debmirror.cluster.earlham.edu sid InRelease
  The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
Err:2 http://debmirror.cluster.earlham.edu bccd-v340 InRelease
  The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://debmirror.cluster.earlham.edu sid InRelease: The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
W: GPG error: http://debmirror.cluster.earlham.edu bccd-v340 InRelease: The following signatures were invalid: BDCB71F1A2D14024DC8706B1B1CE32C942E03786
E: The repository 'http://debmirror.cluster.earlham.edu bccd-v340 InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

You should examine the referenced key to determine its length:

# gpg --list-keys BDCB71F1A2D14024DC8706B1B1CE32C942E03786
pub   dsa1024 2003-02-02 [SC]
...

As of 2017, apt deprecates SHA1 digests and short keys. Change the key referenced in SignWith in reprepro to one that is at least 4096 bits long with a SHA2 digest, and re-export each repository.

Links

• Undocumented features manual