Reprepro

From BCCD 3.0

(Difference between revisions)
Line 182: Line 182:
  <li>Run <code>reprepro --delete clearvanished</code>
  <li>Run <code>reprepro --delete clearvanished</code>
</ol>
</ol>
 +
 +
= Signing key =
 +
 +
The signing GPG key has ID E6BF09F6. It should live in your own key ring. If you do not have it, talk to one of the [[ReleaseEngineer|Release Engineers]] for the password. To import:
 +
 +
# Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
 +
## <code>gpg --armor --export E6BF09F6</code>
 +
## <code>gpg --armor --export-secret-key E6BF09F6</code>
 +
# Import in your account on bigfe:
 +
## <code>gpg --import</code>
 +
## <code>gpg --allow-secret-key-import --import</code>
 +
 +
See [https://cluster.earlham.edu/trac/bccd-ng/ticket/984 Trac #984] for details.
= apt tricks =
= apt tricks =
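Review bot: In the added "Signing key" section, both export commands write to stdout and both import commands read stdin, so the steps never say where the secret-key export is stored, how it reaches bigfe, or when it is destroyed; "physical security of the exports" is left entirely to the reader. Suggest naming an export file created under a restrictive umask, stating the transfer channel, and adding a final step that deletes the export once `gpg --allow-secret-key-import --import` has succeeded. The section also identifies the key only by the 8-digit ID E6BF09F6; short key IDs are not unique, so list the full fingerprint for the importer to compare. Minor: "password" presumably means the key's passphrase, and a blank line before `= apt tricks =` would keep the headings separated.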

Revision as of 22:39, 15 October 2016

Initial setup

Based on infrastructureanywhere.com.

  1. Install deb packages: apt-get install reprepro debian-archive-keyring
  2. Make the repo directories: mkdir -p /var/spool/reprepro/conf
  3. Extract public key ID (42E03786 in this case):
    skylar@almaren:/var/spool/reprepro/conf$ gpg --list-keys Skylar
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub   1024D/42E03786 2003-02-02
    uid                  Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
    uid                  Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
    uid                  Skylar Thompson <skylar.thompson@gmail.com>
    sub   1024g/990A31DF 2003-02-02
    
  4. Make conf/distributions file, setting SignWith to the key ID from step 3:
    Origin: Debian
    Codename: squeeze
    Description: Official Debian Squeeze mirror
    Architectures: i386 amd64 source
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze
    Log: /var/spool/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
    Origin: Debian
    Codename: squeeze-updates
    Description: Official Debian Squeeze mirror
    Architectures: i386 amd64 source
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze-updates
    Log: /var/spool/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
  5. Look for GPG keys installed by the debian-archive-keyring package:
    skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    
  6. In this case, you will need to look at both the stable and automatic keys:
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
    
  7. You will need to import both keys from a key server:
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
    (1)     Squeeze Stable Release Key <debian-release@lists.debian.org>
              4096 bit RSA key B98321F9, created: 2010-08-07
    Keys 1-1 of 1 for "B98321F9".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "473041FA" from hkp server subkeys.pgp.net
    (1)     Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
              4096 bit RSA key 473041FA, created: 2010-08-27
    Keys 1-1 of 1 for "473041FA".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
  8. For each of the keys found, import them with gpg and apt-key:
    skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
       awk -F: '/(Squeeze|Archive Automatic)/ {print $5}');
       do
       gpg --keyserver subkeys.pgp.net --recv ${KEY} \
          && gpg --export --armor ${KEY} \
             | sudo apt-key add -
    done
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
    gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    
  9. Make conf/updates file, using VerifyRelease from Debian squeeze:
    Name: debian-squeeze
    Method: http://debian.osuosl.org/debian
    Suite: squeeze
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    Name: debian-squeeze-updates
    Method: http://debian.osuosl.org/debian
    Suite: squeeze-updates
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    
  10. Within the /var/spool/reprepro directory, run reprepro -V update
  11. Create an ASCII export of your GPG key and copy it to bigfe: gpg -a --export key-id > /var/tmp/key-id.gpg
  12. As root on bigfe, add your key to /etc/apt/trusted.gpg: apt-key add < /var/tmp/key-id.gpg
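
Step 8 selects keys by matching UID text, and its output shows the lenny key 55BE302B being picked up alongside the two squeeze keys. The following is an added example, not part of the original page: it reads a `gpg --with-colons` listing and accepts only keys whose long ID is pinned. The sample listing is constructed, and the zero-padded IDs in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): classify keyring entries by
# pinned long key ID instead of by UID text.

# Constructed sample of `gpg --with-colons --list-keys` output. Zero-padded
# key IDs are placeholders; AED4B06F473041FA is the VerifyRelease ID in step 9.
sample_keys() {
    cat <<'EOF'
pub:-:4096:1:AED4B06F473041FA::::-:Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>:
pub:-:4096:1:0000000055BE302B::::-:Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>:
pub:-:4096:1:00000000B98321F9::::::
uid:-::::::::Squeeze Stable Release Key <debian-release@lists.debian.org>:
EOF
}

# stdin: colon listing; $1: space-separated pinned long key IDs.
# Prints "OK id uid" for pinned keys and "UNPINNED id uid" for keys that the
# UID pattern from step 8 would have selected but that are not pinned.
classify_keys() {
    awk -F: -v pins="$1" '
        function report(uid) {
            if (keyid in pinned) print "OK", keyid, uid
            else if (uid ~ /(Squeeze|Archive Automatic)/) print "UNPINNED", keyid, uid
        }
        BEGIN { n = split(toupper(pins), p, " "); for (i = 1; i <= n; i++) pinned[p[i]] = 1 }
        $1 == "pub" { keyid = toupper($5); if ($10 != "") report($10) }  # gpg 1.x: primary UID on the pub record
        $1 == "uid" && keyid != "" { report($10) }                       # gpg 2.x: UIDs on their own records
    '
}

sample_keys | classify_keys "AED4B06F473041FA"
```

Only the `OK` keys should be exported to `apt-key add`; an `UNPINNED` line means a key with a matching name is in the keyring but has not been checked against a known ID.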

Adding a repository

  1. Make sure your GPG secret key is in gpg --list-secret-keys output.
  2. Enter the reprepro directory: pushd /var/spool/reprepro
  3. Add to conf/distributions:
    Origin: BCCD
    Label: BCCD
    Codename: bccd-v332
    Suite: v332
    Architectures: i386 amd64 source
    Components: main
    Description: Packages for BCCD v3.3.2
    SignWith: 42E03786 # Skylar's key
    
  4. Add packages (repo doesn't exist until it has packages): reprepro includedeb bccd-v332 *.deb
  5. If you get errors about packages not being exported, export manually: reprepro export bccd-v332

Copying a repository

  1. Add a new repository (see above).
  2. Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):
    for ARCH in i386 amd64; do
       reprepro -A ${ARCH} list bccd-v332|awk '{print $2}'|xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
    done
    

Exporting a repository

If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase: reprepro --ask-passphrase export bccd-v340

Removing a repository

  1. Delete from /var/spool/reprepro/conf/distributions
  2. Run reprepro --delete clearvanished

Signing key

The signing GPG key has ID E6BF09F6. It should live in your own key ring. If you do not have it, talk to one of the Release Engineers for the password. To import:

  1. Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
    1. gpg --armor --export E6BF09F6
    2. gpg --armor --export-secret-key E6BF09F6
  2. Import in your account on bigfe:
    1. gpg --import
    2. gpg --allow-secret-key-import --import

See Trac #984 for details.
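
The hand-off above, written out as an added example that is not part of the original page: the export goes to an owner-only file, the recipient checks the file before importing, and the export is removed afterwards. The file paths are chosen by the caller and are hypothetical; how the file travels between the two accounts is not covered here.

```shell
#!/bin/sh
# Added example (not from the original page): hand-off of the signing key.
KEYID=E6BF09F6   # signing key ID given on this page

# Release engineer: write the armored secret key to a file only the owner can read.
export_signing_key() {   # $1 = output path (hypothetical, chosen by the caller)
    ( umask 077 && gpg --armor --export-secret-keys "$KEYID" > "$1" )
}

# Succeed only if $1 is a regular, non-symlink file with no group/other
# permission bits whose first line is the armored private key header.
export_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$'
}

# Recipient on bigfe: check the file, import it, confirm the secret key
# arrived, then remove the export.
import_signing_key() {   # $1 = path of the transferred export
    export_is_private "$1" || { echo "refusing $1: unexpected type, mode or content" >&2; return 1; }
    gpg --import "$1" || return 1
    gpg --list-secret-keys "$KEYID" >/dev/null || return 1
    shred -u "$1" 2>/dev/null || rm -f "$1"
}

# Usage: export_signing_key /path/to/export.asc   (release engineer)
#        import_signing_key /path/to/export.asc   (recipient on bigfe)
```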

apt tricks

Signing errors

If you get a message like this:
E: Release signed by unknown key (key id B1CE32C942E03786)
Try importing the key to the debian archive keyring:
root@BigFe:~#  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
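
Before importing a key named in that error, it is worth confirming that it is a key the repository is actually configured to sign with. The following is an added example, not part of the original page: it compares the key ID in the apt error with the SignWith values in conf/distributions. The configuration excerpt is constructed from the BCCD stanza shown earlier.

```shell
#!/bin/sh
# Added example (not from the original page): check the key ID in apt's
# "unknown key" error against the SignWith IDs of this repository.

sample_msg='E: Release signed by unknown key (key id B1CE32C942E03786)'  # from this page

# Constructed excerpt of conf/distributions using this page's BCCD stanza.
sample_conf() {
    cat <<'EOF'
Origin: BCCD
Label: BCCD
Suite: v332
SignWith: 42E03786 # Skylar's key
EOF
}

# Print the hexadecimal key ID quoted in an apt error line, upper-cased.
error_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*(key id \([0-9A-Fa-f]\{8,40\}\)).*/\1/p' | tr 'a-f' 'A-F'
}

# stdin: conf/distributions. Print each SignWith key ID (8+ hex digits),
# ignoring trailing comments and non-ID values such as "yes" or "default".
configured_signers() {
    sed -n 's/^SignWith:[[:space:]]*\([0-9A-Fa-f]\{8,\}\).*/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# $1: apt error line; stdin: conf/distributions.
# Returns 0 if the reported ID ends with a configured ID, 1 if not, 2 if no ID was found.
is_configured_signer() {
    keyid=$(error_keyid "$1")
    [ -n "$keyid" ] || return 2
    for signer in $(configured_signers); do
        case "$keyid" in *"$signer") return 0 ;; esac
    done
    return 1
}

if sample_conf | is_configured_signer "$sample_msg"; then
    echo "reported key matches SignWith; compare its full fingerprint before importing"
else
    echo "reported key is not a configured signer; do not import it"
fi
```

A match on an 8-digit SignWith value is only as strong as a short key ID, so the check is tighter when SignWith holds the full fingerprint.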

Troubleshooting

Links
