Reprepro

From BCCD 3.0

(Difference between revisions)
(Signing key)
Line 185: Line 185:
= Signing key =
= Signing key =
-
The signing GPG key has ID E6BF09F6. It should live in your own key ring. If you do not have it, talk to one of the [[ReleaseEngineer|Release Engineers]] for the password. To import:
+
The signing GPG key has ID E6BF09F6 and should be set in the <code>SignWith</code> line for the distribution in <code>conf/distributions</code>. The public and private keys should live in your own key ring in <code>~/.gnupg</code>. If you do not have it, talk to one of the [[ReleaseEngineer|Release Engineers]] for the password. To import:
# Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
# Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
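Review bot: on the added line, "If you do not have it, talk to one of the Release Engineers for the password" is ambiguous now that the preceding sentence covers both the public and the private key: "it" reads as the key, while what is offered is a password. Suggest wording such as "If you do not have the key, ask one of the Release Engineers for an export of it and for its passphrase", which also matches the export step that follows.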

Revision as of 22:44, 15 October 2016

Initial setup

Based on infrastructureanywhere.com.

  1. Install deb packages: apt-get install reprepro debian-archive-keyring
  2. Make the repo directories: mkdir -p /var/spool/reprepro/conf
  3. Extract public key ID (42E03786 in this case):
    skylar@almaren:/var/spool/reprepro/conf$ gpg --list-keys Skylar
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub   1024D/42E03786 2003-02-02
    uid                  Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
    uid                  Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
    uid                  Skylar Thompson <skylar.thompson@gmail.com>
    sub   1024g/990A31DF 2003-02-02
    
  4. Make conf/distributions file, setting SignWith to the ID of my key:
    Origin: Debian
    Codename: squeeze
    Description: Official Debian Squeeze mirror
    Architectures: i386 amd64 source
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze
    Log: /var/spool/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
    Origin: Debian
    Codename: squeeze-updates
    Description: Official Debian Squeeze mirror
    Architectures: i386 amd64 source
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze-updates
    Log: /var/spool/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
  5. Look for GPG keys installed by the debian-archive-keyring package:
    skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    
  6. In this case, you will need to look at both the stable and automatic keys:
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
    
  7. You will need to import both keys from a key server:
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
    (1)     Squeeze Stable Release Key <debian-release@lists.debian.org>
              4096 bit RSA key B98321F9, created: 2010-08-07
    Keys 1-1 of 1 for "B98321F9".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "473041FA" from hkp server subkeys.pgp.net
    (1)     Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
              4096 bit RSA key 473041FA, created: 2010-08-27
    Keys 1-1 of 1 for "473041FA".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
  8. For each of the keys found, import them with gpg and apt-key:
    skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
       awk -F: '/(Squeeze|Archive Automatic)/ {print $5}');
       do
       gpg --keyserver subkeys.pgp.net --recv ${KEY} \
          && gpg --export --armor ${KEY} \
             | sudo apt-key add -
    done
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
    gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    
  9. Make conf/updates file, using VerifyRelease from Debian squeeze:
    Name: debian-squeeze
    Method: http://debian.osuosl.org/debian
    Suite: squeeze
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    Name: debian-squeeze-updates
    Method: http://debian.osuosl.org/debian
    Suite: squeeze-updates
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    
  10. Within the /var/spool/reprepro directory, run reprepro -V update
  11. Create an ASCII export of your GPG key and copy it to bigfe: gpg -a --export key-id > /var/tmp/key-id.gpg
  12. As root on bigfe, add your key to /etc/apt/trusted.gpg: apt-key add < /var/tmp/key-id.gpg
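
The Update lines in conf/distributions refer to conf/updates stanzas by their Name, and a stanza without VerifyRelease is mirrored without a signature check on its Release file. The function below is an added example, not part of the original page or of reprepro; the name check_reprepro_conf and the sample files it builds are constructed for illustration. It reports stanzas that break those links:

```shell
#!/bin/sh
# Added example, not BCCD project code: cross-check reprepro conf/updates
# against conf/distributions. Prints one line per problem; returns 1 if any.
check_reprepro_conf() {   # $1 = directory holding "updates" and "distributions"
    awk '
    function problem(msg) { print kind ": " msg; bad = 1 }
    function finish(    i, n, u, id) {       # called at the end of every stanza
        if (!open) return
        if (kind == "updates") {
            id = f["name"]
            if (id == "") problem("stanza at line " start " has no Name")
            else rules[id] = 1
            if (f["verifyrelease"] == "") problem(id ": no VerifyRelease, Release file is not checked")
        } else {
            id = f["codename"]
            if (id == "") problem("stanza at line " start " has no Codename")
            if (f["signwith"] == "") problem(id ": no SignWith, indices are exported unsigned")
            n = split(f["update"], u, " ")
            for (i = 1; i <= n; i++)         # "-" is a special reprepro rule, not a Name
                if (u[i] != "-" && !(u[i] in rules))
                    problem(id ": Update rule " u[i] " not defined in conf/updates")
        }
        split("", f); open = 0               # clear the field table
    }
    FNR == 1     { finish(); kind = FILENAME; sub(/.*\//, "", kind) }
    /^[ \t]*#/   { next }                    # comment line
    /^[ \t]*$/   { finish(); next }          # blank line ends a stanza
    /^[ \t]/     { next }                    # continuation of the previous field
    {
        if (!open) { open = 1; start = FNR }
        key = tolower($0); sub(/:.*/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        f[key] = val
    }
    END { finish(); exit bad + 0 }
    ' "$1/updates" "$1/distributions"
}

# Constructed sample: two update stanzas, the first one missing its Name line.
demo=$(mktemp -d)
printf '%s\n' 'Method: http://debian.osuosl.org/debian' 'Suite: squeeze' \
    'VerifyRelease: AED4B06F473041FA' '' 'Name: debian-squeeze-updates' \
    'Suite: squeeze-updates' 'VerifyRelease: AED4B06F473041FA' > "$demo/updates"
printf '%s\n' 'Codename: squeeze' 'Update: - debian-squeeze' 'SignWith: 42E03786' \
    '' 'Codename: squeeze-updates' 'Update: - debian-squeeze-updates' \
    'SignWith: 42E03786' > "$demo/distributions"
check_reprepro_conf "$demo" || echo "conf check failed"
rm -rf "$demo"
```

Run it as check_reprepro_conf /var/spool/reprepro/conf before reprepro -V update; a non-zero return means at least one stanza needs attention.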

Adding a repository

  1. Make sure your GPG secret key is in gpg --list-secret-keys output.
  2. Enter the reprepro directory: pushd /var/spool/reprepro
  3. Add to conf/distributions:
    Origin: BCCD
    Label: BCCD
    Codename: bccd-v332
    Suite: v332
    Architectures: i386 amd64 source
    Components: main
    Description: Packages for BCCD v3.3.2
    SignWith: 42E03786 # Skylar's key
    
  4. Add packages (repo doesn't exist until it has packages): reprepro includedeb bccd-v332 *.deb
  5. If you get errors about packages not being exported, export manually: reprepro export bccd-v332

Copying a repository

  1. Add a new repository (see above).
  2. Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):
    for ARCH in i386 amd64; do
       reprepro -A ${ARCH} list bccd-v332|awk '{print $2}'|xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
    done
    

Exporting a repository

If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase: reprepro --ask-passphrase export bccd-v340

Removing a repository

  1. Delete from /var/spool/reprepro/conf/distributions
  2. Run reprepro --delete clearvanished

Signing key

The signing GPG key has ID E6BF09F6 and should be set in the SignWith line for the distribution in conf/distributions. The public and private keys should live in your own key ring in ~/.gnupg. If you do not have it, talk to one of the Release Engineers for the password. To import:

  1. Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
    1. gpg --armor --export E6BF09F6
    2. gpg --armor --export-secret-key E6BF09F6
  2. Import in your account on bigfe:
    1. gpg --import
    2. gpg --allow-secret-key-import --import

See Trac #984 for details.

apt tricks

Signing errors

If you get a message like this:
E: Release signed by unknown key (key id B1CE32C942E03786)
Try importing the key to the debian archive keyring:
root@BigFe:~#  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Troubleshooting

Links
