Reprepro

From BCCD 3.0

(Difference between revisions)
(Mirroring)
Line 221: Line 221:
= Mirroring =
= Mirroring =
-
# Fetch the <code>[https://cluster.earlham.edu/trac/bccd-ng/browser/cluster/svnroot/bccd-ng/reprepro conf]</code> directory from SVN
+
<ol>
 +
<li>Fetch the <code>[https://cluster.earlham.edu/trac/bccd-ng/browser/cluster/svnroot/bccd-ng/reprepro conf]</code> directory from SVN</li>
 +
<li> Add an <code>Update:</code> field to each repo that you would like to mirror in <code>conf/distributions</code>. For instance, for <code>bccd-v334</code>, you might put in <code>Update: bccd-v334-update</code></li>
 +
<li>Add each repo to <code>conf/updates</code>: <pre>
 +
Name: bccd-v334-update
 +
Method: http://debmirror.cluster.earlham.edu
 +
VerifyRelease: blindtrust
 +
</pre></li>
 +
<li>Run <code><b>reprepro</b> -V update</code></li>
 +
</ol>
= apt tricks =
= apt tricks =
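Review bot: In the added conf/updates stanza, VerifyRelease: blindtrust combined with Method: http://debmirror.cluster.earlham.edu makes the mirror accept the upstream Release file with no signature check over an unencrypted transport, so the package indices it pulls are not authenticated at all. Suggest setting VerifyRelease to the long key ID of the key that signs the source repositories (this page documents the BCCD SignWith key by its short ID E6BF09F6) and adding a step, before "Run reprepro -V update", that imports that public key into the keyring of the user running reprepro. If blindtrust has to stay, the step text should say why.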

Revision as of 03:21, 1 August 2017

Reprepro is the apt repository management software we use for the BCCD. It lives on bigfe in the /var/spool/reprepro directory, and remote access is provided by Apache from the debmirror.cluster.earlham.edu virtual host.


Initial setup

Based on infrastructureanywhere.com.

  1. Log in to bigfe
  2. Install deb packages: apt-get install reprepro debian-archive-keyring
  3. Make the repo directories: mkdir -p /var/spool/reprepro/conf
  4. Extract public key ID (42E03786 in this case):
    skylar@almaren:/var/spool/reprepro/conf$ gpg --list-keys Skylar
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub   1024D/42E03786 2003-02-02
    uid                  Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
    uid                  Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
    uid                  Skylar Thompson <skylar.thompson@gmail.com>
    sub   1024g/990A31DF 2003-02-02
    
  5. Make conf/distributions file, setting SignWith to my public key:
    Origin: Debian
    Codename: squeeze
    Description: Official Debian Squeeze mirror
    Architectures: i386 amd64 source
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze
    Log: /var/spool/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
    Origin: Debian
    Codename: squeeze-updates
    Description: Official Debian Squeeze mirror
    Architectures: i386 amd64 source
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze-updates
    Log: /var/spool/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
    
  6. Look for GPG keys installed by the debian-archive-keyring package:
    skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    
  7. In this case, you will need to look at both the stable and automatic keys:
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub  4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
    
  8. You will need to import both keys from a key server:
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
    (1)     Squeeze Stable Release Key <debian-release@lists.debian.org>
              4096 bit RSA key B98321F9, created: 2010-08-07
    Keys 1-1 of 1 for "B98321F9".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "473041FA" from hkp server subkeys.pgp.net
    (1)     Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
              4096 bit RSA key 473041FA, created: 2010-08-27
    Keys 1-1 of 1 for "473041FA".  Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
  9. For each of the keys found, import them with gpg and apt-key:
    skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
       awk -F: '/(Squeeze|Archive Automatic)/ {print $5}');
       do
       gpg --keyserver subkeys.pgp.net --recv ${KEY} \
          && gpg --export --armor ${KEY} \
             | sudo apt-key add -
    done
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
    gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    
  10. Make conf/updates file, using VerifyRelease from Debian squeeze. Each stanza needs a Name that matches the Update: entry in conf/distributions:
    Name: debian-squeeze
    Method: http://debian.osuosl.org/debian
    Suite: squeeze
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    Name: debian-squeeze-updates
    Method: http://debian.osuosl.org/debian
    Suite: squeeze-updates
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA
    
    
  11. Within the /var/spool/reprepro directory, run reprepro -V update
  12. Create an ASCII export of your GPG key and copy it to bigfe: gpg -a --export key-id > /var/tmp/key-id.gpg
  13. As root on bigfe, add your key to /etc/apt/trusted.gpg: apt-key add < /var/tmp/key-id.gpg
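
Steps 8 and 9 select keys by 8-digit ID or by name before handing them to apt-key. As an added example (not part of the original wiki page), the shell functions below compare full fingerprints from `gpg --with-colons --fingerprint` output against a pinned list and report every primary key that is not pinned. The listing and both fingerprints are constructed placeholders, and the second key is a hypothetical one that shares the short ID 473041FA.

```shell
#!/bin/sh
# Added example: pin archive keys by full fingerprint, not short ID or name.

# Constructed placeholder fingerprints (NOT the real Debian key fingerprints).
FPR_GOOD=AAAAAAAAAAAAAAAAAAAAAAAAAED4B06F473041FA
FPR_LOOKALIKE=BBBBBBBBBBBBBBBBBBBBBBBBDEADBEEF473041FA

# Constructed stand-in for `gpg --with-colons --fingerprint` output.
# The second key is hypothetical: same uid, same short ID 473041FA.
sample_listing() {
cat <<EOF
pub:-:4096:1:AED4B06F473041FA:1282940623:::-:::scSC:
fpr:::::::::${FPR_GOOD}:
uid:-::::1282940623::X::Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>:
pub:-:4096:1:DEADBEEF473041FA:1400000000:::-:::scSC:
fpr:::::::::${FPR_LOOKALIKE}:
uid:-::::1400000000::X::Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC0123456789ABCDEF:
EOF
}

# Print "<fingerprint> <long key ID>" for each primary key on stdin.
# Subkey fingerprints (the fpr record after a sub record) are skipped.
list_primary_fprs() {
  awk -F: '
    $1 == "pub" { keyid = $5; want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10, keyid; want = 0 }
  '
}

# unpinned_keys FPR...: print "<long key ID> <fingerprint>" for every primary
# key on stdin whose full fingerprint is not among the arguments.
unpinned_keys() {
  list_primary_fprs | while read -r fpr keyid; do
    pinned=no
    for pin in "$@"; do
      # Accept pins pasted in gpg's spaced or lower-case form.
      pin=$(printf '%s' "$pin" | tr -d ' ' | tr 'a-f' 'A-F')
      if [ "$fpr" = "$pin" ]; then pinned=yes; fi
    done
    if [ "$pinned" = no ]; then echo "$keyid $fpr"; fi
  done
}

# Reports only the lookalike key, although both share short ID 473041FA.
sample_listing | unpinned_keys "$FPR_GOOD"
```

Against a real keyring, pipe `gpg --with-colons --fingerprint` into `unpinned_keys` with fingerprints obtained out of band; an empty result means every primary key in the ring is pinned.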

Adding a repository

  1. Make sure you have the E6BF09F6 signing key in your gpg --list-secret-keys output.
  2. Enter the reprepro directory: pushd /var/spool/reprepro
  3. Add to conf/distributions:
    Origin: BCCD
    Label: BCCD
    Codename: bccd-v334
    Architectures: i386 amd64 source
    Components: main
    Description: Packages for BCCD v3.3.4
    # Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
    SignWith: E6BF09F6 # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
    
  4. Add packages (repo doesn't exist until it has packages): reprepro includedeb bccd-v332 *.deb
  5. If you get errors about packages not being exported, export manually: reprepro export bccd-v332

Copying a repository

  1. Add a new repository (see above).
  2. Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):
    for ARCH in i386 amd64; do
       reprepro -A ${ARCH} list bccd-v332|awk '{print $2}'|xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
    done
    

Exporting a repository

If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase: reprepro --ask-passphrase export bccd-v340

Removing a repository

  1. Delete from /var/spool/reprepro/conf/distributions
  2. Run reprepro --delete clearvanished

Signing key

Build setup

The signing GPG key has ID E6BF09F6 and should be set in the SignWith line for the distribution in conf/distributions. For instance:

Origin: BCCD
Label: BCCD
Codename: bccd-v334
Architectures: i386 amd64 source
Components: main
Description: Packages for BCCD v3.3.4
# Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
SignWith: E6BF09F6 # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key

The ASCII armor output of the public key should live in the SVN repository in trees/keys/E6BF09F6.gpg, and will be added automatically to the system's local apt key ring as part of the build.

Release engineer setup

The public and private keys should live in your own key ring in ~/.gnupg. If you do not have it, talk to one of the Release Engineers for the key pair and password. To import:

  1. Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
    1. gpg --armor --export E6BF09F6
    2. gpg --armor --export-secret-key E6BF09F6
  2. Import in your account on bigfe:
    1. gpg --import
    2. gpg --allow-secret-key-import --import

See Trac #984 for details.

Mirroring

  1. Fetch the conf directory from SVN
  2. Add an Update: field to each repo that you would like to mirror in conf/distributions. For instance, for bccd-v334, you might put in Update: bccd-v334-update
  3. Add each repo to conf/updates:
    Name: bccd-v334-update
    Method: http://debmirror.cluster.earlham.edu
    VerifyRelease: blindtrust
    
  4. Run reprepro -V update
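
An added example, not part of the BCCD wiki or of reprepro: a shell function that lists the conf/updates stanzas whose Release signature is not checked, meaning VerifyRelease: blindtrust as in step 3 above, or no VerifyRelease field. The sample input is constructed from stanzas on this page plus one hypothetical stanza (example-unverified); reporting an absent field as a finding is this example's assumption.

```shell
#!/bin/sh
# Added example: list conf/updates stanzas that pull without a signature check.

# Constructed sample: two stanzas from this page plus one hypothetical
# stanza (example-unverified) that has no VerifyRelease field.
sample_updates() {
cat <<'EOF'
Name: debian-squeeze
Method: http://debian.osuosl.org/debian
Suite: squeeze
VerifyRelease: AED4B06F473041FA

Name: bccd-v334-update
Method: http://debmirror.cluster.earlham.edu
VerifyRelease: blindtrust

# hypothetical stanza
Name: example-unverified
Method: http://mirror.example.invalid/debian
EOF
}

# audit_updates [FILE]: print "<Name> <VerifyRelease> <Method>" for each
# stanza that uses blindtrust or has no VerifyRelease field.
# Reads stdin when no file is given.
audit_updates() {
  awk '
    function emit() {
      if (seen && (verify == "" || tolower(verify) == "blindtrust"))
        print name, (verify == "" ? "(absent)" : verify), method
      seen = 0; name = "(unnamed)"; method = "-"; verify = ""
    }
    BEGIN { name = "(unnamed)"; method = "-" }
    /^[ \t]*#/ { next }              # comment line
    /^[ \t]*$/ { emit(); next }      # blank line ends a stanza
    /^[ \t]/   { next }              # continuation of the previous field
    {
      p = index($0, ":"); if (p == 0) next
      key = tolower(substr($0, 1, p - 1))
      val = substr($0, p + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      seen = 1
      if (key == "name") name = val
      else if (key == "method") method = val
      else if (key == "verifyrelease") verify = val
    }
    END { emit() }
  ' "$@"
}

sample_updates | audit_updates
```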

apt tricks

Troubleshooting

Troubleshooting signing errors

If you get a message like this:
E: Release signed by unknown key (key id B1CE32C942E03786)
Try importing the key to the debian archive keyring:
root@BigFe:~#  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Links
