Reprepro
From BCCD 3.0
Revision as of 04:19, 7 February 2018
Reprepro is the apt repository management software we use for the BCCD. It lives on bigfe in the /home/reprepro directory, and remote access is provided by Apache from the debmirror.cluster.earlham.edu virtual host.
Initial setup
Based on infrastructureanywhere.com.
- Login to bigfe
- Install deb packages:
apt-get install reprepro debian-archive-keyring
- Make the repo directories:
mkdir -p /home/reprepro/conf
- Extract public key ID (42E03786 in this case):
    skylar@almaren:/home/reprepro/conf$ gpg --list-keys Skylar
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub 1024D/42E03786 2003-02-02
    uid Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>
    uid Skylar Thompson (Home e-mail) <skylar@os2.dhs.org>
    uid Skylar Thompson <skylar.thompson@gmail.com>
    sub 1024g/990A31DF 2003-02-02
- Make conf/distributions file, setting SignWith to my public key:
    Origin: Debian
    Codename: squeeze
    Description: Official Debian Squeeze mirror
    Architectures: amd64
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze
    Log: /home/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786

    Origin: Debian
    Codename: squeeze-updates
    Description: Official Debian Squeeze mirror
    Architectures: amd64
    Components: main contrib non-free
    UDebComponents: main
    Contents: .gz
    Update: - debian-squeeze-updates
    Log: /home/reprepro/mirror/logs/mirror.log
    SignWith: 42E03786
- Look for GPG keys installed by the debian-archive-keyring package:
    skylar@almaren:/tmp$ dpkg -L debian-archive-keyring|egrep 'squeeze.*gpg$'
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
- In this case, you will need to look at both the stable and automatic keys:
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub 4096R/473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
    skylar@almaren:/tmp$ gpg /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    pub 4096R/B98321F9 2010-08-07 Squeeze Stable Release Key <debian-release@lists.debian.org>
- You will need to import both keys from a key server:
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys B98321F9
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "B98321F9" from hkp server subkeys.pgp.net
    (1) Squeeze Stable Release Key <debian-release@lists.debian.org>
          4096 bit RSA key B98321F9, created: 2010-08-07
    Keys 1-1 of 1 for "B98321F9". Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
    skylar@almaren:/tmp$ gpg --keyserver subkeys.pgp.net --search-keys 473041FA
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: searching for "473041FA" from hkp server subkeys.pgp.net
    (1) Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.o
          4096 bit RSA key 473041FA, created: 2010-08-27
    Keys 1-1 of 1 for "473041FA". Enter number(s), N)ext, or Q)uit > 1
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: public key "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
- For each of the keys found, import them with gpg and apt-key:
    skylar@almaren:/tmp$ for KEY in $(gpg --with-colons --list-key | \
        awk -F: '/(Squeeze|Archive Automatic)/ {print $5}'); do
      gpg --keyserver subkeys.pgp.net --recv ${KEY} \
      && gpg --export --armor ${KEY} \
      | sudo apt-key add -
    done
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
    gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key B98321F9 from hkp server subkeys.pgp.net
    gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: requesting key 473041FA from hkp server subkeys.pgp.net
    gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    gpg: NOTE: old default options file `/home/skylar/.gnupg/options' ignored
    OK
- Make conf/updates file, using VerifyRelease from Debian squeeze:
    Name: debian-squeeze
    Method: http://debian.osuosl.org/debian
    Suite: Squeeze
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64 source
    VerifyRelease: AED4B06F473041FA

    Name: debian-squeeze-updates
    Method: http://debian.osuosl.org/debian
    Suite: squeeze-updates
    Components: main contrib non-free
    UDebComponents: main
    Architectures: amd64
    VerifyRelease: AED4B06F473041FA
- Within the /home/reprepro directory, run reprepro -V update
- Create an ASCII export of your GPG key and copy it to bigfe:
gpg -a --export key-id > /var/tmp/key-id.gpg
- As root on bigfe, add your key to /etc/apt/trusted.gpg:
apt-key add < /var/tmp/key-id.gpg
Adding a repository
- Make sure you have the E6BF09F6 signing key in your gpg --list-secret-keys output.
- Enter the reprepro directory:
pushd /home/reprepro
- Add to conf/distributions:
    Origin: BCCD
    Label: BCCD
    Codename: bccd-v334
    Architectures: i386 amd64 source
    Components: main
    Description: Packages for BCCD v3.3.4
    # Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
    SignWith: E6BF09F6
    # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
- Add packages (repo doesn't exist until it has packages):
reprepro includedeb bccd-v332 *.deb
- If you get errors about packages not being exported, export manually:
reprepro export bccd-v332
Copying a repository
- Add a new repository (see above).
- Run something like this (NOTE: Confusingly, the destination repo is listed first in the copy command):
    for ARCH in i386 amd64; do
      reprepro -A ${ARCH} list bccd-v332|awk '{print $2}'|xargs reprepro -A ${ARCH} copy bccd-v333 bccd-v332
    done
Exporting a repository
If you need to export new indices, make sure to ask reprepro to prompt for your GPG passphrase:
reprepro --ask-passphrase export bccd-v340
Removing a repository
- Delete from /home/reprepro/conf/distributions
- Run reprepro --delete clearvanished
Signing key
Build setup
The signing GPG key has ID E6BF09F6 and should be set in the SignWith line for the distribution in conf/distributions. For instance:
    Origin: BCCD
    Label: BCCD
    Codename: bccd-v334
    Architectures: i386 amd64 source
    Components: main
    Description: Packages for BCCD v3.3.4
    # Running into bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714491
    SignWith: E6BF09F6
    # BCCD key, see http://bccd.net/wiki/index.php/Reprepro#Signing_key
The ASCII armor output of the public key should live in the SVN repository in trees/keys/E6BF09F6.gpg, and will be added automatically to the system's local apt key ring as part of the build.
Release engineer setup
The public and private keys should live in your own key ring in ~/.gnupg. If you do not have it, talk to one of the Release Engineers for the key pair and password. To import:
- Have one of the release engineers export the public and private keys (take care to maintain physical security of the exports!):
  - gpg --armor --export E6BF09F6
  - gpg --armor --export-secret-key E6BF09F6
- Import in your account on bigfe:
  - gpg --import
  - gpg --allow-secret-key-import --import
See Trac #984 for details.
Mirroring
- Fetch the conf directory from SVN
- Add an Update: field to each repo that you would like to mirror in conf/distributions. For instance, for bccd-v334, you might put in Update: bccd-v334-update
- Add each repo to conf/updates:
    Name: bccd-v334-update
    Method: http://debmirror.cluster.earlham.edu
    VerifyRelease: blindtrust
- Run reprepro -V update
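
A check for the conf/updates stanzas shown on this page, as an added example (not part of the BCCD tooling): the shell function below reads a conf/updates file and reports stanzas that use VerifyRelease: blindtrust, which turns off Release signature checking, or that name a key by an 8-hex-digit short ID, which does not identify a key uniquely. The sample file is constructed, and its example-short-id stanza and mirror URL are hypothetical.

```shell
# Added example, not BCCD code: audit a reprepro conf/updates file.
# Prints one finding per line as "<stanza name>: <problem>".
audit_updates() {
    awk '
    function report(   n, i, ids, id) {
        if (!seen) return
        if (verify == "") {
            print name ": no VerifyRelease field"
        } else if (tolower(verify) == "blindtrust") {
            print name ": blindtrust, Release signature is not checked"
        } else {
            n = split(verify, ids, /[ \t|]+/)     # "|" separates alternative keys
            for (i = 1; i <= n; i++) {
                id = ids[i]; gsub(/[^0-9A-Fa-f]/, "", id)   # keep hex digits only
                if (length(id) == 8)
                    print name ": short 32-bit key ID " id ", use the full fingerprint"
            }
        }
        seen = 0; name = "(unnamed)"; verify = ""
    }
    BEGIN { name = "(unnamed)" }
    /^[ \t]*#/ { next }                  # comment line
    /^[ \t]*$/ { report(); next }        # blank line ends a stanza
    {
        seen = 1
        key = tolower($0); sub(/:.*$/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "name") name = val
        if (key == "verifyrelease") verify = val
    }
    END { report() }
    ' "$1"
}
# Constructed sample: two stanzas from this page plus a hypothetical short-ID one.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Name: debian-squeeze-updates
Method: http://debian.osuosl.org/debian
VerifyRelease: AED4B06F473041FA

Name: bccd-v334-update
Method: http://debmirror.cluster.earlham.edu
VerifyRelease: blindtrust

Name: example-short-id
Method: http://mirror.example.invalid/debian
VerifyRelease: 473041FA
EOF
audit_updates "$SAMPLE"
```

The same short-ID concern applies to the SignWith values in conf/distributions; the function only inspects conf/updates.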
apt tricks
- Which repo is a package coming from?
apt-cache showpkg pkg-name
Troubleshooting
- List all checksums in DB: reprepro _listchecksums
- Forget about a package in the DB (probably want to delete it w/ rm first): reprepro _forget pool/main/i/icu4j-4.2/icu4j-4.2_4.2.1.1.orig.tar.gz
  - Also can grep for that checksum in the lists directory to get a filename
Troubleshooting signing errors
If you get a message like this:
    E: Release signed by unknown key (key id B1CE32C942E03786)
Try importing the key to the debian archive keyring:
    root@BigFe:~# gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyserver pgpkeys.mit.edu --recv-key B1CE32C942E03786
    gpg: requesting key 42E03786 from hkp server pgpkeys.mit.edu
    gpg: key 42E03786: public key "Skylar Thompson (CS e-mail) <skylar@cs.earlham.edu>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1
If this gives you errors, try using apt-key:
    root@bigfe:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
    Executing: /tmp/apt-key-gpghome.Uqs75DgWFS/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 64481591B98321F9
    gpg: key 64481591B98321F9: public key "Squeeze Stable Release Key <debian-release@lists.debian.org>" imported
    gpg: Total number processed: 1
    gpg: imported: 1