Thursday, June 19, 2014

How to create a digitally signed repository apt yum from ubuntu debian

I needed to distribute some software, so I dived into repository creation, which turned out to be quite easy.


What you are going to need:
-reprepro package 
-root access
-apache webserver (even on a different machine)



APT steps 


install reprepro 
#apt-get install reprepro

The reprepro package is a tool for creating an APT repository with a pool structure, the same type of structure the official Debian mirrors use.

The repository may:
Contain packages for multiple distributions: Stable, Unstable, Testing, etc.

Contain packages for multiple architectures: x86, sparc, all, etc.


create a key to sign packages

#gpg --gen-key
follow the instructions on screen

check the key 
#gpg --list-keys

#pub   2048R/E3FDDB0E 2014-06-11
#uid                  Alex Barchiesi
#sub   2048R/4C4D64ED 2014-06-11

export the key

gpg --armor  --output Release.key --export <key id>

put it in the repository

export the private key and keep it safe
gpg --armor --output /tmp/Release_priv.key --export-secret-keys

##### in case you need to move things somewhere else you can import keys: 
gpg --allow-secret-key-import --import /tmp/Release_priv.key


Create Your APT Repository, sign and publish it 

Almost certainly you will wish to serve your repository via a web server, so the location should be beneath your web server's root directory at a simple path.

First of all create the directory, a subdirectory conf/ to contain the configuration file, and a directory incoming/ for which we'll set up automatic upload processing sometime later (in another post):
distro="debian"
sudo -u www-data mkdir -p /var/www/repos/apt/$distro
sudo -u www-data mkdir -p /var/www/repos/apt/$distro/conf
sudo -u www-data mkdir -p /var/www/repos/apt/$distro/incoming

[...]

Now that we have a directory to contain our repository we can look at creating the configuration file. The configuration file will specify which releases the repository will contain (sid, stable, etc) as well as the architectures. A sample configuration file will look like this:

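Origin: Alex Barchiesi
Label: your label
Suite: stable
Codename: or or or...
Version: 1.5.4
Architectures: i386 amd64
Components: main
Description: garrbox the personal cloud storage for research communities
SignWith: <key id>

Repeat the block as many times as needed. The SignWith field is what makes reprepro sign the distribution's Release file with the given key; without it the repository is published unsigned.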

Save your configuration to the file conf/distributions and you should now be ready to import a package.

You can either import a .deb file into the repository, or a .changes file which is produced by building a package from source.

From the main directory run the following (the --ask-passphrase option is needed to digitally sign the packages with the previously created/imported key; the password that you chose will be asked for as verification):

#reprepro --ask-passphrase -Vb . includedeb saucy *.deb 
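
reprepro writes a signed Release index for a distribution only when that distribution's stanza in conf/distributions has a SignWith field, so with repeated stanzas it is easy to leave one unsigned. The following check is an added example, not part of the original post; the function name and the sample configuration in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); the sample configuration is constructed.

# Print the Codename of each stanza in a reprepro conf/distributions file
# (given as $1, or read from stdin) that has no SignWith field. Stanzas are
# separated by blank lines; lines starting with "#" are comments.
unsigned_stanzas() {
    awk -F':[ \t]*' '
        function report() {
            if (seen && !signed) print (code == "" ? "(no Codename)" : code)
            seen = 0; signed = 0; code = ""
        }
        /^[ \t]*$/ { report(); next }          # blank line closes a stanza
        /^#/       { next }                    # skip comments
        { sub(/[ \t]+$/, ""); seen = 1 }       # trim trailing blanks
        tolower($1) == "codename" { code = $2 }
        tolower($1) == "signwith" && $2 != "" { signed = 1 }
        END { report() }
    ' "$@"
}

# Constructed sample: the first stanza is signed, the second is not.
SAMPLE_CONF='Origin: Example
Suite: stable
Codename: saucy
Architectures: i386 amd64
Components: main
SignWith: yes

Origin: Example
Suite: testing
Codename:trusty
Architectures: i386 amd64
Components: main
'

# Demo on the constructed sample; on a real server run
#   unsigned_stanzas /var/www/repos/apt/debian/conf/distributions
printf '%s' "$SAMPLE_CONF" | unsigned_stanzas
```

Any codename it prints is a distribution that clients would have to install from without signature verification.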


webserver apache config 
You can use any web server; I chose Apache because I already had it working.

(optional) Deny web access to the configuration directories and allow directory indexing in the repository

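#/etc/apache2/conf.d/repos 
# Apache 2.2 access-control syntax; on Apache 2.4 use "Require all granted" / "Require all denied" instead.
# The paths follow the repository layout created above (/var/www/repos/apt/$distro).

<Directory /var/www/repos/apt/>
        # We want the user to be able to browse the directory manually
        Options Indexes FollowSymLinks Multiviews
        Order allow,deny
        Allow from all
</Directory>

# This syntax supports several repositories, e.g. one for Debian, one for Ubuntu.
# Replace * with debian, if you intend to support one distribution only.
# db/ is the database directory that reprepro creates next to conf/.
<Directory "/var/www/repos/apt/*/db/">
        Order allow,deny
        Deny from all
</Directory>

<Directory "/var/www/repos/apt/*/conf/">
        Order allow,deny
        Deny from all
</Directory>

<Directory "/var/www/repos/apt/*/incoming/">
        Order allow,deny
        Deny from all
</Directory>
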
########################################################

restart httpd or apache process and you are online.

You can also create a .list file for the clients to download.

client side 

The following is needed to use the repository from the client side:

###first add key to apt 
wget -qO - http://localhost/apt/debian/Release.key | sudo apt-key add -

####check key
# apt-key list 
pub   2048R/9A31D871 2014-06-12
uid                   (LX software)
sub   2048R/E7634BBB 2014-06-12

######add source list file for apt 
echo "deb http:///apt/debian main" >>/etc/apt/sources.list.d/LX.list

###check package 
apt-cache showpkg
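
Piping the key straight from plain HTTP into apt-key trusts whatever that URL returns, so a client should first compare the key's fingerprint with one obtained out of band. The following is an added example, not part of the original post; the function names, fingerprints and key listing in it are constructed, and `key_file_matches_pin` assumes GnuPG 2.2 or later for `--show-keys`.

```shell
#!/bin/sh
# Added example (not from the original post). All fingerprints are constructed.

# Print primary-key fingerprints from `gpg --with-colons` output on stdin.
# A "pub" record is followed by an "fpr" record whose field 10 is the
# fingerprint; "fpr" records that follow "sub" belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if the listing on stdin holds exactly one primary key whose
# fingerprint equals $1 (spaces and letter case in $1 are ignored).
listing_matches_pin() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Check a downloaded key file against the pinned fingerprint.
key_file_matches_pin() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches_pin "$2"
}

# Constructed listing in gpg's colon format: one primary key and one subkey.
SAMPLE_LISTING='pub:-:2048:1:89ABCDEF01234567:1402444800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1402444800::::Example Repo Signing Key:
sub:-:2048:1:0011223344556677:1402444800::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA980011223344556677:
'
# Constructed pin; in practice, copy it from a channel other than the repository.
PINNED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

# Demo on the constructed listing. On a client the flow would be:
#   wget -qO Release.key http://localhost/apt/debian/Release.key
#   key_file_matches_pin Release.key "$PINNED" && sudo apt-key add Release.key
printf '%s' "$SAMPLE_LISTING" | listing_matches_pin "$PINNED" \
    && echo "sample key matches the pinned fingerprint"
```

A key file that carries more than one primary key is rejected as well, since only a single exact match is accepted.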




yum steps



Creating a Yum repository is easier than an apt one


sign the rpms
(follow the steps under "create a key to sign packages" above to generate a key)

export the public key

gpg --armor --output signature.asc --export

You need to go through all your rpm to sign them and

rpm --addsign *.rpm


create and publish the repository
Install the createrepo RPM if not present

Create a directory to hold the repository:

# mkdir -p /usr/share/repotest

Navigate to that directory:

# cd /usr/share/repotest

Use the command createrepo :

# createrepo .
Move the directory to the proper web server location (refer to the APT part for how to configure the web server).

Clear yum:

# yum clean all
Create a file /etc/yum.repos.d/file.repo :

# cat /etc/yum.repos.d/file.repo

[your repository name]
name=

baseurl=http:///yum//$releasever/$basearch/ 
enabled=1 
gpgcheck=1 
gpgkey=http:///yum/signature.asc


If the repository directory is already created, the option -d can be used to place metadata and pre-built sqlite databases in that directory which will allow the user to install and update rpms and dependencies.

# createrepo -d /path/to/RPMS


Client side:
You can make the .repo file available for download so that clients can put it in /etc/yum.repos.d/file.repo and use the usual commands.


Show package list:

# yum list

Install desired packages:

# yum install





Hope you enjoy distributing your software from now on.
If you find it useful or if you have comments/suggestions, please drop a line in the comments.



Alex
