February 9, 2016

Create and Manage a GPG Authenticated APT Repository [Linux]


This tutorial demonstrates how to easily create and manage an APT repository which uses GPG authentication. This is Debian/Ubuntu specific but can be easily adapted for other Linux distributions. The repository can then be published by setting up an HTTP server or by syncing it to Amazon S3, Sourceforge, and other hosting services.

I used the following page from the Debian Wiki for reference. You may find it helpful if you intend to set up an Apache web server for your repository.
https://wiki.debian.org/SettingUpSignedAptRepositoryWithReprepro


[A1] Installing Necessary Utilities
Utilities that will be used for creating and managing repositories include:
  • gnupg
  • reprepro
Install them using the following command:
sudo apt-get install gnupg reprepro

[A2] Creating a New GPG Authentication Key
Run the following command to create a new GPG key. Follow the instructions and choose your desired settings. Take note of the username, email and password you choose; you will need them later.
sudo gpg --gen-key

[A3] Export Secret GPG Key.
Save this in a safe place and preferably in more than one location. If lost, you will no longer be able to manage your repository. Replace the [pink] text (the bracketed placeholders) with your options.
sudo gpg --export-secret-key -a "[username]" > [desired directory to save key]/secret.key.gpg

[A4] Create Repository Directory Tree 1/2
  1. Create a directory you wish to be the root of the repository.
  2. Create a new directory named "conf" inside the root directory of your repo which you just created.

[A5] Export Public GPG Key to Repository.
Export the public GPG key to your repository so users will be able to download and install it. You should make this easy to install either with a download link or a "wget + apt-key add" command. Users of your repository will need this to install packages with authentication. You can still force packages to install without the GPG authentication key but I do not recommend this.
mkdir -p [path to root of repo]/key
sudo gpg --armor --export [username] [email address] > [path to root of repo]/key/[name your key].deb.key.gpg

[A6] Create the "Distributions" File
  1. Inside the "conf" directory, create a new blank file, name it "distributions" and open it with the text editor of your choice.
  2. Now you will set the dist options for your repository. Below is an example of how to format a distributions file for a repository that contains packages for 2 distributions. Replace the pink text with your desired options; the blue text can be left as is in most situations. Exclude the grey text (the parenthetical notes) from the distributions file. Then save the file.
Origin: your alias or project name
Label: project name
Suite: stable
Codename: distro1 (example, "Trusty" for Ubuntu 14.04 Trusty Tahr)
Version: version # of distro1 (example, "14.04" for Ubuntu 14.04 Trusty Tahr)
Architectures: i386 amd64 (may vary depending on platform, for example "iphoneos-arm")
Components: main
Description: description of repo or project
SignWith: yes

Origin: your alias or project name
Label: project name
Suite: stable
Codename: distro2 (example, "Wily" for Ubuntu 15.10 Wily Werewolf)
Version: version # of distro2 (example, "15.10" for Ubuntu 15.10 Wily Werewolf)
Architectures: i386 amd64 (may vary depending on platform, for example "iphoneos-arm")
Components: main
Description: description of repo or project
SignWith: yes
You can download the "distributions" file I made for my ShionOS repository for reference using the link below:

ShionOS Repository Distributions File
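
A pre-flight check for the conf/distributions file from step A6, added here as an example; it is not part of the original tutorial or of reprepro. The function name lint_distributions is hypothetical and the sample file is constructed. It flags stanzas that lack the fields reprepro requires (Codename, Architectures, Components), stanzas without SignWith, duplicate codenames, and template notes left in a value.

```shell
# lint_distributions FILE: print one finding per line; exit status 0 only if the file is clean.
lint_distributions() {
    awk '
    function report(msg) { printf "stanza %d: %s\n", n, msg; bad = 1 }
    function finish(   i, cnt, req) {
        if (!open) return
        cnt = split("Codename Architectures Components", req, " ")
        for (i = 1; i <= cnt; i++)
            if (!(req[i] in f)) report("missing required field " req[i])
        if (!("SignWith" in f))
            report("no SignWith field, so the Release file would be unsigned")
        if ("Codename" in f) {
            if (f["Codename"] in codenames) report("duplicate Codename " f["Codename"])
            codenames[f["Codename"]] = 1
        }
        split("", f); open = 0               # reset per-stanza state
    }
    /^[ \t]*$/ { finish(); next }            # a blank line ends a stanza
    /^[ \t]/ || /^#/ { next }                # continuation line or comment
    {
        if (!open) { open = 1; n++ }
        pos = index($0, ":")
        if (pos == 0) { report("not a Field: value line: " $0); next }
        name = substr($0, 1, pos - 1)
        val = substr($0, pos + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[name] = val
        if (val == "") report(name " is empty")
        if (name != "Description" && index(val, "(") > 0)
            report(name " still contains a parenthetical note: " val)
    }
    END { finish(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the template pasted with a note left in, no Components, no SignWith.
demo=$(mktemp -d)
cat > "$demo/distributions" <<'EOF'
Origin: example-project
Codename: trusty (example, "Trusty" for Ubuntu 14.04 Trusty Tahr)
Architectures: i386 amd64
Description: constructed sample (not a real repository)
EOF
lint_distributions "$demo/distributions" || echo "fix the findings above before running reprepro export"
rm -rf "$demo"
```
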

[A7] Create Repository Directory Tree 2/2
Now you need to use reprepro to generate the rest of the directory tree based on the distributions file you just created. To do this, run the following command.
sudo reprepro --ask-passphrase -Vb [path to root of repo] export

[A8] Adding Packages
To add a package to your repository use the following commands. 
cd [path to root of repo]
sudo reprepro --ask-passphrase -Vb . includedeb [dist codename] [path to package]/[package filename].deb   

[A9] Removing Packages
Before updating or replacing a package it will first need to be removed from the repository. You can do this with the following command. 
sudo reprepro --ask-passphrase -Vb [path to root of repo] remove [dist codename] [package name]



[B1] Install Public GPG key 
Users of the repository will need to do this in order to successfully authenticate packages.
sudo apt-key add [path to public key]/[public key filename]

[B2] Install Secret GPG key 
The secret GPG key will need to be installed on any system you wish to manage your APT repository from.
sudo gpg --import [path to key]/[key filename]
