Thursday, October 16, 2008

Secure Apt Repository Howto

After a good bit of googling and poking around, I completed the setup of our secure apt repository here at nvizn.

Here's how you'd do it for an Ubuntu intrepid repository.

First, set up a directory tree that looks like this:
mkdir -p /var/www/packages/dists/intrepid/main/binary-i386/
mkdir -p /var/www/packages/intrepid/main
Then, install apt-ftparchive (it ships in the apt-utils package), which will do most of the heavy lifting.
apt-get install apt-utils
Now, drop all your .debs into /var/www/packages/intrepid/main/ and create an apt-ftparchive configuration file at /etc/archive.config.

Here's what mine looks like:
Dir {
ArchiveDir "/var/www/packages";
CacheDir "/home/joel.reed/uploads/";
};

Default {
Packages::Compress ". gzip bzip2";
Sources::Compress ". gzip bzip2";
Contents::Compress ". gzip bzip2";
};

APT::FTPArchive::Release::Codename "intrepid";
APT::FTPArchive::Release::Suite "intrepid";
APT::FTPArchive::Release::Origin "Joel W. Reed";

TreeDefault {
BinCacheDB "packages-$(SECTION)-$(ARCH).db";
Directory "intrepid/$(SECTION)";
Packages "$(DIST)/$(SECTION)/binary-$(ARCH)/Packages";
SrcDirectory "intrepid/$(SECTION)";
Sources "$(DIST)/$(SECTION)/source/Sources";
Contents "$(DIST)/Contents-$(ARCH)";
};

Tree "dists/intrepid" {
Sections "main";
Architectures "i386";
};
Finally, run this sequence of commands:
apt-ftparchive generate /etc/archive.config
cd /var/www/packages/dists/intrepid/
apt-ftparchive -c /etc/archive.config release . > Release
rm -fv Release.gpg
gpg -v --output Release.gpg -ba Release
When you're done, you'll end up with a /var/www/packages tree that looks something like this:
/var/www/packages/dists/intrepid
/var/www/packages/dists/intrepid/main
/var/www/packages/dists/intrepid/main/binary-i386
/var/www/packages/dists/intrepid/main/binary-i386/Packages.gz
/var/www/packages/dists/intrepid/main/binary-i386/Packages.bz2
/var/www/packages/dists/intrepid/main/binary-i386/Packages
/var/www/packages/dists/intrepid/Contents-i386
/var/www/packages/dists/intrepid/Release
/var/www/packages/dists/intrepid/Release.gpg
/var/www/packages/dists/intrepid/Contents-i386.gz
/var/www/packages/dists/intrepid/Contents-i386.bz2
/var/www/packages/intrepid
/var/www/packages/intrepid/main
/var/www/packages/intrepid/main/alfresco-r3184-0.3.1.deb
/var/www/packages/intrepid/main/nvizn-base-0.3.6.deb
/var/www/packages/intrepid/main/libnss-cache_0.1-1_i386.deb
/var/www/packages/intrepid/main/nsscache_0.8.4.1_all.deb
/var/www/packages/intrepid/main/stratus-desktop-0.2.deb
/var/www/packages/intrepid/main/packages-main-i386.db
/var/www/packages/intrepid/main/jsetup_0.5.1_all.deb
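The signature in Release.gpg covers only the Release file, and clients trust the Packages indexes through the hashes listed in Release, so a Release that was not regenerated and re-signed after the last apt-ftparchive generate run leaves clients with hash mismatches. The check below is an added example, not part of the original post; it assumes the Release file has a SHA256: section and that sha256sum is installed, and verify_release is a hypothetical name.

```shell
#!/bin/sh
# Added example: compare every file listed in the SHA256: section of a
# Release file with the file on disk (size and digest).
# Usage: verify_release /var/www/packages/dists/intrepid
# Returns 0 if all entries match, 1 on any mismatch or missing file,
# 2 if the Release file or its SHA256: section cannot be read.
verify_release() {
    dir=$1
    [ -r "$dir/Release" ] || { echo "no Release in $dir" >&2; return 2; }
    # Print "hash size path" for entries in the SHA256: section only;
    # the section ends at the next line that does not start with a space.
    entries=$(awk '
        /^SHA256:/ { in_sec = 1; next }
        /^[^ ]/    { in_sec = 0 }
        in_sec && NF == 3 { print $1, $2, $3 }
    ' "$dir/Release")
    [ -n "$entries" ] || { echo "no SHA256 section in Release" >&2; return 2; }
    rc=0
    while read -r want_hash want_size path; do
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        got_size=$(wc -c < "$file" | tr -d ' ')
        got_hash=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_hash" != "$want_hash" ]; then
            echo "MISMATCH $path"; rc=1
        fi
    done <<EOF
$entries
EOF
    return $rc
}
```

Run it on the server after signing, together with gpg --verify Release.gpg Release, before announcing new packages.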
Now, to make all this work, you need a gpg key, of course, Apache set to serve up /var/www/packages, and the public key installed on all client machines. To do that with a key on a keyserver, do something like:
gpg --recv-keys B1850655 && gpg --export B1850655 | apt-key add -
Hope this is helpful to you!
