Setting up a Signed apt repo
7th August 2009
So you've set up an apt repository following Dean's excellent instructions, and when you try to install a package you get the following warning:
WARNING: The following packages cannot be authenticated!
At this point you have several choices:
- Press yes and carry on (not that useful if you're using puppet to install stuff), or, to silence the warning for every run, turn authentication off entirely:
echo "APT::Get::AllowUnauthenticated 1;" >> /etc/apt/apt.conf.d/99unauth
- Set up a secure repository.
Let's go with setting up a secure repository.
- Make yourself a gpg key:
gpg --gen-key
- Export your public key to a file (you will need this later):
gpg --armor --export $keyid > public.key
- Create an apt-release.conf in your repository base containing
APT::FTPArchive::Release::Suite "etch";
(I'm behind and should have written this post a year ago.)
- Generate a release file:
apt-ftparchive -c apt-release.conf release dists/etch/ > dists/etch/Release
- Create a signed version:
gpg --sign -ba -o dists/etch/Release.gpg dists/etch/Release
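What the steps above actually buy you is a single signature that covers every index file: the Release file lists the size and digest of each Packages file under dists/etch/, and Release.gpg signs the Release file, so a client that has verified the signature can check every Packages file it downloads against those digests. The following added example (not part of this post) models that chain in Python: build_release reproduces a simplified form of the Release text apt-ftparchive emits (header fields plus MD5Sum/SHA1/SHA256 sections), parse_release reads it back, and verify_index_files checks a set of index files against it. The sample Packages content is constructed for the demo, and checking the Release.gpg signature itself is left to gpg, which this code does not re-implement.

```python
"""Model of the trust chain behind a signed apt repo: the Release file
lists the size and digest of every index file, and Release.gpg signs the
Release file, so one signature covers all the Packages files."""
import hashlib
import re
from datetime import datetime, timezone

# Hash sections written by apt-ftparchive, mapped to hashlib algorithm names.
HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def build_release(suite, files, date=None):
    """Build Release text in the shape `apt-ftparchive release` produces.
    Assumption: a simplified reproduction (the real tool adds more header
    fields). `files` maps a path relative to dists/<suite>/ to its bytes."""
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    lines = [f"Suite: {suite}", f"Date: {date}"]
    for section, algo in HASH_SECTIONS.items():
        lines.append(f"{section}:")
        for path in sorted(files):
            data = files[path]
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Parse Release into (headers, {section: {path: (digest, size)}})."""
    headers, hashes, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            # Indented lines are hash entries: " <digest> <size> <path>"
            if current is None:
                raise ValueError("hash entry outside a hash section")
            m = re.fullmatch(r" ([0-9a-f]+) +(\d+) +(\S+)", line)
            if not m:
                raise ValueError(f"malformed hash entry: {line!r}")
            digest, size, path = m.groups()
            hashes[current][path] = (digest, int(size))
        else:
            key, _, value = line.partition(":")
            if key in HASH_SECTIONS:
                current = key
                hashes[key] = {}
            else:
                current = None
                headers[key] = value.strip()
    return headers, hashes


def verify_index_files(release_text, files, section="SHA256"):
    """Return a list of problems found when checking `files` against the
    digests in an already signature-verified Release. Empty list = all good."""
    _, hashes = parse_release(release_text)
    if section not in hashes:
        return [f"Release has no {section} section"]
    algo = HASH_SECTIONS[section]
    problems = []
    for path, (digest, size) in hashes[section].items():
        if path not in files:
            problems.append(f"{path}: listed in Release but missing")
            continue
        data = files[path]
        if len(data) != size:
            problems.append(f"{path}: size {len(data)} != {size}")
        elif hashlib.new(algo, data).hexdigest() != digest:
            problems.append(f"{path}: {section} mismatch")
    for path in files:
        if path not in hashes[section]:
            problems.append(f"{path}: not covered by Release")
    return problems


# Constructed sample repository content (not a real package index).
SAMPLE_PACKAGES = (b"Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
                   b"Filename: pool/main/e/example/example_1.0-1_i386.deb\n\n")
SAMPLE_FILES = {"main/binary-i386/Packages": SAMPLE_PACKAGES}
SAMPLE_RELEASE = build_release("etch", SAMPLE_FILES,
                               date="Fri, 07 Aug 2009 12:00:00 UTC")


def demo_tamper():
    """Edit Packages after Release was generated: same size, different digest."""
    tampered = dict(SAMPLE_FILES)
    tampered["main/binary-i386/Packages"] = SAMPLE_PACKAGES.replace(b"1.0-1", b"1.0-2")
    return verify_index_files(SAMPLE_RELEASE, tampered)


if __name__ == "__main__":
    print(SAMPLE_RELEASE)
    print("intact:  ", verify_index_files(SAMPLE_RELEASE, SAMPLE_FILES))
    print("tampered:", demo_tamper())
```

Running the block prints the generated Release, an empty problem list for the intact repository, and a SHA256 mismatch for the edited Packages file. The point for operators is the ordering it enforces: regenerate and re-sign Release after every change to the index files, since a stale Release.gpg will make clients reject the updated Packages rather than trust it.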
Now when a client runs apt-get update against the repository it will complain that it cannot verify the signature:
W: GPG error: http://debianrepo etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY $KEYID
The client needs the repository's public key in its apt keyring. To do this manually you can take the public.key you generated earlier, copy it to your machines and then run
apt-key add public.key
Of course, in this day and age doing that by hand for all your machines would be tedious, so I use puppet with a class something like the following.
# Installs the repository signing key on every client and refreshes the
# package lists once the key is in place.
class aptkey {
  file { "/etc/apt/public.key":
    mode   => 440,
    owner  => root,
    group  => root,
    source => [ "puppet://puppet/host/public.key",
                "puppet://puppet/files/public.key" ],
  }
  # Only run apt-key add while the key is absent from the keyring;
  # 'firstname.lastname' stands for the uid on your own key.
  exec { "install-key":
    command => "/usr/bin/apt-key add /etc/apt/public.key",
    require => File["/etc/apt/public.key"],
    unless  => "/usr/bin/apt-key list | /bin/grep -q 'firstname.lastname'",
  }
  exec { "key-update":
    command => "/usr/bin/apt-get update",
    require => Exec["install-key"],
  }
}