bob's tech ramblings

where i ramble about technical things

Entries tagged "apt".

22nd May 2008

So recently I've backported[1] a couple of debian packages and needed somewhere to serve them from. The current work apt repo scares me so I followed Dean's useful guide to setting one up instead. It worked very nicely and wasn't pain.

[1] post to come hopefully


7th August 2009

So you've set up a apt repository following dean's excellant instructions and youve tried to install a package and got the following warning

WARNING: The following packages cannot be authenticated!

At this point you have several choices:-

  • press yes and carry on.(not that useful if youre using puppet to install stuff)
  • echo "APT::Get::AllowUnauthenticated 1;" >> /etc/apt/apt.conf.d/99unauth
  • Set up a secure repository

Lets go with setting up a secure repository.

  • Make yourself a gpg key - gpg --gen-key
  • Export your public key to a file - gpg --armor --export $keyid >public.key. You will need this later
  • Create an apt-release.conf containing APT::FTPArchive::Release::Suite "etch";(Im behind and should have written this post a year ago) in your repository base.
  • Generate a release file - apt-ftparchive -c apt-release.conf release dists/etch/ > dists/etch/Release
  • Create a signed version - gpg --sign -ba -o dists/etch/Release.gpg dists/etch/Release
Your repository is now secure. Now you need to tell your machines about your key or apt-get will emit
W: GPG error: http://debianrepo etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY $KEYID
To do this manually you can take the public.key you generated earlier and copy it to your machines and then run apt-key add public.key

Of course in this day and age doing things like that for all your machines would be tedious so I use puppet with a class something like the following.

class aptkey {

  file { "/etc/apt/public.key":
    mode   => 440,
    owner  => root,
    group  => root,
    source => [
        "puppet://puppet/host/public.key",
        "puppet://puppet/files/public.key"
        ],
  }
  exec { "install-key":
     command => "/usr/bin/apt-key add /etc/apt/public.key",
     require => File["/etc/apt/public.key"],
     unless  => "/usr/bin/apt-key list | /bin/grep -q 'firstname.lastname'";
  }
  exec { "key-update":
     command => "/usr/bin/apt-get update",
     require => Exec["install-key"],
  }
}
Tags: apt, debian, debs, signed.