Skip to content

Instantly share code, notes, and snippets.

@tavinus

tavinus/signedDebianRepo.md

Created October 29, 2022 04:30
Show Gist options
  • Save tavinus/f966cb79fc8c378e41c31f709801c123 to your computer and use it in GitHub Desktop.
Save tavinus/f966cb79fc8c378e41c31f709801c123 to your computer and use it in GitHub Desktop.
Download ZIP
Create Signed Debian Repository
Raw
signedDebianRepo.md

Signed Debian Repository

This guide will not go about how to create .deb files or how to configure a webserver.

The basic idea is to add your .deb files to a folder where your webserver will serve.

Then run a script to generate the needed files (Packages, Release, etc).

Idea based on this response on askubuntu.com

Requisites

sudo apt install dpkg-dev gnupg

Script

The only thing that needs to be adjusted is the repository folder in the cd call.

Change /var/www/html/debian to where you are hosting the repo.

#!/bin/bash

cd /var/www/html/debian

# Generate the Packages file
dpkg-scanpackages . /dev/null > Packages
gzip --keep --force -9 Packages

# Generate the Release file
# cat conf/distributions > Release ## this can be ignored
# The Date: field has the same format as the Debian package changelog entries,
# that is, RFC 2822 with time zone +0000
echo -e "Date: `LANG=C date -Ru`" >> Release
# Release must contain MD5 sums of all repository files (in a simple repo just the Packages and Packages.gz files)
echo -e 'MD5Sum:' >> Release
printf ' '$(md5sum Packages.gz | cut --delimiter=' ' --fields=1)' %16d Packages.gz' $(wc --bytes Packages.gz | cut --delimiter=' ' --fields=1) >> Release
printf '\n '$(md5sum Packages | cut --delimiter=' ' --fields=1)' %16d Packages' $(wc --bytes Packages | cut --delimiter=' ' --fields=1) >> Release
# Release must contain SHA256 sums of all repository files (in a simple repo just the Packages and Packages.gz files)
echo -e '\nSHA256:' >> Release
printf ' '$(sha256sum Packages.gz | cut --delimiter=' ' --fields=1)' %16d Packages.gz' $(wc --bytes Packages.gz | cut --delimiter=' ' --fields=1) >> Release
printf '\n '$(sha256sum Packages | cut --delimiter=' ' --fields=1)' %16d Packages' $(wc --bytes Packages | cut --delimiter=' ' --fields=1) >> Release

# Clearsign the Release file (that is, sign it without encrypting it)
gpg --clearsign --digest-algo SHA512 --local-user $USER -o InRelease Release
# Release.gpg only need for older apt versions
# gpg -abs --digest-algo SHA512 --local-user $USER -o Release.gpg Release

Save the script as /usr/sbin/makeRepo

Make it executable chmod +x /usr/sbin/makeRepo

Run the script as the webserver user www-data

sudo -u www-data /usr/sbin/makeRepo

You may run as root, but then you will probably need to chown -R www-data:www-data /var/www/html/debian

This should be enough to get your repository running (without the need for the unsigned flag).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment