Creating and using your own deb repository (not mirroring)

  • Tutorial

Intro

Tested on the following configuration:
Server: ubuntu 20.04
Clients: ubuntu 16.04, 18.04, 20.04

It doesn’t require a lot of software to create it.

  • web server with directory listing ( I use lighttpd)

  • packages: gpg(for signs), dpkg-dev

  • rng-tools (highly recommended)

Repo URL: http://192.168.56.48/repo/ (it is preferable to use DNS)
Repo directory on the server : /var/www/html/repo/
Deb-packages directory: /var/www/html/repo/deb-packages
Repo generation script: /usr/bin/update-repo.sh

Server preparation

Main steps:

  • web server installation

  • gpg-key generation

  • creating script for repo generation

  • repo creation

Gpg-key generation notes

GPG needs entropy for key generation. These operations can be very time-consuming, but they can be sped up with rng-tools packages. Use the next command for ubuntu:

sudo apt-get update
sudo apt-get install -y rng-tools

Web server configuration

Now you need to install lighttpd and enable dir-listing on it:

# install package
apt-get install lighttpd
# enable directory listing
echo 'server.dir-listing = "enable"' > /etc/lighttpd/conf-enabled/dir-listing.conf
# start lighhttpd and enable autostrt
systemctl restart lighttpd
systemctl enable lighttpd
# create dir for repo
mkdir -p /var/www/html/repo/deb-packages/

Now you should put your deb-packages in /var/www/html/repo/deb-packages/

GPG-keys

I will use self-signed keys, but you should use your company’s PKI-infrastructure (if available). Check if you already have the keys:

root@repo:~# gpg --list-keys
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

Now you can see that there are no keys available. First, we’ll create keys-generation script. You should use the proper values for your repo:

cat >~/.gnupg/aptRepo <<EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 3072
Subkey-Type: ELG-E
Subkey-Length: 3072
Name-Real: apt tech user
Name-Comment: without passphrase
Name-Email: apt@email.non
Expire-Date: 0
%echo done
EOF

Now create the keys. This may take some time. Do not set a password for the keys since you’ll need to enter it every time the repo is updated:

root@repo:~# gpg --batch --gen-key ~/.gnupg/aptRepo
gpg: Generating a basic OpenPGP key
gpg: done
gpg: key 16B7C8484EC3AC5F marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F.rev'

Check the keys availability:

root@repo:~# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
pub   rsa3072 2021-02-07 [SCEA]
      D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F
uid           [ultimate] apt tech user (without passphrase) <apt@email.non>
sub   elg3072 2021-02-07 [E]

OK, now you need to export keys to the file:

gpg --export -a D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F > /var/www/html/repo/boozlachuRepo.gpg
It's time to write a repo-creation script. I used the following variables
    • updatescript=/usr/bin/update-repo.sh - path to this script
    • repodir=/var/www/html/repo - path to the repo
    • gpgKey="D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F" - gpg-key ID
updatescript=/usr/bin/update-repo.sh
cat <<'EOFSH' >${updatescript}
#!/bin/sh

# working directory
repodir=/var/www/html/repo/
# GPG key
gpgKey="D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F"
cd ${repodir}
# create the package index
dpkg-scanpackages -m . > Packages
cat Packages | gzip -9c > Packages.gz
# create the Release file
PKGS=$(wc -c Packages)
PKGS_GZ=$(wc -c Packages.gz)
cat <<EOF > Release
Architectures: all
Date: $(date -R -u)
MD5Sum:
 $(md5sum Packages  | cut -d" " -f1) $PKGS
 $(md5sum Packages.gz  | cut -d" " -f1) $PKGS_GZ
SHA1:
 $(sha1sum Packages  | cut -d" " -f1) $PKGS
 $(sha1sum Packages.gz  | cut -d" " -f1) $PKGS_GZ
SHA256:
 $(sha256sum Packages | cut -d" " -f1) $PKGS
 $(sha256sum Packages.gz | cut -d" " -f1) $PKGS_GZ
EOF
gpg --yes -u $gpgKey --sign -bao Release.gpg Release
EOFSH
chmod 755 ${updatescript}

Don't forget to install the dpkg-scanpackages util:

apt-get install dpkg-dev

Repo creation/update

Required steps for creation/update:

  • add your deb-packages to /var/www/html/repo/deb-packages

  • run the creation script /usr/bin/update-repo.sh

Script output example (for a single package):

/usr/bin/update-repo.sh
dpkg-scanpackages: info: Wrote 1 entries to output Packages file.

Clients setup

First, add your repo to the apt source lists:

wget -O -  http://192.168.56.48/repo/boozlachuRepo.gpg | sudo apt-key add -
echo 'deb http://192.168.56.48/repo/ ./ ' >  /etc/apt/sources.list.d/boozlachuRepo.list
apt-get update

You can now use this repo on clients:

root@alexey-VirtualBox:~# apt-cache search testpackage
testpackage - simple testpackage for demo

My test package is now available for installation.

Similar posts

Ads
AdBlock has stolen the banner, but banners are not teeth — they will be back

More

Comments 2

    0

    Was looking for an end-to-end guide. Great job, thanks! Is it necessary to update the whole repo when a new package is added?

      0
      Thanks!
      Yes, you must run update-repo.sh for meta-file generation (Packages, Packages.gz and signs)

    Only users with full accounts can post comments. Log in, please.