
红烧鱼

linux & windows management

 
 
 

About me
mac

Focused on IT infrastructure design and operations. Feel free to leave me a message or contact me by email at zjwsk@163.com


create a local apt repository for ubuntu 16.04 (xenial)  

2016-12-30 21:06:59 | Category: Linux

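When building a repository from local .deb packages on Ubuntu 16.04 (xenial), unlike 14.04 and earlier releases, a Release file is required and it must be signed with GPG; otherwise the repository cannot be used: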

W: The repository 'file:/opt/xenial ./ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
-- Setting the configuration option Acquire::AllowInsecureRepositories to false
-- Create a toplevel Release file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils).

# A Release file is required. After finally working out how to create one (apt-ftparchive release ./ > Release), the following message appeared instead:

W: The repository 'file:/opt/xenial ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.


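This is where GPG (https://gnupg.org/) comes in.

1.1 A key created with GPG can be used for both encrypting and signing files; a key used only for signing can also be created. For example: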

# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Ubuntu Local Archive Automatic Signing Key
Email address: mac@ispc.cn
Comment: 2016
You selected this USER-ID:
    "Ubuntu Local Archive Automatic Signing Key (2016) <mac@ispc.cn>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key 1EA07CEB marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/1EA07CEB 2016-12-30
      Key fingerprint = 3C08 2129 543C 9598 2CDA  E667 3866 371D 1EA0 7CEB
uid                  Ubuntu Local Archive Automatic Signing Key (2016) <mac@ispc.cn>

Note that this key cannot be used for encryption.  You may want to use the command "--edit-key" to generate a subkey for this purpose.

1.2 Export the GPG public key and put it somewhere clients can download it, for example on a web server
# gpg --list-key  (to look up the key ID)
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/1EA07CEB 2016-12-30
uid                  Ubuntu Local Archive Automatic Signing Key (2016) <mac@ispc.cn>

# gpg -a --export 1EA07CEB > Ubuntu_Local_Archive_Automatic_Signing_Key_2016.public

The private key can be exported as well; keep it somewhere safe.
# gpg -a --export-secret-keys 1EA07CEB > Ubuntu_Local_Archive_Automatic_Signing_Key_2016.private

2. Create the Packages file
# rm -f Packages.gz Packages
# apt-ftparchive packages . | gzip -9c > Packages.gz
# gunzip -k Packages.gz

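The approach commonly found on the internet (https://help.ubuntu.com/community/Repositories/Personal), shown below, requires installing the dpkg-dev package first. It achieves the same result as apt-ftparchive, but apt-ftparchive is already installed by default (provided in apt-utils), so nothing extra needs to be installed. Use whichever you prefer.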
# dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz

3. Create the Release file
# apt-ftparchive release ./ > Release

4. Sign the Release file
# gpg -abs --default-key 1EA07CEB -o Release.gpg Release

### Run the following on each Ubuntu machine that will use this repository
5. Edit sources.list on the Ubuntu client
# echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list

6. Download and import the public key that signed the Release file
# wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2016.public
# apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2016.public

7. The repository is now usable
# apt-get update
...
Reading package lists... Done
W: http://10.245.254.93/linux/ubuntu/updates/xenial/./Release.gpg: Signature by key 3C082129543C95982CDAE6673866371D1EA07CEB uses weak digest algorithm (SHA1)



-----------------------------
8. Scripted usage

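#8.1 for Server site
# Import the signing key. Whoever can download the .private file can sign a Release
# that the clients will trust, so restrict access to this URL.
wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2016.private
gpg --import Ubuntu_Local_Archive_Automatic_Signing_Key_2016.private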

mkdir /opt/xenial
cp -rp /var/cache/apt/archives /opt/xenial

cd /opt/xenial
rm -rf Packages.gz Packages archives/lock archives/partial
apt-ftparchive packages . | gzip -9c > Packages.gz
gunzip -k Packages.gz
apt-ftparchive release ./ > Release
gpg -abs --default-key 1EA07CEB --passphrase abc123 -o Release.gpg Release

# use for Local check
echo "deb [arch=amd64] file:///opt/xenial ./" >> /etc/apt/sources.list
apt-get update


#8.2 for Client site
echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list
wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2016.public
apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2016.public
apt-get update
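
Added example, not part of the original post: a check to run in the repository directory between steps 3 and 4. It confirms that every file listed in the SHA256 section of Release still matches what is on disk, which is the comparison apt makes on the client once Release.gpg has verified. The function names and the sample Packages/Release content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). check_release DIR succeeds only
# if every file in the SHA256 section of DIR/Release matches the file on disk.
check_release() (
    dir=$1
    [ -f "$dir/Release" ] || { echo "no Release file in $dir" >&2; exit 1; }
    # Section entries are indented: " <sha256> <size> <name>"
    awk '/^SHA256:/ {on=1; next} /^[^ ]/ {on=0} on && NF==3 {print $1, $2, $3}' \
        "$dir/Release" | {
        rc=0; n=0
        while read -r hash size name; do
            n=$((n + 1))
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING  $name" >&2; rc=1; continue
            fi
            actual_hash=$(sha256sum < "$dir/$name" | cut -d' ' -f1)
            actual_size=$(wc -c < "$dir/$name" | tr -d ' ')
            if [ "$hash" != "$actual_hash" ] || [ "$size" != "$actual_size" ]; then
                echo "MISMATCH $name" >&2; rc=1
            fi
        done
        # A Release with no SHA256 entries must not pass silently.
        [ "$n" -gt 0 ] || { echo "no SHA256 entries in Release" >&2; rc=1; }
        exit "$rc"
    }
)

# Constructed sample: a one-package index plus a Release that lists it.
make_sample_repo() {
    mkdir -p "$1"
    printf 'Package: demo\nVersion: 1.0\nFilename: ./demo_1.0_amd64.deb\n' > "$1/Packages"
    {
        echo "Date: Fri, 30 Dec 2016 13:00:00 UTC"
        echo "SHA256:"
        printf ' %s %16d %s\n' "$(sha256sum < "$1/Packages" | cut -d' ' -f1)" \
            "$(wc -c < "$1/Packages")" Packages
    } > "$1/Release"
}

demo() {
    tmp=$(mktemp -d) && make_sample_repo "$tmp"
    check_release "$tmp" && echo "fresh index: OK to sign"
    echo "Package: extra" >> "$tmp/Packages"   # index edited, Release not regenerated
    check_release "$tmp" || echo "stale Release: do not sign"
    rm -rf "$tmp"
}
demo
```

On the server, `check_release /opt/xenial && gpg -abs ...` keeps a stale Release from being signed. Adding `--digest-algo SHA256` to that gpg command addresses the weak digest (SHA1) warning shown in step 7.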