Create your repository deb-package

We learned how to build packages and sign them. Now is the time to make your repository with the packages.

In fact, there are 3 ways (more or less “legal”) of the process to collect your repository: dpkg-scanpackages, mini-dinstall and reprepo. dpkg-scanpackages – Tulsa is a fairly simple, but requires a lot of manual work. Though I write about it, but use it on a commercial scale is not necessary. With reprepo I especially did not understand – the official records too old and far from sanity. So basically here it is written about mini-dinstall.

dpkg-scanpackages – utility that indexes the directory and creates a file for him Packages. Tools that can be used as a temporary local changes (for example, to verify that the package will be put through apt-get), but do not use it where it is important signature verification package – dpkg-scanpackages itself simply do not know how (although You can name the repository and legs).

Himself dpkg-scanpackages lives in package dpkg-dev, so that:
root @ server: ~ # apt-get install dpkg-dev

Imagine that our packages in the past article we are going in the / home / user / packages:
user @ server: ~ $ ls / home / user / packages example-package_0.3_amd64.changes example-package_0.3_amd64.deb

Then we generate Packages.gz follows:
user @ server: ~ $ dpkg-scanpackages -t deb / home / user / packages / | gzip | cat> /home/user/packages/Packages.gz

A sources.list.d add line “deb file: / home / user / packages /”:
root @ server: ~ # echo “deb file: / home / user / packages /”> /etc/apt/sources.list.d/my-own-repo.list

Check that the repository works:
root @ server: ~ # apt-get update; apt-cache policy example-package

Installed: (none)
Candidate: 0.3
Version table:
0.3 0
500 file: / home / inkvizitor68sl / Packages

So in its simplest form is running and mini-dinstall – generate Packages.gz. But he knows how to verify package signatures, to work on the crown / daemon and other buns.

Have fun, that’s enough. Let’s put a mini-dinstall and other software that is useful:
root @ server: ~ # apt-get install mini-dinstall debian-keyring gnupg acl

Then all I’ll paint on the basis of that to fill the packages to the repository will be a few users. Of course, you can use dput and do everything under one user, but if you have half the developer – that such an option you do not want and will want to provide an opportunity to fill the packages with signatures of different developers. Therefore, we will create a single user and a single gpg-key, which will sign the repository. A package signatures will be checked before you add them to the repository.
Mini-dinstall no need to run as root (if you run it as root – we do not have to type the whole team for the issuance of additional rights to the catalog of charges against incoming, gee). Create individual user:
root @ server: ~ # adduser repokeeper

Come by this user:
root @ server: ~ # su repokeeper

Create daddy, where we put our repository:
repokeeper @ server: ~ $ mkdir / home / repokeeper / repo /

We write our configuration /home/repokeeper/.mini-dinstall.conf sobiralki repositories:
archivedir = / home / repokeeper / repo /
mail_to =
verify_sigs = true
architectures = all, amd64, i386
archive_style = flat
generate_release = true
mail_on_success = true
release_codename = SomeShit
release_description = My Own Repo
release_label = someshit
release_origin = someshit
release_suite = None
extra_keyrings = ~ / .gnupg / pubring.gpg
release_signscript = ~ /
incoming_permissions = 0
chown_changes_files = false

Generating keys the familiar command:
repokeeper @ server: ~ $ LANG = C gpg –gen-key

What is there to answer is already written, it is necessary only to observe that we need is a new key, not the key with the same answers. Well, there is the nickname and e-mail to change the standards.

Create a directory of keys, which to start putting our public key repository. There we store the public keys of our developers (myself to begin with).
repokeeper @ server: ~ $ mkdir / home / repokeeper / keys

First, we export the public key repository. Under the user-repokeeper do this:
repokeeper @ server: ~ $ gpg –export –armor> ~ / keys / repo.key

Where – mail, which we used to generate the key for the user repokeeper.

Just export the key with which we sign packages and “add it” to the codes and keys for repokeeper (thus allowing to fill packages signed by the key). Under the user from under which we collect packages, run the command:
user @ server: ~ $ gpg –export –armor> ~ / inkvizitor68sl.gpg

(Remember that your e-mail I used in the previous example)
File inkvizitor68sl.gpg we need to throw in the directory / home / repokeeper / keys on the server where you will run mini-dinstall. On the rights to the files can not worry too much (after all, is a public signature – having it worse than you did not).

Now, under the user repokeeper import key “developer”:
repokeeper @ server: ~ $ gpg –no-default-keyring –ignore-time-conflict –keyring .gnupg / pubring.gpg –import ~ / keys / inkvizitor68sl.gpg

So do we need a script that will run for signing the collected repository. A suitable script is in the documentation to the mini-dinstall, utaschim it yourself:
repokeeper @ server: ~ $ cp /usr/share/doc/mini-dinstall/examples/ ~ /

A little tweak to suit your needs:
repokeeper @ server: ~ $ sed -i ‘s / export GNUPGHOME =. * / export GNUPGHOME = ~ \ /. gnupg /’

The file ~ / .gnupg / passphrase you need to write your password on the GPG key that we have generated for the repository.

Since we run mini-dinstall than root, we need the right to correct its incoming-directory. With chmod / chown reliably achieve we did not get (the developers certainly will fill with such rights, that the mini-dinstall not have permission to delete files filled – and it will fall in error), therefore, make it through the chattr:
root @ server: ~ # setfacl -R –modify user: repokeeper: rwx / home / repokeeper / repo /
root @ server: ~ # setfacl -R –modify group: repokeeper: rwx / home / repokeeper / repo /
root @ server: ~ # setfacl -R –modify default: user: repokeeper: rwx / home / repokeeper /
root @ server: ~ # setfacl -R –modify default: group: repokeeper: rwx / home / repokeeper /

And also create a group, the presence of which would allow the system user to fill packets to the server (as root):
root @ server: ~ # addgroup repouploaders

And put right those users to the list of incoming:
root @ server: ~ # setfacl -R –modify group: repouploaders: rwx / home / repokeeper / repo / mini-dinstall / incoming /
root @ server: ~ # setfacl -R –modify default: group: repouploaders: rwx / home / repokeeper / repo / mini-dinstall / incoming /

And add the user who collect packages uploader group. To be more precise, add the user to whom we want to give rights to flooding files in the repository. This may be a developer account, which will be poured packages sftp / scp through dupload.
root @ server: ~ # usermod -a -G repouploaders user

At the same time ban on the road to fill the rest of the files:
root @ server: ~ # chmod 0700 / home / repokeeper / repo / mini-dinstall / incoming /

“Fill the” assembled before our bag in the repository. Now we do it with a simple cp, in the future I will write about how to use dupload.
repokeeper @ server: ~ $ cp /home/user/packages/example-package_0.3_amd64.deb / home / repokeeper / repo / mini-dinstall / incoming /
repokeeper @ server: ~ $ cp /home/user/packages/example-package_0.3_amd64.changes / home / repokeeper / repo / mini-dinstall / incoming /

Finally, we start assembling our repository (note, not as root):
repokeeper @ server: ~ $ mini-dinstall -b -v

If the error is not visible, check the contents of the file Packages:
repokeeper @ server: ~ $ cat ~ / repo / unstable / Packages | grep Package
Package: example-package

As you can see, we had our repository example-package. Let’s try to put it.
To begin connect the repository locally:
root @ server: ~ # echo “deb file: / home / repokeeper / repo / unstable /”> /etc/apt/sources.list.d/my-own-repo.list; apt-get update

Check that the package appeared in the index apt’a:
root @ server: ~ # apt-cache policy example-package
Installed: (none)
Candidate: 0.3
Version table:
0.3 0
500 file: / home / repokeeper / repo / unstable / Packages

Try to put it:
root @ server: ~ # apt-get install example-package

Install these packages without verification [y / N]?

FIG us, as they say. apt thinks untrusted packages. Well, we were wrong tormented with signatures)? Feed our public key repository our local apt-in:
root @ server: ~ # cat /home/repokeeper/keys/repo.key | apt-key add –

Apt-update the index and, as usual:
root @ server: ~ # apt-get update

We try to deliver the package:
root @ server: ~ # apt-get install example-package

Voila. I put in silence and made us an empty /root/.ssh/authorized_keys, for I am a lazy ass and collected the same package with a blank file)

Now we can throw the files in the repo / mini-dinstall / incoming and when we need to rebuild the repository command as root
root @ server: ~ # su -c “mini-dinstall -b -v” repokeeper

or just the user repokeeper
repokeeper @ server: ~ $ mini-dinstall -b -v

Next we will learn how to use upload, run mini-dinstall for crown and a demon. And also do not forget to share the repository via http and https. And then we move on to all sorts of amusing useful in dpkg.