Difference between revisions of "Repo debian"

From UVOO Tech Wiki
Latest revision as of 18:42, 24 August 2025

To resolve the "repository is not signed" error, you need to generate a GPG key, use it to sign your repository's Release file, and then add the public key to your host's trusted keys.

Here’s the step-by-step process.


1. Generate a GPG Key

First, generate a GPG key pair on the machine where you build the repository. This key will be used for signing.

  1. Run the key generation command:
    gpg --full-generate-key
    
  2. Follow the prompts. Reasonable defaults are usually fine:
    • Select (1) RSA and RSA.
    • For key size, enter 4096.
    • Set an expiration period (e.g., 1y for one year) or choose 0 for no expiration.
    • Enter your real name and email address.
    • Enter a secure passphrase.
  3. List your keys to find the Key ID. You will need this for the signing script.
    gpg --list-secret-keys --keyid-format=long
    

    The output will look similar to this. Your Key ID is the long string of characters after rsa4096/.

    /home/user/.gnupg/pubring.kbx
    -----------------------------
    sec   rsa4096/A1B2C3D4E5F6G7H8 2025-08-24 [SC] [expires: 2026-08-24]
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    uid                 [ultimate] Your Name <your.email@example.com>
    ssb   rsa4096/1A2B3C4D5E6F7G8H 2025-08-24 [E]
    
    In this example, the Key ID is A1B2C3D4E5F6G7H8.

2. Update Your Repository Script to Sign the Release

Modify your script to sign the Release file using the GPG key you just created. This generates the InRelease and Release.gpg files that APT expects.

Replace the GPG_KEY_ID value with the actual Key ID from the previous step.

#!/bin/bash
set -eux
NAME="$1"
GPG_KEY_ID="A1B2C3D4E5F6G7H8" # <-- REPLACE THIS
DEB_FILE="$NAME.deb"
REPO_ROOT="$NAME"
DISTRIBUTION="stable"
COMPONENT="main"
ARCHITECTURE="amd64"
# The paths below are relative to REPO_ROOT, the directory the script works in after pushd.
# Keeping them relative means apt-ftparchive writes Filename: entries relative to the repository URL
# (prefixing them with REPO_ROOT would create REPO_ROOT/REPO_ROOT/... once inside the directory).
POOL_DIR="pool/${COMPONENT}"
DIST_DIR="dists/${DISTRIBUTION}"
BINARY_DIR="${DIST_DIR}/${COMPONENT}/binary-${ARCHITECTURE}"

mkdir -p "${REPO_ROOT}/${POOL_DIR}"
cp "${DEB_FILE}" "${REPO_ROOT}/${POOL_DIR}/"

pushd "${REPO_ROOT}" > /dev/null

mkdir -p "${BINARY_DIR}"

# Package index: one stanza per .deb under pool/, carrying its Filename, Size and SHA256.
apt-ftparchive packages "pool" > "${BINARY_DIR}/Packages"
gzip -9c "${BINARY_DIR}/Packages" > "${BINARY_DIR}/Packages.gz"

# Release lists the size and hashes of every index under dists/stable; it is the file that gets signed.
# The -o options fill in the Suite/Codename/Components/Architectures fields APT reads from it.
apt-ftparchive release \
  -o APT::FTPArchive::Release::Suite="${DISTRIBUTION}" \
  -o APT::FTPArchive::Release::Codename="${DISTRIBUTION}" \
  -o APT::FTPArchive::Release::Components="${COMPONENT}" \
  -o APT::FTPArchive::Release::Architectures="${ARCHITECTURE}" \
  "${DIST_DIR}" > "${DIST_DIR}/Release"

# Detached signature (Release.gpg) and clearsigned copy (InRelease).
# --yes overwrites the signatures left by a previous run instead of prompting.
gpg --default-key "${GPG_KEY_ID}" --yes -abs -o "${DIST_DIR}/Release.gpg" "${DIST_DIR}/Release"
gpg --default-key "${GPG_KEY_ID}" --yes --clearsign -o "${DIST_DIR}/InRelease" "${DIST_DIR}/Release"

popd > /dev/null

Now, when you run this script, it will create the necessary signature files in your repository directory.
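As an added illustration (not part of the wiki page), the Python below walks the hash chain that signing Release establishes: the signed Release lists the SHA256 and size of Packages, and Packages lists the SHA256 and size of each .deb, so APT can detect a swapped .deb or an edited index even though only Release carries a signature. The repository contents are constructed inline and the InRelease signature block is a placeholder: the signature check itself is gpg's job, and this example covers only the links behind it.

```python
import hashlib

# Constructed sample repository laid out the way the script above builds it (not real data).
DEB = b"constructed stand-in for the uctl-agent .deb"
PACKAGES = ("Package: uctl-agent\nVersion: 1.0\nFilename: pool/main/uctl-agent.deb\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n\n")
PKG = "main/binary-amd64/Packages"
RELEASE = f"Suite: stable\nSHA256:\n {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES)} {PKG}\n"
# InRelease = Release in a clearsign envelope; the signature block is a placeholder (checking it is gpg's job).
INRELEASE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + RELEASE +
             "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
REPO = {"dists/stable/InRelease": INRELEASE.encode(), "dists/stable/" + PKG: PACKAGES.encode(),
        "pool/main/uctl-agent.deb": DEB}

def clearsign_body(text: str) -> str:
    # Strip the RFC 4880 cleartext envelope of InRelease; a plain Release file passes through.
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body = lines[lines.index("") + 1:lines.index("-----BEGIN PGP SIGNATURE-----")]
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in body) + "\n"  # undo dash-escaping

def parse_release_sha256(release: str) -> dict:
    # Map each path listed under the SHA256: field of Release to (hexdigest, size).
    entries, in_section = {}, False
    for line in release.splitlines():
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = line.startswith("SHA256:")
    return entries

def check(files: dict, path: str, digest: str, size: int):
    # Return a problem string when `path` is absent or disagrees with the signed size and SHA256.
    data = files.get(path)
    if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        return f"{path}: missing or does not match the signed size/SHA256"

def verify_repo(files: dict, dist: str = "dists/stable") -> list:
    # Walk the chain InRelease -> Packages -> .deb; an empty list means every link holds.
    release = parse_release_sha256(clearsign_body(files[f"{dist}/InRelease"].decode()))
    problems = [check(files, f"{dist}/{p}", d, s) for p, (d, s) in release.items()]
    for path in release:  # only descend into a Packages index that itself verified
        if path.endswith("/Packages") and not check(files, f"{dist}/{path}", *release[path]):
            for block in files[f"{dist}/{path}"].decode().strip().split("\n\n"):
                pkg = dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
                problems.append(check(files, pkg["Filename"], pkg["SHA256"], int(pkg["Size"])))
    return [p for p in problems if p]
```

On a published repository the same walk is what APT performs after gpgv has accepted the signature, which is why an unsigned or wrongly signed Release makes every file below it untrustworthy.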


3. Make the Public Key Available

Export the public part of your GPG key so client machines can download and trust it.

  1. Export the key to a file. Replace YOUR_KEY_ID with your Key ID.
    gpg --armor --export YOUR_KEY_ID > public.key
    
  2. Copy this public.key file to your web server so it's downloadable. A good location would be the root of your repository. For example: http://repo.example.com/uctl-agent/public.key.

4. Configure Client Hosts

On each machine that uses this repository, you need to download the public key and update the sources.list entry.

  1. Download the public key and store it in the APT keyrings directory.
    sudo mkdir -p /etc/apt/keyrings
    curl -fsSL http://repo.example.com/uctl-agent/public.key | sudo gpg --dearmor -o /etc/apt/keyrings/uctl-agent.gpg
    
  2. Modify your /etc/apt/sources.list.d/uctl-agent.list file to tell APT where to find the key for this specific repository using the signed-by option.
    deb [arch=amd64 signed-by=/etc/apt/keyrings/uctl-agent.gpg] http://repo.example.com/uctl-agent/1.0/ubuntu stable main
    
  3. Finally, run apt update. The error should now be gone.
    sudo apt update