Bug 29434 - Secure APT für lokales Repository aktivieren
Secure APT für lokales Repository aktivieren
Status: NEW
Product: UCS extended documentation
Classification: Unclassified
Component: Computer management
All Linux
: P5 enhancement (vote)
: ---
Assigned To: Docu maintainers
: 41250 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2012-11-28 12:56 CET by Philipp Hahn
Modified: 2017-08-22 15:47 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Further conceptual development
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2012-11-28 12:56:17 CET
+++ This bug was initially created as a clone of Bug #26669 +++
Weil ich es gerade für den Updater-Test gebraucht habe, habe ich das mal eben dokumentiert. Ggf. ein Kandidat für die erweiterte Dokumentation oder das Wiki.
Folgendermaßen kann man selber sein sicheres APT-Repository aufsetzen:

# Einmalig auf dem Repository-Server einen Schlüssel generieren
(umask 0077 ; makepasswd --chars 16 >/root/apt.pwd)
gpg --gen-key --status-fd 3 --batch 3>/root/apt.fpr <<__EOF__
%echo Generating key for APT
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Passphrase: $(</root/apt.pwd)
Name-Real: Local APT Mirror
Name-Email: apt-mirror@univention.de
Expire-Date: 365d
Handle: apt
%pubring /root/apt.pub
%secring /root/apt.sec
%echo done

# Einmalig Skript einbinden, daß nach jedem Mirror-Sync die Release-Dateien neu generiert und signiert
cat >/var/lib/univention-repository/var/postmirror.sh <<'__EOF__'
set -e
if [ -z "$1" ]
    cd /var/lib/univention-repository/mirror
    find ?.?/*maintained/?.?-? ?.?/*maintained/component/* \( -name all -o -name amd64 -o -name i386 \) -execdir "$0" {} \;
    exit $?
    cd "$1"
    rm -f Release*
    apt-ftparchive \
        -o "APT::FTPArchive::Release::Origin=Univention" \
        -o "APT::FTPArchive::Release::Label=Univention" \
        -o "APT::FTPArchive::Release::Version=$BASE" \
        -o "APT::FTPArchive::Release::Codename=$BASE/$1" \
        release . >Release.tmp
    mv Release.tmp Release
    KEYID=$(sed -ne 's/.* KEY_CREATED P \([0-9A-F]\+\) apt$/\1/p' /root/apt.fpr)
    gpg --no-default-keyring --no-use-agent \
        --secret-keyring /root/apt.sec --keyring /root/apt.pub \
        --local-user "$KEYID" --passphrase-file /root/apt.pwd \
        --detach-sign --armor \
        --output Release.gpg Release
chmod 0755 /var/lib/univention-repository/var/postmirror.sh

# Auf jedem Rechner der Domain den öffentlichen Schlüssel freischalten
apt-key add /root/apt.pub
Comment 1 Philipp Hahn univentionstaff 2016-05-19 09:25:25 CEST
*** Bug 41250 has been marked as a duplicate of this bug. ***
Comment 2 Philipp Hahn univentionstaff 2016-05-19 09:26:31 CEST
Remove old Release files once:
$ find /var/lib/univention-repository/mirror  -name Release\* -delete