Bug 29434 - Enable Secure APT for a local repository
Status: RESOLVED WONTFIX
Product: UCS extended documentation
Classification: Unclassified
Component: Computer management
Version: unspecified
Hardware: All Linux
Importance: P5 enhancement
Target Milestone: ---
Duplicates: 41250
Reported: 2012-11-28 12:56 CET by Philipp Hahn
Modified: 2024-04-17 13:16 CEST (History)
CC: 1 user
Bug group (optional): Further conceptual development
Description Philipp Hahn univentionstaff 2012-11-28 12:56:17 CET
+++ This bug was initially created as a clone of Bug #26669 +++
Since I just needed it for the updater test, I quickly documented it. Possibly a candidate for the extended documentation or the wiki.
This is how you can set up your own secure APT repository:

# Once, on the repository server: generate a signing key
# (bash syntax: $(<file) reads the passphrase file into the heredoc)
(umask 0077 ; makepasswd --chars 16 >/root/apt.pwd)
gpg --gen-key --status-fd 3 --batch 3>/root/apt.fpr <<__EOF__
%echo Generating key for APT
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Passphrase: $(</root/apt.pwd)
Name-Real: Local APT Mirror
Name-Email: apt-mirror@univention.de
Expire-Date: 365d
Handle: apt
%pubring /root/apt.pub
%secring /root/apt.sec
%commit
%echo done
__EOF__

# Once: hook in a script that regenerates and signs the Release files after every mirror sync
cat >/var/lib/univention-repository/var/postmirror.sh <<'__EOF__'
#!/bin/sh
set -e
# Release version, derived from the path below ".../maintained/"
BASE="${PWD#*maintained/}"
if [ -z "$1" ]
then
    # No argument: walk the mirror and call this script once per architecture directory
    cd /var/lib/univention-repository/mirror
    find ?.?/*maintained/?.?-? ?.?/*maintained/component/* \( -name all -o -name amd64 -o -name i386 \) -execdir "$0" {} \;
    exit $?
else
    # Argument given: rebuild and sign the Release file of that directory
    cd "$1"
    rm -f Release*
    apt-ftparchive \
        -o "APT::FTPArchive::Release::Origin=Univention" \
        -o "APT::FTPArchive::Release::Label=Univention" \
        -o "APT::FTPArchive::Release::Version=$BASE" \
        -o "APT::FTPArchive::Release::Codename=$BASE/$1" \
        release . >Release.tmp
    mv Release.tmp Release
    # Key fingerprint from the KEY_CREATED status line written during key generation
    KEYID=$(sed -ne 's/.* KEY_CREATED P \([0-9A-F]\+\) apt$/\1/p' /root/apt.fpr)
    gpg --no-default-keyring --no-use-agent \
        --secret-keyring /root/apt.sec --keyring /root/apt.pub \
        --local-user "$KEYID" --passphrase-file /root/apt.pwd \
        --detach-sign --armor \
        --output Release.gpg Release
fi
__EOF__
chmod 0755 /var/lib/univention-repository/var/postmirror.sh

# On every host in the domain: trust the public key
apt-key add /root/apt.pub
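The signature produced above covers only the Release file; what makes the whole index trustworthy is that Release lists the size and hash of every Packages file, and a client accepts an index only if those match. The following added example (not part of the bug report, nor UCS code) shows that second half of the chain: it renders a reduced Release file in apt-ftparchive's layout for some constructed in-memory index files, parses it back, and reports any index whose size or SHA256 disagrees with what Release states. The sample index contents, the `Origin`/`Label`/`Version`/`Codename` values and the helper names are assumptions.

```python
"""Check the hash chain below a signed Release file.

Added example, not part of the bug report or of UCS: after Release.gpg has
been verified against the mirror key, the index files are trusted only if
their size and SHA256 match the entries in Release. This script performs
that second step over constructed in-memory sample data.
"""
import hashlib

# Constructed sample index files, keyed by the path apt-ftparchive would
# write into Release (relative to the directory that holds Release).
INDEX_FILES = {
    "Packages": b"Package: example\nVersion: 1.0\nArchitecture: amd64\n\n",
    "Packages.gz": b"\x1f\x8b\x08\x00constructed-gzip-bytes",
}


def render_release(indexes, origin="Univention", label="Univention",
                   version="3.1-0", codename="3.1-0/amd64"):
    """Build a reduced Release file (header fields plus a SHA256 section)
    in the layout apt-ftparchive uses: ' <hash> <size> <path>' per index."""
    lines = [f"Origin: {origin}", f"Label: {label}", f"Version: {version}",
             f"Codename: {codename}", "SHA256:"]
    for path, data in sorted(indexes.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return (header fields, {path: (sha256 hex, size)}) from a Release file."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            # Indented lines belong to the hash section opened just above.
            if section == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        section = key.strip()
        if value.strip():
            fields[section] = value.strip()
    return fields, hashes


def verify_indexes(release_text, indexes):
    """Return the sorted list of index paths whose size or SHA256 disagree
    with Release. A path listed in Release but absent from `indexes` is
    reported too, since APT must not use an index it cannot verify."""
    _, expected = parse_release(release_text)
    bad = []
    for path, (digest, size) in expected.items():
        data = indexes.get(path)
        if (data is None or len(data) != size
                or hashlib.sha256(data).hexdigest() != digest):
            bad.append(path)
    return sorted(bad)


if __name__ == "__main__":
    release = render_release(INDEX_FILES)
    print(release)
    print("mismatches:", verify_indexes(release, INDEX_FILES))
    tampered = dict(INDEX_FILES, Packages=b"Package: replaced\n")
    print("mismatches after tampering:", verify_indexes(release, tampered))
```

A real Release file written by apt-ftparchive also carries `Date`, `Architectures` and the `MD5Sum` and `SHA1` sections; the script deliberately parses only `SHA256`, because a hash list is only as strong as the weakest algorithm a client is willing to accept.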
Comment 1 Philipp Hahn univentionstaff 2016-05-19 09:25:25 CEST
*** Bug 41250 has been marked as a duplicate of this bug. ***
Comment 2 Philipp Hahn univentionstaff 2016-05-19 09:26:31 CEST
Remove old Release files once:
$ find /var/lib/univention-repository/mirror  -name Release\* -delete
Comment 3 Nico Gulden univentionstaff 2024-04-17 13:16:26 CEST
This bug hasn't seen any update for several years. I close it.

If you still see a need for it, you can reopen the bug. Please add an argumentation about why it's important to take care of it.