Univention Bugzilla – Bug 29434
Enable Secure APT for local repository
Last modified: 2024-04-17 13:16:26 CEST
+++ This bug was initially created as a clone of Bug #26669 +++

Because I just needed it for the updater test, I quickly documented it. Possibly a candidate for the extended documentation or the wiki.

This is how you can set up your own secure APT repository:

# Generate a key once on the repository server
(umask 0077 ; makepasswd --chars 16 >/root/apt.pwd)
gpg --gen-key --status-fd 3 --batch 3>/root/apt.fpr <<__EOF__
%echo Generating key for APT
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Passphrase: $(</root/apt.pwd)
Name-Real: Local APT Mirror
Name-Email: apt-mirror@univention.de
Expire-Date: 365d
Handle: apt
%pubring /root/apt.pub
%secring /root/apt.sec
%commit
%echo done
__EOF__

# Install a script once that regenerates and signs the Release files after every mirror sync
cat >/var/lib/univention-repository/var/postmirror.sh <<'__EOF__'
#!/bin/sh
set -e
BASE="${PWD#*maintained/}"
if [ -z "$1" ]
then
    cd /var/lib/univention-repository/mirror
    find ?.?/*maintained/?.?-? ?.?/*maintained/component/* \( -name all -o -name amd64 -o -name i386 \) -execdir "$0" {} \;
    exit $?
else
    cd "$1"
    rm -f Release*
    apt-ftparchive \
        -o "APT::FTPArchive::Release::Origin=Univention" \
        -o "APT::FTPArchive::Release::Label=Univention" \
        -o "APT::FTPArchive::Release::Version=$BASE" \
        -o "APT::FTPArchive::Release::Codename=$BASE/$1" \
        release . >Release.tmp
    mv Release.tmp Release
    KEYID=$(sed -ne 's/.* KEY_CREATED P \([0-9A-F]\+\) apt$/\1/p' /root/apt.fpr)
    gpg --no-default-keyring --no-use-agent \
        --secret-keyring /root/apt.sec --keyring /root/apt.pub \
        --local-user "$KEYID" --passphrase-file /root/apt.pwd \
        --detach-sign --armor \
        --output Release.gpg Release
fi
__EOF__
chmod 0755 /var/lib/univention-repository/var/postmirror.sh

# Enable the public key on every computer of the domain
apt-key add /root/apt.pub
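
Added example (not part of the original comment and not Univention code): a check for one repository directory as produced by the postmirror.sh above. It confirms that Release.gpg exists, optionally verifies it with gpgv against a public keyring such as /root/apt.pub, and compares the SHA256 entries in Release with the files on disk. The function name check_release_dir and the presence of a SHA256 section in Release are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage: check_release_dir DIR [KEYRING]
# DIR holds Release, Release.gpg and the index files listed in Release.

check_release_dir() {
    dir=$1
    keyring=${2:-}
    [ -f "$dir/Release" ] || { echo "$dir: Release missing" >&2; return 1; }
    [ -f "$dir/Release.gpg" ] || { echo "$dir: Release.gpg missing (unsigned)" >&2; return 1; }

    # Verify the detached signature only when a public keyring was given.
    if [ -n "$keyring" ]; then
        gpgv --keyring "$keyring" "$dir/Release.gpg" "$dir/Release" 2>/dev/null ||
            { echo "$dir: signature does not verify" >&2; return 1; }
    fi

    # Collect "hash size name" triples from the SHA256 section of Release.
    entries=$(awk '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0}
                   s && NF==3 {print $1, $2, $3}' "$dir/Release")
    [ -n "$entries" ] || { echo "$dir: no SHA256 entries in Release" >&2; return 1; }

    rc=0
    while read -r hash size name; do
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "$dir: $name listed in Release but missing" >&2
            rc=1
            continue
        fi
        actual_size=$(wc -c <"$file" | tr -d ' ')
        actual_hash=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual_size" != "$size" ] || [ "$actual_hash" != "$hash" ]; then
            echo "$dir: $name does not match Release (stale or modified)" >&2
            rc=1
        fi
    done <<EOF
$entries
EOF
    return $rc
}
```
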
*** Bug 41250 has been marked as a duplicate of this bug. ***
Remove old Release files once:
$ find /var/lib/univention-repository/mirror -name Release\* -delete
This bug hasn't seen any update for several years. I am closing it. If you still see a need for it, you can reopen the bug. Please add an explanation of why it's important to take care of it.