Bug 29434

Summary: Secure APT für lokales Repository aktivieren
Product: UCS extended documentation
Reporter: Philipp Hahn <hahn>
Component: Computer management
Assignee: Docu maintainers <docu-maintainers>
Status: RESOLVED WONTFIX
Severity: enhancement
Priority: P5
CC: gohmann
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
See Also: http://forge.univention.org/bugzilla/show_bug.cgi?id=45185
Bug group (optional): Further conceptual development

Description Philipp Hahn univentionstaff 2012-11-28 12:56:17 CET
+++ This bug was initially created as a clone of Bug #26669 +++
Because I just needed it for the updater test, I quickly documented it. Possibly a candidate for the extended documentation or the wiki.
This is how you can set up your own secure APT repository:

# Generate a key once on the repository server
(umask 0077 ; makepasswd --chars 16 >/root/apt.pwd)
gpg --gen-key --status-fd 3 --batch 3>/root/apt.fpr <<__EOF__
%echo Generating key for APT
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Passphrase: $(</root/apt.pwd)
Name-Real: Local APT Mirror
Name-Email: apt-mirror@univention.de
Expire-Date: 365d
Handle: apt
%pubring /root/apt.pub
%secring /root/apt.sec
%commit
%echo done
__EOF__

# Hook in a script once that regenerates and signs the Release files after every mirror sync
cat >/var/lib/univention-repository/var/postmirror.sh <<'__EOF__'
#!/bin/sh
set -e
BASE="${PWD#*maintained/}"
if [ -z "$1" ]
then
    cd /var/lib/univention-repository/mirror
    find ?.?/*maintained/?.?-? ?.?/*maintained/component/* \( -name all -o -name amd64 -o -name i386 \) -execdir "$0" {} \;
    exit $?
else
    cd "$1"
    rm -f Release*
    apt-ftparchive \
        -o "APT::FTPArchive::Release::Origin=Univention" \
        -o "APT::FTPArchive::Release::Label=Univention" \
        -o "APT::FTPArchive::Release::Version=$BASE" \
        -o "APT::FTPArchive::Release::Codename=$BASE/${1#./}" \
        release . >Release.tmp
    mv Release.tmp Release
    # find -execdir passes "./all", "./amd64", ...; the "./" is stripped above for the Codename.
    # Key fingerprint taken from the KEY_CREATED status line recorded during --gen-key
    KEYID=$(sed -ne 's/.* KEY_CREATED P \([0-9A-F]\+\) apt$/\1/p' /root/apt.fpr)
    gpg --batch --no-default-keyring --no-use-agent \
        --secret-keyring /root/apt.sec --keyring /root/apt.pub \
        --local-user "$KEYID" --passphrase-file /root/apt.pwd \
        --detach-sign --armor \
        --output Release.gpg Release
fi
__EOF__
chmod 0755 /var/lib/univention-repository/var/postmirror.sh

# On every host in the domain, add the public key to the trusted APT keys
apt-key add /root/apt.pub
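As an added consistency check (not part of this bug report or of UCS), the following Python script parses the Release file that apt-ftparchive writes and compares the listed hashes and sizes with the index files on disk, which is exactly what silently breaks when a mirror sync lands without postmirror.sh having re-run; the sample repository it builds is constructed, and verifying Release.gpg itself is left to gpg --verify or apt-get update.

```python
import hashlib
import tempfile
from pathlib import Path

HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # Release sections -> hashlib names

def parse_release(text):
    """Return {algo: [(hexdigest, size, relpath), ...]} from a Release file's hash sections."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):      # "Key: value" or "MD5Sum:" header line
            current = HASH_SECTIONS.get(line.split(":", 1)[0])
        elif current is not None:         # indented "<hash> <size> <path>" entry
            digest, size, path = line.split()
            entries.setdefault(current, []).append((digest.lower(), int(size), path))
    return entries

def check_release(repo_dir):
    """Compare each index listed in repo_dir/Release with the file on disk; return a list of problems."""
    entries = parse_release(Path(repo_dir, "Release").read_text())
    problems = [] if "sha256" in entries else ["Release lists no SHA256 section"]
    for algo, items in entries.items():
        for digest, size, path in items:
            index = Path(repo_dir, path)
            if not index.is_file():
                problems.append(f"{path}: listed in Release but missing on disk")
                continue
            data = index.read_bytes()
            if len(data) != size:
                problems.append(f"{path}: size {len(data)} != {size} in Release")
            if hashlib.new(algo, data).hexdigest() != digest:
                problems.append(f"{path}: {algo} mismatch (index changed after Release was signed?)")
    return problems

def write_demo_repo(repo_dir, packages):
    """Constructed sample: one Packages index plus a Release covering it, laid out as apt-ftparchive writes it."""
    Path(repo_dir, "Packages").write_bytes(packages)
    lines = ["Origin: Univention", "Label: Univention", "Codename: 3.1-0/all"]
    for section, algo in HASH_SECTIONS.items():
        lines += [f"{section}:", f" {hashlib.new(algo, packages).hexdigest()} {len(packages):16d} Packages"]
    Path(repo_dir, "Release").write_text("\n".join(lines) + "\n")

def demo():
    """Return (problems right after signing, problems after a sync changed the index without re-signing)."""
    with tempfile.TemporaryDirectory() as repo:
        write_demo_repo(repo, b"Package: univention-example\nVersion: 1.0\nArchitecture: all\n\n")
        fresh = check_release(repo)
        index = Path(repo, "Packages")   # a later mirror sync appends an entry but nobody re-signs
        index.write_bytes(index.read_bytes() + b"Package: newly-synced\nVersion: 2.0\nArchitecture: all\n\n")
        return fresh, check_release(repo)
```

Run check_release against each directory postmirror.sh signs (e.g. a 3.1-0/all mirror tree) to confirm the signature still covers what apt will download.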
Comment 1 Philipp Hahn univentionstaff 2016-05-19 09:25:25 CEST
*** Bug 41250 has been marked as a duplicate of this bug. ***
Comment 2 Philipp Hahn univentionstaff 2016-05-19 09:26:31 CEST
Remove old Release files once:
$ find /var/lib/univention-repository/mirror -name Release\* -delete
Comment 3 Nico Gulden univentionstaff 2024-04-17 13:16:26 CEST
This bug hasn't seen any update for several years. I am closing it.

If you still see a need for it, you can reopen the bug. Please add an argument for why it's important to take care of it.