Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

position76
Posts: 3
Joined: 2023-04-20 01:30

Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#1 Post by position76 »

Hello everyone.....

This week I've been trying to build a secure local repository on my server. I used Debian DVD files for my repository. Here is how I build my repository using the DVD.
1. First, I just link all DVD files to the /var/www/html directory

Code:

ln -s /media/dvd-mount/* /var/www/html/

2. After linking them, I need access to the Release file, which is located in the /var/www/html/dists/stable/ directory, to create the InRelease and Release.gpg files. We know that we can't change files inside a mounted ISO. So what I do is unlink the /var/www/html/dists directory and then copy the dists directory directly from /media/dvd-mount to /var/www/html. Now I can make changes in the dists directory.

3. In order to make my repository secure, I have to sign my Release file. I use these commands to do that

Code:

gpg --gen-key --default-new-key-algo=rsa4096/cert,sign+rsa4096/encr
gpg -a --yes --output dists/stable/Release.gpg --local-user <username> --detach-sign dists/stable/Release
gpg -a --yes --clearsign --output dists/stable/InRelease --local-user <username> --detach-sign dists/stable/Release
gpg --export <username> | tee pubkey.gpg > /dev/null

The first line is used to create new gpg keys for signing, the second is to create the Release.gpg file, the third the InRelease file, and the last is to export the pubkey from the gpg keys I used.

4. After signing the Release files and exporting the pubkey, the last thing is to add my server address to the /etc/apt/sources.list file and save the pubkey to the /etc/apt/trusted.gpg.d/ directory.
My sources.list file now looks like this

Code:

# deb cdrom:[Debian GNU/Linux 11.4.0 _Bullseye_ - Official amd64 DVD Binary-1 20220709-10:33]/ bullseye contrib main
#deb cdrom:[Debian GNU/Linux 11.4.0 _Bullseye_ - Official amd64 DVD Binary-1 20220709-10:33]/ bullseye contrib main

deb http://10.10.10.1/debian bullseye main contrib

And my trusted.gpg.d looks like this

Code:

root@debian:/etc/apt/trusted.gpg.d# ls
debian-archive-bullseye-automatic.gpg		debian-archive-buster-automatic.gpg	      debian-archive-stretch-automatic.gpg	     pubkey.gpg
debian-archive-bullseye-security-automatic.gpg	debian-archive-buster-security-automatic.gpg  debian-archive-stretch-security-automatic.gpg
debian-archive-bullseye-stable.gpg		debian-archive-buster-stable.gpg	      debian-archive-stretch-stable.gpg
root@debian:/etc/apt/trusted.gpg.d#

5. Those steps should be enough to secure my repository, but when I start to update my repository, I get these messages:

Code:

Ign:1 http://10.10.10.1/debian bullseye InRelease
Hit:2 http://10.10.10.1/debian bullseye Release
Ign:3 http://10.10.10.1/debian bullseye Release.gpg
Reading package lists... Done
E: The repository 'http://10.10.10.1/debian bullseye Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

6. I tried to verify my Release file using the command gpg --verify Release.gpg Release

Code:

root@debian:/var/www/html/dists/bullseye# ls
contrib  InRelease  main  Release  Release.gpg
root@debian:/var/www/html/dists/bullseye# gpg --verify Release.gpg Release
gpg: Signature made Thu 20 Apr 2023 09:06:29 AM WIB
gpg:                using RSA key 91E41F7C5A54476C81F905FAC408BDC6B014B343
gpg:                issuer "client@tes.com"
gpg: Good signature from "client <client@tes.com>" [ultimate]
root@debian:/var/www/html/dists/bullseye#

It said that it's signed already.

I'm stuck at this error. Is there something I missed doing, or is there something I did wrong?
Forgive me if my explanation is weird; I'm trying my best to make it as understandable as possible.
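The check that settles a question like this is to reproduce what apt-secure does rather than what gpg --verify does: apt verifies Release.gpg and InRelease with gpgv against the keyring it was given, and then trusts the Packages indexes only through the SHA256 sums listed in the signed Release file. The script below is an added example, not code from the thread; the function names, the dists/bullseye and pubkey.gpg paths in its comments, and the demo tree it builds are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks apt-secure performs on a
# repository, which a plain "gpg --verify Release.gpg Release" does not cover.
#   1. gpgv against the exported key only (the keyring apt is told to use)
#   2. SHA256 of every index file listed in the signed Release file
# Point the functions at the exact dist directory that sources.list names,
# e.g. dists/bullseye, since that is the Release apt fetches.
set -u

# Step 1 (needs gpgv; hypothetical paths): verify both signature forms with
# gpgv, restricted to the one exported key rather than the signer's keyring.
verify_release_sig() {  # verify_release_sig <dist dir> <keyring file>
    dist=$1; keyring=$2
    gpgv --keyring "$keyring" "$dist/Release.gpg" "$dist/Release" || return 1
    gpgv --keyring "$keyring" "$dist/InRelease" || return 1
}

# Step 2: the signature covers only Release; the Packages indexes are trusted
# because Release lists their SHA256 sums. Check each listed file that exists
# on disk and fail on the first mismatch. Returns 0 when everything matches.
check_release_hashes() {  # check_release_hashes <dist dir>
    dist=$1; status=0
    # Entries run from the "SHA256:" header to the next non-indented line.
    awk '/^SHA256:/{f=1; next} /^[^ ]/{f=0} f{print $1, $3}' "$dist/Release" |
    while read -r want path; do
        [ -f "$dist/$path" ] || continue
        have=$(sha256sum "$dist/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "SHA256 mismatch: $path" >&2; exit 1   # exits the subshell only
        fi
    done || status=1
    return $status
}

# Constructed demo tree: one Packages index and a Release that lists it.
demo=$(mktemp -d); mkdir -p "$demo/main/binary-amd64"
pkgs="$demo/main/binary-amd64/Packages"
printf 'Package: hello\nVersion: 2.10-2\n' > "$pkgs"
printf 'Suite: bullseye\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
    "$(sha256sum "$pkgs" | cut -d' ' -f1)" "$(wc -c < "$pkgs" | tr -d ' ')" \
    > "$demo/Release"
check_release_hashes "$demo" && echo "demo: index hashes match Release"
# An index altered after Release was signed must be rejected.
echo 'Priority: optional' >> "$pkgs"
check_release_hashes "$demo" || echo "demo: tampered index detected"
rm -rf "$demo"
# Real use: verify_release_sig /var/www/html/dists/bullseye \
#               /etc/apt/trusted.gpg.d/pubkey.gpg && check_release_hashes ...
```

Running the gpgv step against the keyring from trusted.gpg.d and the Release at the path apt actually requests is the closest offline stand-in for the "not signed" verdict apt prints.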

CwF
Global Moderator
Posts: 2719
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 201 times

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#2 Post by CwF »

position76 wrote: 2023-04-20 02:20 I'm stuck at this error, is there something I missed to do?
Maybe
Reading package lists... Done
You did not mention this file. Did you make it?
If not, and it is from the DVD, I believe this has a path prefix that is now wrong.
I haven't done these things in a while, but when I have used a local repository this file is made by dpkg-scanpackages from dpkg-dev.deb

position76
Posts: 3
Joined: 2023-04-20 01:30

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#3 Post by position76 »

Other than the Release.gpg and InRelease files, I'm not creating any; they are all pure from the ISO.
I believe this has a path prefix that is now wrong.
Is it supposed to be fine? I'm not moving anything though, I just wanna secure the Release file only.

CwF
Global Moderator
Posts: 2719
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 201 times

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#4 Post by CwF »

position76 wrote: 2023-04-21 07:04 I'm not moving anything though
You did move from the dvd.
Open and view the package file and check! I could be wrong!

position76
Posts: 3
Joined: 2023-04-20 01:30

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#5 Post by position76 »

CwF wrote: 2023-04-21 07:31
position76 wrote: 2023-04-21 07:04 I'm not moving anything though
You did move from the dvd.
Open and view the package file and check! I could be wrong!
Hmmmmm, I'm really sorry but, where is the package file located? I used the find command in the /var/www/html directory but no file with the name "package" was found.

Code:

root@debian:/var/www/html# find . -iname package
root@debian:/var/www/html#

To be honest, I'm very new to this repository stuff, so what I did is follow the existing guide from a tutorial.
Last edited by position76 on 2023-04-21 08:39, edited 1 time in total.

CwF
Global Moderator
Posts: 2719
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 201 times

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#6 Post by CwF »

I'm late!

a package.gz or other format is on the iso somewhere! I'm not sure of your purpose exactly, and there are many ways to create and use a local, or intranet, repository. Utilizing the iso image directory is the oldest and at the bottom of the list.

maxlinux2000
Posts: 1
Joined: 2023-10-26 08:59

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#7 Post by maxlinux2000 »

Hello,
I have found this way to convert Debian DVDs into a repository, without occupying more .iso space on the hard drive.
The trick is to use the signed "Release" files of the same DVD and modify the /etc/sources.list of the client.

I put 2 scripts in this post.

The first is to download the ISO and other useful things, and the second is to mount the .iso and create the sources.list to copy/paste into the configuration of the clients.

In the first script I need to automate jigdo-file to download the amd64 binaries... if you know how to do it non-interactively I would be very grateful.

On the server you have to install apache2 (or another web service of your liking).

I don't know if you're doing this to keep them safe from the next definitive internet blackout, or just to do development on your intranet.

In the first case I'd like to talk to you. (Telegram @maxlinux2000 )

Greetings
MaX
Attachment: CrearMirror.tgz (1.28 KiB)

Bloom
df -h | grep > 90TiB
Posts: 505
Joined: 2017-11-11 12:23
Been thanked: 26 times

Re: Signing My Local Repository With GPG, But Got Error That Said Still Unsigned

#8 Post by Bloom »

You don't need to sign local repositories. Just use

Code:

deb [trusted=yes] ...
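As a defender's footnote to this answer (an added example, not Bloom's words): [trusted=yes] turns signature verification off for that source entirely, so the hardened alternative is to keep the signing from the first post and bind the exported key to this one repository with signed-by, instead of dropping it into /etc/apt/trusted.gpg.d/ where it is trusted for every repository on the system. The keyring path below is an assumed one.

```text
# Weak: no signature check at all; whatever reaches the client over plain HTTP is installed unverified.
deb [trusted=yes] http://10.10.10.1/debian bullseye main contrib

# Hardened: signatures are required, and the local key (exported with
# "gpg --export <username> > /usr/share/keyrings/local-repo.gpg", an assumed path)
# is accepted only for this source, not for every repository on the system.
deb [signed-by=/usr/share/keyrings/local-repo.gpg] http://10.10.10.1/debian bullseye main contrib
```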
