Webserver configuration
Installing the webserverapt-get install apache
<Directory /var/www/repos/ >
        Options Indexes FollowSymLinks Multiviews
        Order allow,deny
        Allow from all
</Directory>
<Directory "/var/www/repos/apt/*/db/">
        Order allow,deny
        Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/conf/">
        Order allow,deny
        Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/incoming/">
        Order allow,deny
        Deny from all
<?/Directory>
RNG Tools
The rngd daemon acts as a bridge between a Hardware TRNG (true random number generator) such as the ones in some Intel/AMD/VIA chipsets, and the kernel's PRNG (pseudo-random number generator). Virtual Machines are generally really bad at generating enough entropy that the gpg key generation need. RNG Tools aids that process.< /br>
NOTE: This step is optional but highly recommended if you are using a virtual machine
apt-get install rng-tools vi /etc/default/rng-toolsEdit and Add the following
HRNGDEVICE=/dev/urandom
Finally start the service
/etc/init.d/rng-tools start
GPG key file generation
Next we will generate a GPG key to sign our repository and all of our packages with.
root@agent1:/home/alex# gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "
Real name: DevOps stuff
Email address: dev@gmx.de
Comment: DevOps stuff
You selected this USER-ID:
    "devops (DevOps stuff) "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.................+++++
.......+++++
gpg: key F15542E1 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/F15542E1 2012-11-30
      Key fingerprint = FF1E A313 F3DA 256B A40E  FB3E 0749 613D F155 42E1
uid                  devops (DevOps stuff) 
sub   2048R/024EC2A2 2012-11-30
       
Create public GPG key
Now the key is already created and in the keychain. You may list it withroot@agent1:/home/alex# gpg --list-keys /root/.gnupg/pubring.gpg ------------------------ pub 2048R/F15542E1 2012-11-30 uid devops (DevOps stuff)sub 2048R/024EC2A2 2012-11-30 
Create the gpg key file that will be shared publicly via the webserver.
root@agent1:/home/alex# gpg --armor --output secure.gpg.key --export 024EC2A2please note 024EC2A2 comes from the gpg --list-keys above!
Configure the Repository
Create the directory structuremkdir -p /var/www/repos/apt/debian/conf cd /var/www/repos/apt/debian/confCreate the file "distributions" in the cwd and make sure the gpg key is used to sign the repository, add the following to the file
Origin: Alex Debian repo Label: alex Codename: precise Architectures: amd64 i386 source Components: main Description: alex apt repository DebOverride: override.precise DscOverride: override.precise SignWith: 024EC2A2
Create a file called "options" with the following content:
verbose basedir . ask-passphrase
Now create an empty file called "override.precise"
touch override.precise
Signing existing packages
dpkg-sig --sign builder /home/alex/demo-package-2.0.6_1.0-1_amd64.deb
Managing the repository
For this task we will use the tool "reprepro" which makes it very straightforward:
Install reprepro:
sudo apt-get install repreproAdd a package:
reprepro -Vb . includedeb precise /home/alex/demo-package-2.0.6_1.0-1_amd64.debRemove a package:
reprepro -b . remove precise demo-package
Please note that when removing we are using the package name as it is described in the package manifest and the the filename itself
