Quick Version
I have set up a private deb repository and copied some signed deb packages into it. I have installed the signing key locally. However when I try to install from the repo I get this warning:
WARNING: The following packages cannot be authenticated!
When installing manually, I can just press y but I want to install these packages automatically using puppet, and that fails.
So what's the problem? Do I need to re-sign the packages with a key I control? Is there a better way of ensuring I have a particular version of puppet installed?
More Details
I have got the packages from the puppet debian repository - http://apt.puppetlabs.com/. I just copy the package from (for lucid) this directory.
The repository is then updated with a script that runs these commands for each repo:
cd /var/www/html/apt/ubuntu/lucid
dpkg-scanpackages binary /dev/null | gzip -9c > binary/Packages.gz
dpkg-scansources sources /dev/null | gzip -9c > sources/Sources.gz
I have installed the signing key on the client.
$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
...
pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
uid Puppet Labs Release Key (Puppet Labs Release Key) <[email protected]>
...
The rationale for doing this is that I want all puppet clients to be the same version. So all machines should get the packages from my repository by using the following pin in /etc/apt/preferences.d/puppet:
Package: puppet puppet-common facter
Pin: origin deb.example.org
Pin-Priority: 1001
(We are currently using puppet 2.6.x, so I need a priority of 1001 to downgrade precise clients from 2.7.x).
I have read about holding packages but that doesn't help me change package versions.
All suggestions welcome.
*.deb packages are not signed directly, in Debian. There is a way to do that, but nothing in Debian uses it. The principle used by Debian and Ubuntu APT repositories instead works like this:

All *.deb binary packages are listed in a file (e.g.) binary-i386/Packages.gz with their checksums. (All current Debian and Ubuntu versions use all three(!) of MD5, SHA-1 and SHA-256 for this. Old versions used MD5 only.) All *.dsc source packages are listed in source/Sources.gz.

All these files binary-*/Packages.* and source/Sources.* are then listed, with their checksums, in a file Release, which is signed as either Release.gpg or InRelease, with the PGP key of the repository.

So basically, if you put any packages into an APT repository of your own, you will need to sign that repository, and use apt-key add to import your own repository's signing key into your system when you want to use any packages from that repository.
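A worked example of the chain the answer describes, added here and not part of the original question or answer: starting from a binary/Packages.gz like the one the question's dpkg-scanpackages script produces, it writes a Release file listing each index file with its size and MD5, SHA-1 and SHA-256 digests (the hash-section layout that apt-ftparchive release emits), then re-verifies the index files against Release, which is the check apt performs once the Release signature has been verified. It also shows why rescanning alone is not enough: rewriting Packages.gz afterwards makes the Release checksums fail. The repository contents, the package version string, the Suite/Origin values and the assumed binary/ layout are all constructed for the example; the gpg --clearsign and gpg -abs calls in sign_release() are the standard Debian signing commands but are not run by the offline demo.

```python
"""Added example, not from the original question or answer: build and check
the checksum chain of a flat APT repository (Packages -> Release -> signature).

Assumptions not taken from the page: the repo root holds binary/Packages and
binary/Packages.gz (as the question's dpkg-scanpackages step would produce),
Release is written at the root, and gpg is only invoked by sign_release(),
which the offline demo below never calls."""
import gzip
import hashlib
import os
import shutil
import subprocess
import tempfile

# Index files covered by Release, relative to the repo root (assumed layout).
INDEX_FILES = ("binary/Packages", "binary/Packages.gz")
# Release section header -> hashlib algorithm; all three, as current apt expects.
HASHES = (("MD5Sum", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256"))


def write_release(repo, suite="lucid", origin="deb.example.org"):
    """Write <repo>/Release: a few headers, then one section per hash algorithm
    listing 'digest size path' for every index file present."""
    lines = [f"Origin: {origin}", f"Suite: {suite}",
             "Architectures: i386 amd64", "Components: binary"]
    present = [p for p in INDEX_FILES if os.path.isfile(os.path.join(repo, p))]
    for header, algo in HASHES:
        lines.append(f"{header}:")
        for rel in present:
            with open(os.path.join(repo, rel), "rb") as fh:
                data = fh.read()
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data):>16} {rel}")
    text = "\n".join(lines) + "\n"
    with open(os.path.join(repo, "Release"), "w") as fh:
        fh.write(text)
    return text


def parse_release(text):
    """Return {index_path: {'md5': ..., 'sha1': ..., 'sha256': ..., 'size': n}}."""
    by_header = dict(HASHES)
    entries, algo = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and algo:      # continuation line inside a hash section
            digest, size, rel = line.split()
            entries.setdefault(rel, {})[algo] = digest
            entries[rel]["size"] = int(size)
        else:                                  # header or blank line: which section, if any?
            algo = by_header.get(line.rstrip(":"))
    return entries


def verify_release(repo):
    """Re-hash every index file named in Release and compare size and every
    listed digest. Returns (ok, problems)."""
    with open(os.path.join(repo, "Release")) as fh:
        wanted = parse_release(fh.read())
    problems = []
    for rel, want in wanted.items():
        path = os.path.join(repo, rel)
        if not os.path.isfile(path):
            problems.append(f"{rel}: missing")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != want["size"]:
            problems.append(f"{rel}: size {len(data)} != {want['size']}")
        for _, algo in HASHES:
            if algo in want and hashlib.new(algo, data).hexdigest() != want[algo]:
                problems.append(f"{rel}: {algo} mismatch")
    return (not problems, problems)


def sign_release(repo, key_id):
    """Sign Release with the repository key: InRelease (clearsigned) and
    Release.gpg (detached, ASCII-armored). Needs gpg and the private key."""
    release = os.path.join(repo, "Release")
    for out, flags in (("InRelease", ["--clearsign"]), ("Release.gpg", ["-abs"])):
        subprocess.run(["gpg", "--yes", "--default-key", key_id, *flags,
                        "-o", os.path.join(repo, out), release], check=True)


def build_demo_repo():
    """Constructed sample repo: one made-up Packages stanza (version, Size and
    MD5sum are placeholders, not real package data)."""
    repo = tempfile.mkdtemp(prefix="aptdemo-")
    os.makedirs(os.path.join(repo, "binary"))
    stanza = (b"Package: puppet\nVersion: 2.6.1-0example1\nArchitecture: all\n"
              b"Filename: binary/puppet_2.6.1-0example1_all.deb\nSize: 1234\n"
              b"MD5sum: 00000000000000000000000000000000\n\n")
    with open(os.path.join(repo, "binary/Packages"), "wb") as fh:
        fh.write(stanza)
    with gzip.open(os.path.join(repo, "binary/Packages.gz"), "wb") as fh:
        fh.write(stanza)
    write_release(repo)
    return repo


def demo():
    """Verify the fresh repo, then rewrite Packages.gz (as anyone swapping a
    .deb behind apt's back would have to) and verify again."""
    repo = build_demo_repo()
    with open(os.path.join(repo, "Release")) as fh:
        listed = sorted(parse_release(fh.read()))
    ok_before, _ = verify_release(repo)
    gz = os.path.join(repo, "binary/Packages.gz")
    with gzip.open(gz, "rb") as fh:
        stanza = fh.read()
    with gzip.open(gz, "wb") as fh:
        fh.write(stanza.replace(b"2.6.1", b"2.7.0"))
    ok_after, problems = verify_release(repo)
    shutil.rmtree(repo)
    return {"listed": listed, "ok_before": ok_before,
            "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real repository the order is the one the answer implies: re-scan with dpkg-scanpackages, regenerate Release (this script or apt-ftparchive release), sign it with the private key, and give clients only the public key for apt-key add. Because the signature covers Release and Release covers every index, a later edit to Packages.gz, or to a .deb whose checksum is recorded in Packages, is rejected without anyone having to sign individual .deb files.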