5 år sedan · c7dbea0b86
--- a/apt-publisher/README
+++ b/apt-publisher/README
@@ -1,176 +1,30 @@
 This is what I did initially in the `make shell` once:
 First did instructions in --> INIT.TXT

 ```
 root@9a0308ff4ef9:/home/trigen/projects/build-config/apt-publisher# gpg --gen-key
 gpg: WARNING: unsafe enclosing directory ownership on configuration file `/root/.gnupg/gpg.conf'
 gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 Then make sure you have an "empty" repo.

 Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
 Your selection? 1
 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 4096
 Requested keysize is 4096 bits
 Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
 Key is valid for? (0) 0
 Key does not expire at all
 Is this correct? (y/N) y
    reprepro -b /repo remove bionic whatever  # if needed

 You need a user ID to identify your key; the software constructs the user ID
 from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

 Real name: Ray Burgemeestre
 Email address: ray@cppse.nl
 Comment:
 You selected this USER-ID:
    "Ray Burgemeestre <ray@cppse.nl>"

 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
 You need a Passphrase to protect your secret key.

 You don't want a passphrase - this is probably a *bad* idea!
 I will do it anyway.  You can change your passphrase at any time,
 using this program with the option "--edit-key".

 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 .................+++++

 Not enough random bytes available.  Please do some other work to give
 the OS a chance to collect more entropy! (Need 103 more bytes)
 .+++++
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 .+++++
 ..+++++
 gpg: key 4FEF6E3C marked as ultimately trusted
 public and secret key created and signed.

 gpg: checking the trustdb
 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
 gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
 pub   4096R/4FEF6E3C 2019-12-26
      Key fingerprint = 0398 0E09 AB56 969E 7AB3  A258 B563 6175 4FEF 6E3C
 uid                  Ray Burgemeestre <ray@cppse.nl>
 sub   4096R/DB72E674 2019-12-26
 ```

 Continued executing:

 ```
 root@9a0308ff4ef9:/home/trigen/projects/build-config/apt-publisher# gpg --edit-key 4FEF6E3C
 gpg: WARNING: unsafe enclosing directory ownership on configuration file `/root/.gnupg/gpg.conf'
 gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

 Secret key is available.

 pub  4096R/4FEF6E3C  created: 2019-12-26  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
 sub  4096R/DB72E674  created: 2019-12-26  expires: never       usage: E
 [ultimate] (1). Ray Burgemeestre <ray@cppse.nl>

 gpg> addkey
 This key is not protected.
 Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
 Your selection? 4
 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 4096
 Requested keysize is 4096 bits
 Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
 Key is valid for? (0) 0
 Key does not expire at all
 Is this correct? (y/N) y
 Really create? (y/N) y
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 .+++++
 ....+++++

 pub  4096R/4FEF6E3C  created: 2019-12-26  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
 sub  4096R/DB72E674  created: 2019-12-26  expires: never       usage: E
 sub  4096R/0354330E  created: 2019-12-26  expires: never       usage: S
 [ultimate] (1). Ray Burgemeestre <ray@cppse.nl>

 gpg> save
 ```

 EDIT: did above again to make another signing key, this time with password "public".
 The version of gpg in Ubuntu 14.04 has a bug that cannot handle empty passwords.

 From the tutorial, 10E6133F is for me: 4FEF6E3C
              and, 7B34E07C is for me: DB72E674

             Then, A72DB3EF is for me: 0354330E << INCORRECT, see below
             Then, A72DB3EF is for me:

 Then:

 ```
 gpg --export-secret-key 4FEF6E3C > keys/private.key
 gpg --export 4FEF6E3C >> keys/private.key

 gpg --export 4FEF6E3C > keys/public.key
 gpg --export-secret-subkeys 0354330E > keys/signing.key

 ```

 EDIT: scratch this, retry tomorrow.
 With newer ubuntu? :-)


 ---- delete above ---

 First did instructions in INIT.TXT

 Then make sure you have an "empty" repo,

 reprepro -b /repo remove bionic whatever

 Until it's empty, then:
 Until it's empty, then, if you didn't already at some point:

 	ssh-keygen -f keys/ssh < <(echo "\n\n")

 Then:

 	sudo tar -czf secret.tar.gz keys gnupg repo
    # might print some errors

 Upload that thing to some secret URL you can use during CI
    # might print some errors on special files, can be ignored.

 Upload that thing to some secret URL you can use during CI.

 ---

 Usage:
 Usage after all this:

 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5CE16B7B
 sudo add-apt-repository "deb https://cppse.nl/repo/ $(lsb_release -cs) main"
    # install key
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5CE16B7B
    
    # install repo
    sudo add-apt-repository "deb https://cppse.nl/repo/ $(lsb_release -cs) main"
    
    # enjoy
    sudo apt-get install whatever

--- a/apt-publisher/deprecated/Dockerfile
+++ b/apt-publisher/deprecated/Dockerfile
@@ -1,16 +0,0 @@
 FROM ubuntu:16.04

 # based on https://medium.com/sqooba/create-your-own-custom-and-authenticated-apt-repository-1e4a4cf0b864

 MAINTAINER Ray Burgemeestre

 RUN apt-get update && \
    apt install -y sudo wget gnupg2 \
                   apache2 dpkg-dev dpkg-sig \
                   apt-utils && \
    \
    mkdir -p /repo && \
    mkdir -p ~/.gnupg && \
    rm -rf /var/lib/apt/lists/*

 CMD "/bin/bash"
--- a/apt-publisher/deprecated/initialize.sh
+++ b/apt-publisher/deprecated/initialize.sh
@@ -1,33 +0,0 @@
 export KEYNAME=dpkg
 export EMAIL=${KEYNAME}@cppse.nl

 # We invoke this script with "bash ../initialize.sh", hence this weirdness..
 echo "cert-digest-algo SHA256" >> ~/.gnupg/gpg.conf
 echo "digest-algo SHA256" >> ~/.gnupg/gpg.conf
 ####

 pushd keys
 cat > $KEYNAME.batch <<EOF
 %echo Generating a standard key
 Key-Type: RSA
 Key-Length: 4096
 Subkey-Length: 4096
 Name-Real: ${KEYNAME}
 Name-Email: ${EMAIL}
 Expire-Date: 0
 %pubring ${KEYNAME}.pub
 %secring ${KEYNAME}.key
 # Do a commit here, so that we can later print "done" :-)
 %commit
 %echo done
 EOF

 gpg --batch --gen-key $KEYNAME.batch
 gpg --no-default-keyring --secret-keyring ${KEYNAME}.key --keyring ${KEYNAME}.pub --list-secret-keys
 gpg --import ${KEYNAME}.key
 gpg ${KEYNAME}.key

 gpg --output KEY.gpg --armor --export $KEYNAME
 gpg --output KEY.asc --export -a $KEYNAME
 popd