On Ubuntu 16.04 (xenial), when you build an installation source (repo) from local deb packages, apt now requires (unlike 14.04 and earlier) that the Release file be signed with gpg; otherwise the repository cannot be used:
Reading package lists... Done
W: The repository 'http://10.245.254.93/linux/ubuntu/updates/xenial ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
To get past this you need gpg.
1. A key created with GPG can be used both for encrypting and for signing files; you can also create a key that is only used for signing.
Key generation needs enough random data (entropy). Install rng-tools first; it runs in the background feeding random data to the kernel and avoids the long wait during gpg key generation. Note that pointing rngd at /dev/urandom, as below, only recycles the kernel's own output back into its pool, so it removes the wait but adds no real entropy; on a machine with a hardware RNG, point rngd at that device instead.
% sudo apt-get install rng-tools
% sudo rngd -r /dev/urandom
% sudo gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <aliyunzixun@xxx.com>"
Real name: Ubuntu Local Archive Automatic Signing Key
Email address: aliyunzixun@xxx.comispc.cn
Comment: 2017
You selected this USER-ID:
    "Ubuntu Local Archive Automatic Signing Key (2017) <aliyunzixun@xxx.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.......++++++++++
gpg: key 7A1E912A marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   4096R/7A1E912A 2017-03-15
      Key fingerprint = A11A 69B7 15AB B83A C6AC 4282 02FE 7153 F5A2 4A14
uid                  Ubuntu Local Archive Automatic Signing Key (2017) <aliyunzixun@xxx.comispc.cn>
2. Export the gpg public and private keys and put them where they can be fetched, e.g. the directory behind http://xxx.xxx.xxx.xxx/debs/. Only the public key belongs in the web directory: the exported private key is a backup for the signing host and must never be served to clients.
- private key: used on the server side to sign the Release file
- public key: must be imported on the Ubuntu client so apt-get can use it
% sudo gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/7A1E912A 2017-03-02 [expires: 2022-03-01]
uid Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn>
% sudo gpg -a --export 7A1E912A > Ubuntu_Local_Archive_Signing_Key.pub
% sudo gpg -a --export-secret-keys 7A1E912A > Ubuntu_Local_Archive_Signing_Key.sec
When GPG signs a file it uses SHA1 by default, which later produces this warning on the client:
Release.gpg: Signature by key ADAF3EDBBB0035413FD4FEDBB3E7CC5C7A1E912A uses weak digest algorithm (SHA1)
Before signing the Release file, edit ~/.gnupg/gpg.conf and set personal-digest-preferences (the digest used for signing messages) to SHA256, i.e. add the line "personal-digest-preferences SHA256". SHA224, SHA256, SHA384 and SHA512 are all acceptable; pick whichever you need, as long as it is not SHA1, or the warning above will come back.
2. Create the Packages file
First copy the Ubuntu package files into the web server's directory; for example, copy the contents of the system's apt cache, /var/cache/apt/archives, into the web directory.
2.1 Use dpkg-scanpackages, the method most often seen on the internet, to generate the Packages.gz index
The dpkg-dev package must be installed before dpkg-scanpackages can be used
% sudo dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
2.2 Alternatively use apt-ftparchive, which achieves the same result; apt-ftparchive is installed by default, so nothing extra is needed. However, apt-ftparchive does not detect and warn about several versions of the same package. The workaround is to run apt-get autoclean while the deb files are still in /var/cache/apt/archives, which removes the old versions.
% sudo rm -f Packages.gz Packages
% sudo apt-ftparchive packages . | gzip -9c > Packages.gz
% sudo gunzip -k Packages.gz
3. Create the Release file
% sudo apt-ftparchive release ./ > Release
4. Sign the Release file (this produces both the detached Release.gpg and the inline-signed InRelease that newer apt prefers)
% sudo gpg -abs --default-key 7A1E912A -o Release.gpg Release
% sudo gpg --clearsign --default-key 7A1E912A -o InRelease Release
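Signing Release is enough to protect the whole repository because Release records the size and digest of every index file (Packages, Packages.gz), and apt verifies each downloaded index against those entries before trusting it. The following example is added here and is not part of the original post: it reproduces that check in Python against a constructed Packages index, and make_release, parse_release and index_matches_release are names chosen for this illustration.

```python
import hashlib
import hmac

# Constructed sample index, standing in for the Packages file that
# "apt-ftparchive packages ." writes; no real package is referenced.
PACKAGES_INDEX = (
    b"Package: hello\n"
    b"Version: 2.10-1\n"
    b"Architecture: amd64\n"
    b"Filename: ./hello_2.10-1_amd64.deb\n"
    b"Size: 26320\n"
    b"Description: constructed sample entry\n\n"
)

def make_release(index_files):
    """Build a minimal Release body laid out like apt-ftparchive's:
    one section per digest, each line ' <digest> <size> <name>'."""
    lines = ["Origin: local", "Label: local", "Architectures: amd64"]
    for section, algo in (("MD5Sum", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256")):
        lines.append(section + ":")
        for fname, data in index_files.items():
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {fname}")
    return "\n".join(lines) + "\n"

def parse_release(text):
    """Return {section: {filename: (hexdigest, size)}} for the digest sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, fname = line.split()
            sections[current][fname] = (digest, int(size))
        elif line.endswith(":") and line[:-1] in ("MD5Sum", "SHA1", "SHA256", "SHA512"):
            current = line[:-1]
            sections.setdefault(current, {})
        else:
            current = None  # any other header line ends a digest section
    return sections

def index_matches_release(release_text, fname, data):
    """True only if the (signed) Release lists fname under SHA256 and both the
    recorded size and digest match the bytes actually served. MD5 and SHA1
    entries are ignored on purpose, just as the post avoids SHA1 signatures."""
    entry = parse_release(release_text).get("SHA256", {}).get(fname)
    if entry is None:
        return False
    digest, size = entry
    if size != len(data):
        return False
    return hmac.compare_digest(digest, hashlib.sha256(data).hexdigest())
```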
5. On the Ubuntu client, do the following to use the custom installation source
5.1 Edit /etc/apt/sources.list
% echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" | sudo tee -a /etc/apt/sources.list
(The redirection must run with root privileges, hence tee -a; "sudo echo ... >> file" fails with permission denied because the shell, not sudo, opens the file.)
5.2 Download and import the public key that signed the Release file
% sudo wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Signing_Key.pub
% sudo apt-key add Ubuntu_Local_Archive_Signing_Key.pub
5.3 Use the newly created installation source
% sudo apt-get update