Signing the Release file with GPG when building a local deb repository on Ubuntu (v2)

When a repo is built from local deb packages on Ubuntu 16.04 (xenial), unlike 14.04 and earlier releases, apt now requires the Release file to be GPG-signed; otherwise the repository cannot be used:

Reading package lists... Done
W: The repository 'http://10.245.254.93/linux/ubuntu/updates/xenial ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.


This is where gpg comes in.

1.1 A key created by GPG can be used both to encrypt and to sign files; you can also create a key used only for signing.
Key generation needs a sufficient supply of random numbers (entropy). It helps to install rng-tools first: it runs as a background daemon generating random numbers, which avoids the long wait during gpg key generation.

# apt-get install rng-tools
# rngd -r /dev/urandom
# gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Ubuntu Local Archive Automatic Signing Key
Email address: mac@ispc.cn
Comment: 2017
You selected this USER-ID:
    "Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
+++++
gpg: key 7A1E912A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   4096R/7A1E912A 2017-03-15
      Key fingerprint = A11A 69B7 15AB B83A C6AC  4282 02FE 7153 F5A2 4A14
uid                  Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn>


1.2 Export the GPG public and private keys and put them somewhere they can be downloaded, such as a web server.
The private key is used on the server to sign the Release file.
The public key must be imported on the Ubuntu client so that apt-get can use it.

# gpg --list-key
# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/7A1E912A 2017-03-02 [expires: 2022-03-01]
uid                  Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn>

# gpg -a --export 7A1E912A > Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
# gpg -a --export-secret-keys 7A1E912A > Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec


2. Build the Packages file

# rm -f Packages.gz Packages
# apt-ftparchive packages . | gzip -9c > Packages.gz
# gunzip -k Packages.gz

The method below, commonly seen on the internet, requires installing the dpkg-dev package first. It achieves the same result as apt-ftparchive, but apt-ftparchive is installed on the system by default, so nothing extra is needed, which I consider an advantage.
(It cannot, however, detect and warn about different versions of the same package. The workaround is to run apt-get autoclean while the deb packages are still in /var/cache/apt/archives, to clear out the old versions.)
# dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz


3. Build the Release file

# apt-ftparchive release ./ > Release

4. Sign the Release file

# gpg -abs --default-key 7A1E912A -o Release.gpg Release
# gpg --clearsign --default-key 7A1E912A -o InRelease Release


5. Edit sources.list on the Ubuntu client

# echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list

6. Download and import the public key that signed the Release file

# wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
# apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub

7. Ready to use
# apt-get update


[Important]
When GPG signs a file it uses the SHA1 digest by default, which later produces the following warning:
    Release.gpg: Signature by key ADAF3EDBBB0035413FD4FEDBB3E7CC5C7A1E912A uses weak digest algorithm (SHA1)

Solution:
http://apache.org/dev/openpgp.html
https://keyring.debian.org/creating-key.html
These two authoritative sites give lengthy explanations because they aim at a comprehensive introduction, so naturally they have more steps.
They mention the parameter default-preference-list and define it as: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed. In my view, this defines the list of algorithms that may be used, not their order; which comes first does not matter much. You can set it here or simply use the defaults, so this step needs no attention at all.


In the end, only the following simple steps are needed:

Before signing the Release file, edit ~/.gnupg/gpg.conf and set the parameter personal-digest-preferences (the digest used for signing messages) to SHA256.
Any of SHA224, SHA256, SHA384 or SHA512 may be chosen as needed; just do not use SHA1, or you are back where you started :(

# echo "personal-digest-preferences SHA256" >> ~/.gnupg/gpg.conf
# gpg -abs --default-key 7A1E912A -o Release.gpg Release
Alternatively, pass the option on the gpg command line, for example:

# gpg -abs --default-key 7A1E912A --personal-digest-preferences SHA256 -o Release.gpg Release


-----------------------------
8. Script usage

8.1 Server side

wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec
gpg --import Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec
echo "personal-digest-preferences SHA256" >> ~/.gnupg/gpg.conf

mkdir /opt/xenial
cp -rp /var/cache/apt/archives /opt/xenial

cd /opt/xenial
rm -rf Packages.gz Packages archives/lock archives/partial
apt-ftparchive packages . | gzip -9c > Packages.gz
gunzip -k Packages.gz
apt-ftparchive release ./ > Release
gpg -abs --default-key 7A1E912A --passphrase YourPasswd -o Release.gpg Release
gpg --clearsign --default-key 7A1E912A --passphrase YourPasswd -o InRelease Release

echo "deb [arch=amd64] file:///opt/xenial ./" >> /etc/apt/sources.list
apt-get update
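As an added example (not part of the original post), the helper script below wraps the SHA256 signing step and the 8.1 server script: it sets personal-digest-preferences exactly once instead of appending a duplicate line on every run, signs with an explicit digest, and checks the resulting signature packet so a SHA1 signature is caught before apt warns about it. The key id, repository path and function names are hypothetical placeholders; it assumes gpg and apt-ftparchive are installed and the secret key is in the keyring.

```shell
#!/bin/sh
# Added example, not from the original post. KEYID/REPO_DIR are placeholders.
set -eu

# Set "personal-digest-preferences <algo>" in a gpg.conf exactly once.
# The post's `echo ... >> ~/.gnupg/gpg.conf` appends a new line on every run;
# here any existing line (e.g. one still naming SHA1) is replaced instead.
# Prints the number of such lines afterwards (always 1).
ensure_digest_pref() {
    conf="$1"
    algo="${2:-SHA256}"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    # Drop any old setting, then append the wanted one.
    grep -v '^personal-digest-preferences ' "$conf" > "$conf.tmp" || true
    printf 'personal-digest-preferences %s\n' "$algo" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    grep -c '^personal-digest-preferences ' "$conf"
}

# Check the digest algorithm id recorded in a detached signature.
# OpenPGP ids: 2 = SHA1, 8 = SHA256, 9 = SHA384, 10 = SHA512, 11 = SHA224.
# Fails (exit 1) when the signature uses SHA1, the case apt warns about.
sig_digest_ok() {
    algo_id=$(gpg --list-packets "$1" \
        | sed -n 's/.*digest algo \([0-9]*\),.*/\1/p' | head -n 1)
    [ -n "$algo_id" ] && [ "$algo_id" != 2 ]
}

# Rebuild Packages/Release and sign them with SHA256 (subshell keeps the cwd).
# The passphrase is left to gpg-agent/pinentry: passing --passphrase on the
# command line, as script 8.1 does, exposes it in the process list.
build_and_sign() (
    cd "$1"
    rm -f Packages Packages.gz Release Release.gpg InRelease
    apt-ftparchive packages . | gzip -9c > Packages.gz
    gunzip -k Packages.gz
    apt-ftparchive release . > Release
    gpg --batch --yes --default-key "$2" --digest-algo SHA256 -abs -o Release.gpg Release
    gpg --batch --yes --default-key "$2" --digest-algo SHA256 --clearsign -o InRelease Release
    sig_digest_ok Release.gpg
)

# Demo on a temporary gpg.conf: the second call must not add a second line.
# build_and_sign "$REPO_DIR" "$KEYID" would follow once a key exists.
demo_conf="$(mktemp -d)/gpg.conf"
ensure_digest_pref "$demo_conf" SHA256 > /dev/null
ensure_digest_pref "$demo_conf" SHA512
```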


8.2 Client side

echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list
wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
apt-get update


Addendum: when apt-get on Ubuntu fetches the package index it asks for the InRelease file first and only then falls back to Release and Release.gpg. In that case it is actually enough to create only the InRelease file (the Release file together with its clear-text signature):

 # gpg --clearsign --default-key 7A1E912A --passphrase YourPasswd -o InRelease Release