Creating a private apt repository with reprepro
Package Hub
The seemingly simple and practical task of distributing software you develop yourself can turn out to be time consuming and complex. On Debian and Ubuntu, keeping packages in a repository facilitates installations and upgrades for the user. The reprepro tool [1] helps administrators establish and manage a repository. It provides an easy option for setting up a repository and installing packages. A web server uses the HTTP protocol to distribute the packages to the users. The authenticity of the packages is ensured by GPG signatures.
An Ubuntu server can be transformed into a repository in a few steps. All the required software components are in the official Ubuntu repositories, and no third-party software is needed. Simply type

sudo apt-get install reprepro

to set up Ubuntu 12.04 LTS for the install. Afterward, useful information on the reprepro package can be found in the default documentation path, /usr/share/doc/reprepro/, such as short-howto.gz, which provides a brief introduction to the configuration.
The following example uses a separate repository user account for the configuration. The conf folder serves as a central location for the configuration files. The most important file, distributions, specifies the distribution, architecture, and so on for which the repository is used (Listing 1).
Listing 1
distributions
$ pwd
/home/repository
$ mkdir -p packages/conf
$ vi packages/conf/distributions
Origin: TKmon
Label: tkmon
Codename: precise
Suite: stable
Architectures: i386 amd64 source
Components: main optional
SignWith: 0B8738CA
$ vi packages/conf/options
verbose
ask-passphrase
Several parameters in this file define the repository layout [2] [3], as follows:

Origin: An optional field that describes the origin of the repository. You can select a free line of text.

Label: Optional, user-defined text that serves as an identifier for the repository.

Codename: The name of the distribution for which the packages are provided. For Ubuntu, for example, oneiric or quantal; for Debian, squeeze or wheezy. This parameter is mandatory and is used as a folder name in the dists/ tree.

Suite: Qualifiers such as stable or testing create an alternative path to the code names through symbolic links.

Architectures: A mandatory parameter that specifies the architectures included in the repo. The source option in Listing 1 indicates that there are also source packages in the repo.

Components: The components of the distribution are listed here (e.g., main or optional). Components divide the packages of a distribution into different groups. Users can then type the corresponding Apt command lines to install only a specific group.

SignWith: This parameter is essential for creating GPG signatures. It specifies the ID of the GPG key with which the Release file is signed, either inline in the InRelease file or as a detached signature of the Release file in Release.gpg [4]. Listing 1 shows a further important step in configuring the GPG setup: in the options file, the ask-passphrase parameter stipulates that the password for the private key is required. A further possibility would be gpg-agent, for private key management.
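As an added check (not part of reprepro or of the article's own listings), the following POSIX shell functions validate a conf/distributions file before reprepro is run for the first time. check_distributions refuses a file that lacks the mandatory Codename, Architectures or Components fields and also flags a missing SignWith, because reprepro would otherwise publish an unsigned Release file and every client would see the "cannot be authenticated" warning. check_signing_key additionally confirms, where gpg is installed, that the SignWith key ID exists in the secret keyring of the user running reprepro. The sample stanza is constructed to mirror Listing 1; the function names and the single-stanza assumption are mine.

```shell
#!/bin/sh
# Added example, not from the article or from reprepro: sanity-check a
# conf/distributions file (one stanza) before the repository is published.

# Constructed sample stanza that mirrors Listing 1 (key ID taken from the article).
SAMPLE_DISTRIBUTIONS='Origin: TKmon
Label: tkmon
Codename: precise
Suite: stable
Architectures: i386 amd64 source
Components: main optional
SignWith: 0B8738CA'

# field_set FILE FIELD: true if FIELD is present with a non-empty value.
field_set() {
    grep -q "^$2:[[:space:]]*[^[:space:]]" "$1"
}

# check_distributions FILE
# Returns 0 if the stanza is usable and signed, 1 otherwise; each problem
# goes to stderr.
check_distributions() {
    file="$1"
    rc=0
    # reprepro refuses to work without these three fields.
    for field in Codename Architectures Components; do
        if ! field_set "$file" "$field"; then
            echo "$file: missing mandatory field $field" >&2
            rc=1
        fi
    done
    # SignWith is optional to reprepro, but without it Release and InRelease
    # are unsigned and apt on every client warns that packages are unauthenticated.
    if ! field_set "$file" SignWith; then
        echo "$file: no SignWith, Release files would be unsigned" >&2
        rc=1
    fi
    return "$rc"
}

# check_signing_key FILE
# The SignWith key must exist in the secret keyring of the user who runs
# reprepro ("yes" selects gpg's default key). Requires gpg on this host.
check_signing_key() {
    keyid=$(sed -n 's/^SignWith:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$keyid" ] || return 1
    if [ "$keyid" = "yes" ]; then
        return 0
    fi
    gpg --batch --list-secret-keys "$keyid" >/dev/null 2>&1
}

# Usage when run directly:
#   sh check-distributions.sh /home/repository/packages/conf/distributions
if [ "$#" -ge 1 ]; then
    check_distributions "$1" && check_signing_key "$1"
fi
```

Run it as the repository user, since that is whose secret keyring reprepro will consult when it signs the Release file.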
Filling the Repo
The initial directory structure for the repository can be created using the createsymlinks command. Figure 1 uses the tree command to show which folders are created in this step. This completes the configuration; the next steps are for adding and removing packages.

To simplify working with the repo, it makes sense to point the environment variable REPREPRO_BASE_DIR at the repo directory:

$ echo $REPREPRO_BASE_DIR
/home/repository/packages
The following two steps now bind a new Ubuntu package to the repo:

reprepro --verbose includedeb precise tkmon_1.2.1~rc2-1_all.deb
reprepro --verbose includedsc precise tkmon_1.2.1~rc2-1.dsc

When you run these commands, you need to enter the password for the secret GPG key twice in each case – once each for the files Release.gpg and InRelease. Listing 2 provides the results or, if you prefer, checks whether the package has made its way into the repository. You can do:

reprepro remove precise tkmon

to remove a package just as easily.
Listing 2
reprepro list
$ reprepro list precise
precise|main|i386: tkmon 1.2.1~rc2-1
precise|main|amd64: tkmon 1.2.1~rc2-1
precise|main|source: tkmon 1.2.1~rc2-1
Providing Access
Several options are available for distributing the repository via a web server. For all variants, the internal configuration folders conf and db must be protected against unauthorized access. The setup described here uses the Apache mod_userdir module for publishing in the home directory of the previously mentioned repository user account.
To do this, you can enable the userdir module, create a public_html folder, and there, create a symbolic link to packages. Finally, the file permissions are modified for security reasons (Listing 3).

Listing 3
Publication
$ sudo a2enmod userdir
$ mkdir public_html
$ cd public_html/
~/public_html$ ln -s ../packages packages
~/public_html/packages$ chmod 750 conf/
~/public_html/packages$ chmod 750 db/
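Because the conf and db folders end up under public_html through the symbolic link, it is worth checking, after Listing 3 and again after every change to the repository, that neither folder grants anything to "other". The shell function below does that; it is an added example, not part of the article or of reprepro, and assumes GNU coreutils (stat -c %a) as shipped with Ubuntu. The directory layout and function names are mine.

```shell
#!/bin/sh
# Added example, not from the article: verify that reprepro's internal
# folders are not world-accessible before they are served by mod_userdir.
# Assumes GNU coreutils (stat -c) as found on Ubuntu.

# other_bits PATH: prints the "other" permission digit (0-7) of PATH.
other_bits() {
    perm=$(stat -c %a "$1") || return 1
    echo $((perm % 10))
}

# check_private_dirs REPO_DIR
# Returns 0 when REPO_DIR/conf and REPO_DIR/db grant nothing to "other",
# 1 otherwise. Apache's www-data user falls into "other" for the
# repository user's files as long as it is not a member of that user's
# group, so any o+r or o+x bit would expose the configuration (including
# the SignWith key ID) and the db/ files that record the repository state.
check_private_dirs() {
    rc=0
    for sub in conf db; do
        d="$1/$sub"
        if [ ! -d "$d" ]; then
            echo "$d: missing" >&2
            rc=1
            continue
        fi
        if [ "$(other_bits "$d")" -ne 0 ]; then
            echo "$d: world-accessible (mode $(stat -c %a "$d")), run chmod 750 $d" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage when run directly:
#   sh check-private-dirs.sh /home/repository/packages
if [ "$#" -ge 1 ]; then
    check_private_dirs "$1"
fi
```

The mode check is deliberately strict about "other" only: Listing 3's chmod 750 keeps group access, which is fine precisely because the web server is not in the repository user's group. If www-data were ever added to that group, the group bits would have to be removed as well.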
GPG Key
To enable a user to use the repository in just a few easy steps, you need to provide the Apt URL and the public GPG key. In this context, a list file is generated and the public key is exported:

~/public_html$ gpg --armor --output tk-archive.gpg.pub --export 0B8738CA
~/public_html$ vi tkmon.list
deb http://192.168.56.102/~repository/packages precise main

An Apache rewrite rule redirects plain-HTTP requests for the public key to HTTPS, so that the key is only delivered over HTTPS:

RewriteEngine on
RewriteBase /home/repository/public_html
# the pattern must match the URL path under which the key file is published
RewriteCond %{REQUEST_URI} ^/tk-archive\.gpg\.pub$
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
The tkmon.list file provided on the server is used on the client side to integrate the repository. You just need to put the file in the /etc/apt/sources.list.d directory and then update apt:

$ cd /etc/apt/sources.list.d/
/etc/apt/sources.list.d$ sudo wget http://192.168.56.102/tk-main.list
/etc/apt/sources.list.d$ sudo apt-get update
Without correctly importing the GPG key, warnings still appear indicating that the authenticity of the packages could not be checked.
These security warnings should not be ignored; if the repository is set up correctly with the associated public key, these messages should not occur. Listing 4 shows how the key is imported.
Listing 4
Importing the GPG Key
$ sudo apt-get install tkmon
[...]
The following NEW packages will be installed:
  tkmon
[...]
WARNING: The following packages cannot be authenticated!
  tkmon
Install these packages without verification [y/N]? n
E: Some packages could not be authenticated
$ wget -O - https://192.168.56.102/tk-archive.gpg.pub | sudo apt-key add -
$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
[...]
pub   4096R/0B8738CA 2013-04-17
uid                  Thomas-Krenn.AG Ubuntu Archive <ubuntu-release@thomas-krenn.com>
sub   4096R/F6685248 2013-04-17
$ sudo apt-get update
[...]
$ sudo apt-get install tkmon
[...]
The following NEW packages will be installed:
  tkmon
[...]
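The one-liner in Listing 4 pipes whatever the server returns straight into apt-key. The added example below (not part of the article) wraps the same import in two checks a client administrator would want: the key is fetched only over HTTPS, and its full fingerprint is compared with a value obtained out of band (for instance printed on the vendor's web page or read out over the phone) before apt-key sees it. The article publishes only the short key ID 0B8738CA, so the expected fingerprint in the usage comment is a placeholder; the function names are mine, and key_fingerprint assumes gpg 2.1 or later for --import-options show-only.

```shell
#!/bin/sh
# Added example, not from the article: import an archive key only after
# checking the transport and the full fingerprint. Assumes wget, sudo and
# gpg >= 2.1 on the client.

# url_is_https URL: true only for an https:// URL, so the key is never
# pulled over a channel that a host on the path could rewrite.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# key_fingerprint KEYFILE: prints the 40-hex-digit fingerprint of the first
# public key in an ASCII-armored key file without importing it.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# import_archive_key URL EXPECTED_FPR
# Exit codes: 0 imported, 1 download or gpg failure, 2 refused (non-HTTPS URL),
# 3 fingerprint mismatch.
import_archive_key() {
    url="$1"
    expected="$2"
    if ! url_is_https "$url"; then
        echo "refusing to fetch archive key over non-HTTPS URL: $url" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    actual=$(key_fingerprint "$tmp")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', expected '$expected'" >&2
        rm -f "$tmp"
        return 3
    fi
    sudo apt-key add "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage when run directly (fingerprint below is a PLACEHOLDER, replace it
# with the value obtained from the repository operator out of band):
#   sh import-archive-key.sh https://192.168.56.102/tk-archive.gpg.pub \
#       0000000000000000000000000000000000000000
if [ "$#" -eq 2 ]; then
    import_archive_key "$1" "$2"
fi
```

On releases where apt-key is deprecated (Debian 11 and Ubuntu 22.04 onward), keep the same two checks and replace the final apt-key step with copying the key into /etc/apt/keyrings and referencing it with the signed-by option in the sources entry, so that the key is trusted for this repository only rather than for every source on the system.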