I'd like to be able to build a package that can be downloaded and installed remotely. This is a basic utility package that I feel others can use. So I'd like a decent amount of access to it with a minimum of setup. From what I know, this is my general knowledge of how to do it. For any that could help direct me I'd appreciate it.
From what I gather, I need to:
Create a personal GPG key.
Start the GPG agent (if not wanting to enter the passphrase).
Run makepkg --sign or enable in makepkg.conf.
After I've done these, I'm guessing:
A *.pkg.tar.xz file will be created, and a *.pkg.tar.xz.sig?!
I upload both of them to the server.
The user invokes pacman -U url://...pkg.tar.xz and pacman also downloads the *.pkg.tar.xz.sig.
Everything installs fine, world peace, cubs win pennant, blah...
Currently I just built a package with plain old makepkg syntax, and when trying to install it I get:
error: failed retrieving file 'armrr-0.80-1-any.pkg.tar.xz.sig' from github.com : The requested URL returned error: 404 Not Found
warning: failed to download https://github.com/Gen2ly/armrr/blob/master/armrr-0.80-1-any.pkg.tar.xz.sig
loading packages...
error: '/var/cache/pacman/pkg/armrr-0.80-1-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
What I'd like to know is:
Is this the best way to go about this? Perhaps, maybe, it's just better to tell the user to temporarily disable package checks??? Probably not, but I'd thought I'd ask.
Does the user need my key to be able to install the package (similar to package archlinux-keyring)?
The GnuPG wiki page has a lot of details; is there a more concise guide?
I'll read all this one day.
Last edited by Gen2ly (2014-09-12 12:21:07)
Setting Up a Scripting Environment | Proud donor to wikipedia - link
Offline
Why do you want to distribute a built package rather than the source? It is just a script file, so there is nothing to compile: so a user running `makepkg -i` would take no more time (possibly less) than downloading and installing your prebuilt package.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Offline
Can't type effectively on the phone now but yes, build with makepkg or a script, sign, use repo-add helper script to make the repo fen files.
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
I've been searching for an answer to this problem of being able to easily download the .sig file with curl/whatever, but then pacman -S ... gives the complaint listed by OP. Always the people "helping" just try to convince the person to not do what they wanted to do.
In my case, just testing with only one signed package, I went the extra step and made the .db and even signed that. There's no trouble getting the database sig file, but all of a sudden, there's an issue getting the package .sig file that's in the same place!
Why can't anyone provide an actual explanation or some kind of guidance for this issue instead of just trying to convince people they shouldn't be putting built packages up or that they shouldn't be trying to verify the signature if they do?
Offline
Actually, Gen2ly, I'd like to know more about your success with pacman -U url... because it fails for me. Also, since your package is already built, what makepkg command are you using?
I have built many signed packages and uploaded them to colinkeenan@build.archlinuxcn.org:repo. This works fine, but I'm not the one building the database in that case, and I'm sure they are not using repo-add.
For a package I want to distribute that is not welcome on the AUR or archlinuxcn, I have built the signed package, put it & sig file in a directory ~/ntarchw, and used repo-add:
repo-add --sign ntarchw/ntarchw.db.tar.gz ntarchw/*.pkg.tar.xz
I put the entire ~/ntarchw directory onto a free website I made years ago as a minor part of my Firefox extension: http://rentap.comyr.com/ntarchw/
If you click that link above, you will see the following:
Index of /ntarchw
Parent Directory
ntarchw.db
ntarchw.db.sig
ntarchw.db.tar.gz
ntarchw.db.tar.gz.sig
update-1.1-1-any.pkg.tar.xz
update-1.1-1-any.pkg.tar.xz.sig
Here's what I added to my /etc/pacman.conf:
[ntarchw]
Server = http://rentap.comyr.com/ntarchw
I have no problem adding the signed repo database:
/home/colin% sudo pacman -Syy
[sudo] password for colin:
:: Synchronizing package databases...
core 116.1 KiB 679K/s 00:00 [##############################################] 100%
extra 1809.8 KiB 4.34M/s 00:00 [##############################################] 100%
community 2.4 MiB 5.09M/s 00:00 [##############################################] 100%
multilib 121.9 KiB 713K/s 00:00 [##############################################] 100%
pipelight 79.2 KiB 115K/s 00:01 [##############################################] 100%
pipelight.sig 543.0 B 0.00B/s 00:00 [##############################################] 100%
archlinuxcn 342.4 KiB 901K/s 00:00 [##############################################] 100%
ntarchw 2.2 KiB 0.00B/s 00:00 [##############################################] 100%
ntarchw.sig 543.0 B 0.00B/s 00:00 [##############################################] 100%
/home/colin%
I can also query the package in the repo:
/home/colin% pacman -Si update
Repository : ntarchw
Name : update
Version : 1.1-1
Description : simple script and desktop file for doing a system update using yaourt
Architecture : any
URL : https://github.com/colinkeenan/update
Licenses : GPL
Groups : None
Provides : None
Depends On : yaourt
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 1.64 KiB
Installed Size : 21.00 KiB
Packager : Unknown Packager
Build Date : Sat 06 Dec 2014 02:06:39 AM CST
Validated By : MD5 Sum SHA256 Sum Signature
/home/colin%
I also have no trouble downloading the package and sig file using curl, and then installing with pacman -U:
/home/colin% curl -O http://rentap.comyr.com/ntarchw/update-1.1-1-any.pkg.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1688 100 1688 0 0 19523 0 --:--:-- --:--:-- --:--:-- 19627
/home/colin% curl -O http://rentap.comyr.com/ntarchw/update-1.1-1-any.pkg.tar.xz.sig
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 543 100 543 0 0 6190 0 --:--:-- --:--:-- --:--:-- 6241
/home/colin% sudo pacman -U update-1.1-1-any.pkg.tar.xz
[sudo] password for colin:
loading packages...
warning: update-1.1-1 is up to date -- reinstalling
resolving dependencies...
looking for inter-conflicts...
Packages (1): update-1.1-1
Total Installed Size: 0.02 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring [##############################################] 100%
(1/1) checking package integrity [##############################################] 100%
(1/1) loading package files [##############################################] 100%
(1/1) checking for file conflicts [##############################################] 100%
(1/1) checking available disk space [##############################################] 100%
(1/1) reinstalling update [##############################################] 100%
==> NOTE:
The script is named 'update' and the desktop calls it 'Update System'. Find it in the 'System' category or by seraching for update. Add 'Update System' to your panel for one-click system updating.
/home/colin%
But, I can't install with pacman -U url...
/home/colin% sudo pacman -U http://rentap.comyr.com/ntarchw/update-1.1-1-any.pkg.tar.xz
update-1.1-1-any 1688.0 B 824K/s 00:00 [##############################################] 100%
loading packages...
error: /var/cache/pacman/pkg/update-1.1-1-any.pkg.tar.xz: unsupported signature formaterror: GPGME error: No data
error: '/var/cache/pacman/pkg/update-1.1-1-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
/home/colin%
It got the full package, but none of the signature. When I started writing all of this, I was having the same problem with pacman -S, but along the way, I realized I may have had a corrupted upload and re-did it, and although pacman -U url doesn't work, pacman -S does. I even tested it while ssh'd into another computer to make sure:
[zotac@zotac ~]$ sudo pacman -Syy
:: Synchronizing package databases...
core 116.1 KiB 671K/s 00:00 [##############################################] 100%
extra 1809.8 KiB 4.36M/s 00:00 [##############################################] 100%
community 2.4 MiB 5.09M/s 00:00 [##############################################] 100%
multilib 121.9 KiB 704K/s 00:00 [##############################################] 100%
pipelight 79.2 KiB 145K/s 00:01 [##############################################] 100%
pipelight.sig 543.0 B 0.00B/s 00:00 [##############################################] 100%
archlinuxcn 342.4 KiB 1370K/s 00:00 [##############################################] 100%
ntarchw 1091.0 B 0.00B/s 00:00 [##############################################] 100%
ntarchw.sig 543.0 B 0.00B/s 00:00 [##############################################] 100%
[zotac@zotac ~]$ sudo pacman -S update
resolving dependencies...
looking for inter-conflicts...
Packages (1): update-1.1-1
Total Download Size: 0.00 MiB
Total Installed Size: 0.02 MiB
:: Proceed with installation? [Y/n]
:: Retrieving packages ...
update-1.1-1-any 1688.0 B 0.00B/s 00:00 [##############################################] 100%
(1/1) checking keys in keyring [##############################################] 100%
(1/1) checking package integrity [##############################################] 100%
(1/1) loading package files [##############################################] 100%
(1/1) checking for file conflicts [##############################################] 100%
(1/1) checking available disk space [##############################################] 100%
(1/1) installing update [##############################################] 100%
==> NOTE:
The script is named 'update' and the desktop calls it 'Update System'. Find it in the 'System' category or by seraching for update. Add 'Update System' to your panel for one-click system updating.
[zotac@zotac ~]$ exit
logout
Connection to zotac closed.
So, if you read through all of this, the answer to how you should do this is in there because I got it to work. You seem to already know how to make your private key since you are signing packages. This post should give you the rest of the information.
In my case, my public key is distributed with archlinuxcn and since I'm not really making ntarchw public and will always put ntarchw after archlinuxcn in pacman.conf, I don't need to worry about if other people's computers have my key. But, I also published it so it will be findable under my email colinnkeenan@gmail.com (Colin Keenan works too):
https://pgp.mit.edu/pks/lookup?search=c … n&exact=on
Offline
There's something flaky going on. Probably with that free website I have. Sometimes (like now) I can't get some of the sig files to download properly (like not even the db.sig file). I've deleted the whole repo for the moment and will look for another way tomorrow.
Offline
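The symptoms reported in the posts above (a .sig that returns 404, or one that arrives with no usable data) can be caught on the files themselves, before upload or after a download. This is an added example, not part of the thread; `classify_sig` and `check_sigs` are hypothetical helper names, and the check looks only at the file's shape and does not replace cryptographic verification by pacman or `gpg --verify`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity-check the detached signatures
# that sit next to built packages. Catches a missing, empty, or HTML-error-page
# .sig; it does NOT verify the signature cryptographically.

# classify_sig FILE -> prints: missing | empty | armored | html | binary | unknown
classify_sig() {
    local f=$1 first
    [ -e "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }
    # ASCII-armored signature; makepkg --sign writes a binary one instead
    if head -c 64 "$f" | LC_ALL=C grep -q -e '-----BEGIN PGP SIGNATURE-----'; then
        echo armored; return
    fi
    # A web host's error page saved under the .sig name
    if head -c 512 "$f" | LC_ALL=C grep -qi -e '<html' -e '<!doctype'; then
        echo html; return
    fi
    # First octet of an OpenPGP signature packet (tag 2):
    # old format 0x88/0x89/0x8a, new format 0xc2.
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    case $first in
        88|89|8a|c2) echo binary ;;
        *) echo unknown ;;
    esac
}

# check_sigs DIR -> one line per package; returns 1 if any .sig is not binary
check_sigs() {
    local dir=$1 pkg kind rc=0
    for pkg in "$dir"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac   # skip the signatures themselves
        [ -e "$pkg" ] || continue              # glob matched nothing
        kind=$(classify_sig "$pkg.sig")
        printf '%s: %s\n' "${pkg##*/}" "$kind"
        [ "$kind" = binary ] || rc=1
    done
    return $rc
}
```

Run `check_sigs` on the local repo directory before uploading, and again on a directory of files fetched back from the server, to tell a hosting problem apart from a signing problem.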