
#1 2014-09-12 00:28:25

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529
Website

Non-official repository package creation, download, and installation

I'd like to be able to build a package that can be downloaded and installed remotely.  This is a basic utility package that I feel others can use.  So I'd like a decent amount of access to it with a minimum of setup.  From what I know, this is my general knowledge of how to do it.  For any that could help direct me I'd appreciate it.

From what I gather, I need to:

  • Create a personal GPG key.

  • Start the GPG agent (if not wanting to enter the passphrase).

  • Run makepkg --sign or enable in makepkg.conf.

After I've done these, I'm guessing:

  • A *.pkg.tar.xz file will be created, and a *.pkg.tar.xz.sig?!

  • I upload both of them to the server.

  • The user invokes pacman -U url://...pkg.tar.xz and pacman also downloads the *.pkg.tar.xz.sig.

  • Everything installs fine, world peace, cubs win pennant, blah...

Currently I just built a package with plain old makepkg syntax and, when trying to install, I get:

error: failed retrieving file 'armrr-0.80-1-any.pkg.tar.xz.sig' from github.com : The requested URL returned error: 404 Not Found
warning: failed to download https://github.com/Gen2ly/armrr/blob/master/armrr-0.80-1-any.pkg.tar.xz.sig
loading packages...
error: '/var/cache/pacman/pkg/armrr-0.80-1-any.pkg.tar.xz': invalid or corrupted package (PGP signature)

What I'd like to know is:

  • Is this the best way to go about this?  Perhaps, maybe, it's just better to tell the user to temporarily disable package checks???  Probably not, but I'd thought I'd ask.

  • Does the user need my key to be able to install the package (similar to package archlinux-keyring)?

  • The GnuPG wiki page has a lot of details; is there a more concise guide?

  • I'll read all this one day :)

Last edited by Gen2ly (2014-09-12 12:21:07)


Setting Up a Scripting Environment | Proud donor to wikipedia - link

Offline

#2 2014-09-12 00:32:54

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441
Website

Re: Non-official repository package creation, download, and installation

Why do you want to distribute a built package rather than the source?  It is just a script file, so there is nothing to compile: so a user running `makepkg -i` would take no more time (possibly less) than downloading and installing your prebuilt package.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2014-09-12 11:59:40

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Non-official repository package creation, download, and installation

Can't type effectively on the phone now but yes, build with makepkg or a script, sign, use repo-add helper script to make the repo fen files.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packages  • Zsh and other configs

Offline

#4 2014-12-06 21:49:35

colinkeenan
Member
From: Kansas City, MO USA
Registered: 2013-06-13
Posts: 213
Website

Re: Non-official repository package creation, download, and installation

I've been searching for an answer to this problem of being able to easily download the .sig file with curl/whatever, but then pacman -S ... gives the complaint listed by OP. Always the people "helping" just try to convince the person to not do what they wanted to do.

In my case, just testing with only one signed package, I went the extra step and made the .db and even signed that. There's no trouble getting the database sig file, but all of a sudden, there's an issue getting the package .sig file that's in the same place!

Why can't anyone provide an actual explanation or some kind of guidance for this issue instead of just trying to convince people they shouldn't be putting built packages up or that they shouldn't be trying to verify the signature if they do.

Offline

#5 2014-12-07 00:12:54

colinkeenan
Member
From: Kansas City, MO USA
Registered: 2013-06-13
Posts: 213
Website

Re: Non-official repository package creation, download, and installation

Actually, Gen2ly, I'd like to know more about your success with pacman -U url... because it fails for me. Also, since your package is already built, what makepkg command are you using?

I have built many signed packages and uploaded them to colinkeenan@build.archlinuxcn.org:repo. This works fine, but I'm not the one building the database in that case, and I'm sure they are not using repo-add.

For a package I want to distribute that is not welcome on the AUR or archlinuxcn, I have built the signed package, put it & sig file in a directory ~/ntarchw, and used repo-add:

repo-add --sign ntarchw/ntarchw.db.tar.gz ntarchw/*.pkg.tar.xz

I put the entire ~/ntarchw directory onto a free website I made years ago as a minor part of my Firefox extension: http://rentap.comyr.com/ntarchw/

If you click that link above, you will see the following:

Index of /ntarchw

  Parent Directory
  ntarchw.db
  ntarchw.db.sig
  ntarchw.db.tar.gz
  ntarchw.db.tar.gz.sig
  update-1.1-1-any.pkg.tar.xz
  update-1.1-1-any.pkg.tar.xz.sig

Here's what I added to my /etc/pacman.conf:

[ntarchw]
Server = http://rentap.comyr.com/ntarchw

I have no problem adding the signed repo database:

/home/colin% sudo pacman -Syy
[sudo] password for colin: 
:: Synchronizing package databases...
 core                                                    116.1 KiB   679K/s 00:00 [##############################################] 100%
 extra                                                  1809.8 KiB  4.34M/s 00:00 [##############################################] 100%
 community                                                 2.4 MiB  5.09M/s 00:00 [##############################################] 100%
 multilib                                                121.9 KiB   713K/s 00:00 [##############################################] 100%
 pipelight                                                79.2 KiB   115K/s 00:01 [##############################################] 100%
 pipelight.sig                                           543.0   B  0.00B/s 00:00 [##############################################] 100%
 archlinuxcn                                             342.4 KiB   901K/s 00:00 [##############################################] 100%
 ntarchw                                                   2.2 KiB  0.00B/s 00:00 [##############################################] 100%
 ntarchw.sig                                             543.0   B  0.00B/s 00:00 [##############################################] 100%
/home/colin% 

I can also query the package in the repo:

/home/colin% pacman -Si update
Repository     : ntarchw
Name           : update
Version        : 1.1-1
Description    : simple script and desktop file for doing a system update using yaourt
Architecture   : any
URL            : https://github.com/colinkeenan/update
Licenses       : GPL
Groups         : None
Provides       : None
Depends On     : yaourt
Optional Deps  : None
Conflicts With : None
Replaces       : None
Download Size  :   1.64 KiB
Installed Size :  21.00 KiB
Packager       : Unknown Packager
Build Date     : Sat 06 Dec 2014 02:06:39 AM CST
Validated By   : MD5 Sum  SHA256 Sum  Signature

/home/colin% 

I also have no trouble downloading the package and sig file using curl, and then installing with pacman -U:

/home/colin% curl -O http://rentap.comyr.com/ntarchw/update-1.1-1-any.pkg.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1688  100  1688    0     0  19523      0 --:--:-- --:--:-- --:--:-- 19627
/home/colin% curl -O http://rentap.comyr.com/ntarchw/update-1.1-1-any.pkg.tar.xz.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   543  100   543    0     0   6190      0 --:--:-- --:--:-- --:--:--  6241
/home/colin% sudo pacman -U update-1.1-1-any.pkg.tar.xz 
[sudo] password for colin: 
loading packages...
warning: update-1.1-1 is up to date -- reinstalling
resolving dependencies...
looking for inter-conflicts...

Packages (1): update-1.1-1

Total Installed Size:   0.02 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                    [##############################################] 100%
(1/1) checking package integrity                                                  [##############################################] 100%
(1/1) loading package files                                                       [##############################################] 100%
(1/1) checking for file conflicts                                                 [##############################################] 100%
(1/1) checking available disk space                                               [##############################################] 100%
(1/1) reinstalling update                                                         [##############################################] 100%
==> NOTE: 
    The script is named 'update' and the desktop calls it 'Update System'. Find it in the 'System' category or by seraching for update. Add 'Update System' to your panel for one-click system updating.
/home/colin% 

But, I can't install with pacman -U url...

/home/colin% sudo pacman -U http://rentap.comyr.com/ntarchw/update-1.1-1-any.pkg.tar.xz
 update-1.1-1-any                                       1688.0   B   824K/s 00:00 [##############################################] 100%
loading packages...
error: /var/cache/pacman/pkg/update-1.1-1-any.pkg.tar.xz: unsupported signature formaterror: GPGME error: No data
error: '/var/cache/pacman/pkg/update-1.1-1-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
/home/colin% 

It got the full package, but none of the signature. When I started writing all of this, I was having the same problem with pacman -S, but along the way, I realized I may have had a corrupted upload and re-did it, and although pacman -U url doesn't work, pacman -S does. I even tested it while ssh'd into another computer to make sure:

[zotac@zotac ~]$ sudo pacman -Syy
:: Synchronizing package databases...
 core                                                    116.1 KiB   671K/s 00:00 [##############################################] 100%
 extra                                                  1809.8 KiB  4.36M/s 00:00 [##############################################] 100%
 community                                                 2.4 MiB  5.09M/s 00:00 [##############################################] 100%
 multilib                                                121.9 KiB   704K/s 00:00 [##############################################] 100%
 pipelight                                                79.2 KiB   145K/s 00:01 [##############################################] 100%
 pipelight.sig                                           543.0   B  0.00B/s 00:00 [##############################################] 100%
 archlinuxcn                                             342.4 KiB  1370K/s 00:00 [##############################################] 100%
 ntarchw                                                1091.0   B  0.00B/s 00:00 [##############################################] 100%
 ntarchw.sig                                             543.0   B  0.00B/s 00:00 [##############################################] 100%
[zotac@zotac ~]$ sudo pacman -S update
resolving dependencies...
looking for inter-conflicts...

Packages (1): update-1.1-1

Total Download Size:    0.00 MiB
Total Installed Size:   0.02 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages ...
 update-1.1-1-any                                       1688.0   B  0.00B/s 00:00 [##############################################] 100%
(1/1) checking keys in keyring                                                    [##############################################] 100%
(1/1) checking package integrity                                                  [##############################################] 100%
(1/1) loading package files                                                       [##############################################] 100%
(1/1) checking for file conflicts                                                 [##############################################] 100%
(1/1) checking available disk space                                               [##############################################] 100%
(1/1) installing update                                                           [##############################################] 100%
==> NOTE: 
    The script is named 'update' and the desktop calls it 'Update System'. Find it in the 'System' category or by seraching for update. Add 'Update System' to your panel for one-click system updating.
[zotac@zotac ~]$ exit
logout
Connection to zotac closed.

So, if you read through all of this, the answer to how you should do this is in there because I got it to work. You seem to already know how to make your private key since you are signing packages. This post should give you the rest of the information.

In my case, my public key is distributed with archlinuxcn and since I'm not really making ntarchw public and will always put ntarchw after archlinuxcn in pacman.conf, I don't need to worry about if other people's computers have my key. But, I also published it so it will be findable under my email colinnkeenan@gmail.com (Colin Keenan works too):
https://pgp.mit.edu/pks/lookup?search=c … n&exact=on

Offline

#6 2014-12-09 06:23:19

colinkeenan
Member
From: Kansas City, MO USA
Registered: 2013-06-13
Posts: 213
Website

Re: Non-official repository package creation, download, and installation

There's something flaky going on. Probably with that free website I have. Sometimes (like now) I can't get some of the sig files to download properly (like not even the db.sig file). I've deleted the whole repo for the moment and will look for another way tomorrow.

Offline
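
Added example (not part of the thread, and not code from any of its posters): a shell check that every package and database file in a repo directory, laid out like the ~/ntarchw directory in post #5, has a .sig beside it that is actually binary OpenPGP signature data rather than an empty file, an ASCII-armored signature or a saved HTML page. It assumes signatures were made with gpg --detach-sign (binary output, first packet is a signature packet); the function names and the script name are made up for this example.

```shell
#!/bin/sh
# Added example: inspect the files that should be detached signatures in a
# repo directory before uploading, or after fetching them back with curl.

# Print what the file at $1 looks like:
#   missing | empty | html | armored | binary-sig | unknown
classify_sig() {
    sig=$1
    [ -f "$sig" ] || { echo missing; return; }
    [ -s "$sig" ] || { echo empty; return; }
    # First byte as two lowercase hex digits.
    first=$(od -An -tx1 -N1 "$sig" | tr -d ' \n')
    case $first in
        # OpenPGP signature packet (tag 2): old-format header 0x88/0x89/0x8a,
        # new-format header 0xc2.
        88|89|8a|c2) echo binary-sig; return ;;
    esac
    if head -c 512 "$sig" | LC_ALL=C grep -aq -e '-----BEGIN PGP SIGNATURE-----'; then
        echo armored
    elif head -c 512 "$sig" | LC_ALL=C grep -aEqi '<html|<!doctype'; then
        echo html        # an error or viewer page was saved instead of the file
    else
        echo unknown
    fi
}

# Check every package and database file in directory $1 (assumed layout:
# each file has its signature beside it as <file>.sig). Lists problems and
# returns non-zero if any signature is not a binary OpenPGP signature.
check_repo() {
    dir=$1
    bad=0
    for f in "$dir"/*.pkg.tar.xz "$dir"/*.db "$dir"/*.db.tar.gz; do
        [ -e "$f" ] || continue          # glob matched nothing
        kind=$(classify_sig "$f.sig")
        if [ "$kind" != binary-sig ]; then
            echo "$f.sig: $kind"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check-sigs.sh ~/ntarchw
if [ "$#" -gt 0 ]; then
    check_repo "$1"
fi
```

A file classified as binary-sig is only well-formed, not trusted; pacman-key --verify <file>.sig checks it against the keys in pacman's keyring.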
