I already have a GPG key configured. I have cloned the git source code package locally. I'm building in a chroot with extra-x86_64-build. I am able to build packages without signing. Now I want to build the package, sign it and add it to my private local repo with the signature.
What are the steps?
Below are my steps in some detail and where I'm having confusion or trouble:
preliminary general steps (all completed):
1. read wiki pages (such as https://wiki.archlinux.org/index.php/Creating_packages)
2. install base-devel, devtools, namcap, shellcheck
3. systemctl status haveged # make sure it is active
preliminary package signing steps (all completed):
1. review /usr/share/devtools/pacman-extra.conf
- I added my local private/custom repository to this file (with default SigLevel)
2. edit /etc/makepkg.conf:
- BUILDENV=(!distcc color !ccache check sign) # make sure `sign` is active
- PACKAGER="My Name <me@gmail.com>"
- GPGKEY="1234ABCD09876" # use your key full fingerprint uppercase, no whitespace
3. with an existing GPG key on my user's keyring do these steps:
- gpg --armor --output mykey.pub --export 1234ABCD09876 # public key only: pacman-key needs nothing more, and the secret key stays in the user keyring
- sudo pacman-key -a mykey.pub
- sudo pacman-key --finger 1234ABCD09876
- sudo pacman-key --lsign-key 1234ABCD09876
prepare source files, PKGBUILD (completed):
1. git clone ${url} # or git pull if already cloned
2. inspect PKGBUILD
3. namcap -i PKGBUILD
4. makepkg --packagelist # inspect version number (optional)
1. FYI - I am starting with internal & trusted source files. They are not signed and there are no sums in the PKGBUILD I start with.
2. how do I modify the PKGBUILD for including sums of the built package and its `.sig` file?
2.1. at what step is the package's `.sig` file added to the PKGBUILD? How is that done?
3. when are the sums for the built package added to the PKGBUILD?
3.1. when do I run this step?
makepkg -g >> PKGBUILD
3.2. when is this used instead?
updpkgsums
Next: build the package in a chroot env (I can do this only without package signing)
extra-x86_64-build
NOTE: I am running into this issue:
makepkg: fail to sign source package with dynamic version
https://bbs.archlinux.org/viewtopic.php?id=259771
(I guess this will be solved with the next release of pacman?)
add pkg to private repo (I can do this without pkg signing, but I have not succeeded in creating a signed package to test with):
- newpkg="mypackage.r10.918a28e-1-any.pkg.tar.zst" # example
- namcap -i "$newpkg"
- repoctl add --require-signature "$newpkg"
repo questions:
- is the --require-signature arg needed?
Last edited by MountainX (2020-10-18 16:57:49)
Package signatures have nothing to do with PKGBUILDs. Once you've built the package, you can run gpg --detach-sign "$file" before using repo-add.
I don't know what repoctl is or does.
I have a custom shell script I store in my repo/ directory: https://pkgbuild.com/~eschwartz/repo/x86_64/release.sh
I symlink it into $HOME/bin and use it to cp packages, sign them, and rsync them to a server host.
/path/to/release.sh -p PKGBUILD
/path/to/release.sh *.pkg.tar.zst
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
I use a little alias for this, replace XXXXXXXX with your key id
signit () {
    if [[ -z "$1" ]]; then
        echo "Provide a filename and try again."
    else
        file="$1"
        # read the package's mtime as epoch seconds and format it for touch -t
        # (the @epoch form avoids the locale-dependent %c round trip through date -d)
        target_dts=$(date -d "@$(stat -c %Y "$file")" +%Y%m%d%H%M.%S) &&
        gpg --detach-sign --local-user XXXXXXXX "$file" &&
        # give the detached signature the same timestamp as the package
        touch -t "$target_dts" "$file.sig"
    fi
}
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
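The workflow the two replies above describe, as an added example that is not code from the thread or from any of its posters: detached-sign a built package, give the .sig the package's own mtime (the point of the signit() alias), verify it, and only then hand package and signature to repo-add, which with -s signs the database and with -v checks the existing database signature before touching it. To run offline it generates a throwaway key in a temporary GNUPGHOME and signs a constructed dummy file; the package name, repo name and paths are placeholders, and repo-add is skipped when it is not installed. With a real key, drop setup_keyring/make_test_key and pass the GPGKEY fingerprint from makepkg.conf.

```shell
#!/bin/sh
# Added example, not code from the thread. Sign a built package, match the .sig
# timestamp to the package, verify, and hand both to repo-add.
# Offline/constructed: throwaway GNUPGHOME, fresh test key, dummy package file.
set -u

# Throwaway keyring so the example never touches ~/.gnupg. Must be called in the
# current shell (not inside $(...)) so GNUPGHOME is exported to later calls.
setup_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# Generate an unprotected ed25519 signing key (test only) and print its fingerprint.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Test Packager <test@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached signature next to the package (the same file makepkg's BUILDENV sign
# produces and pacman/repo-add look for), then copy the package mtime onto it.
sign_package() {
    pkg=$1 key=$2
    gpg --batch --yes --detach-sign --local-user "$key" "$pkg" || return 1
    touch -r "$pkg" "$pkg.sig"        # same result as the signit() touch -t step
}

# Verify the signature before publishing; 0 on a good signature, 1 otherwise.
verify_package() {
    gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Update the database and sign it (-s); -v verifies the existing database
# signature first. repo-add wants the package .sig to exist already.
# Skipped where pacman/devtools are not installed so the example still runs.
add_to_repo() {
    db=$1; shift
    if ! command -v repo-add >/dev/null 2>&1; then
        echo "repo-add not installed; skipping database update" >&2
        return 0
    fi
    repo-add -s -v "$db" "$@"
}

demo() {
    tmp=$(mktemp -d)
    pkg="$tmp/mypackage-r10.918a28e-1-any.pkg.tar.zst"   # constructed, not a real package
    printf 'constructed dummy package payload\n' > "$pkg"
    setup_keyring
    key=$(make_test_key) || { echo "key generation failed" >&2; return 1; }
    sign_package "$pkg" "$key" && verify_package "$pkg" || return 1
    echo "signed and verified: $pkg (key $key)"
    add_to_repo "$tmp/myrepo.db.tar.gz" "$pkg"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh sign-and-add.sh demo`. Note that verify_package checks the package against its .sig only; it says nothing about whether the signing key is trusted by the pacman keyring on the clients, which is what the pacman-key --lsign-key step in the first post is for.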
eschwartz wrote:
Package signatures have nothing to do with PKGBUILDs. Once you've built the package, you can run gpg --detach-sign "$file" before using repo-add.
I don't know what repoctl is or does.
I have a custom shell script I store in my repo/ directory: https://pkgbuild.com/~eschwartz/repo/x86_64/release.sh
I symlink it into $HOME/bin and use it to cp packages, sign them, and rsync them to a server host.
/path/to/release.sh -p PKGBUILD
/path/to/release.sh *.pkg.tar.zst
Thank you for sharing your release.sh script. I'll study that. Also, thank you for all your work on Arch Linux for a long time.
repoctl is doing exactly the same as
repo-add -s -v ${reponame}.db.tar.gz "${pkgfiles[@]}"
The only difference (to me) is that you do not have to give it the reponame. With my config, it finds my repo without extra args.
Last edited by MountainX (2020-10-15 22:39:48)
I use a little alias for this, replace XXXXXXXX with your key id
signit () {...}
That's a nice touch to match the .sig file timestamp to the package. I'll definitely use that. Thanks.
I don't even need to replace XXXXXXXX with my key id, because I have it configured as the default.
@eschwartz
In regard to this issue, which you recently resolved:
makepkg: fail to sign source package with dynamic version
https://bbs.archlinux.org/viewtopic.php?id=259771
Is the current work-around to hard-code the version number in the PKGBUILD and not use pkgver() for VCS-derived versioning?
I'm using pacman 5.2.2-1 (2020-07-14). When do you expect your recent fixes for the above issue may be available in the core repo?
MountainX wrote:
@eschwartz
In regard to this issue, which you recently resolved:
makepkg: fail to sign source package with dynamic version
https://bbs.archlinux.org/viewtopic.php?id=259771
Is the current work-around to hard-code the version number in the PKGBUILD and not use pkgver() for VCS-derived versioning?
I'm using pacman 5.2.2-1 (2020-07-14). When do you expect your recent fixes for the above issue may be available in the core repo?
No, you only need to change ${fullver} to $(get_full_version), or apply the attached patch to makepkg.
The line is 1361.
Re-read the thread
It will be available on the next pacman release, but that’s up to Allan (right?)
Last edited by GaKu999 (2020-10-16 00:16:57)
GaKu999 wrote:
It will be available on the next pacman release, but that’s up to Allan (right?)
Yes. I am hoping before the end of the year.
Thanks for all the help. This is working for me now and I can add signed packages to my local repo and sign the database files. I have one more question that may be obvious to those with experience, but I'm not sure how this part works:
I want to mirror my local repo (including all signatures) to a remote server (outside of our LAN).
Do I just rsync everything (package files, package signatures, repo database files, repo database signatures, and repo symlinks) to the remote server? If so, is there anything in particular I need to know? (For example, do file permissions need any special attention or anything like that?)
BTW, I have SSH (and SFTP) access, but no HTTPS access to the remote server. Since the remote server is not on our LAN and is not a webserver at all, I have not seen any of the options suggested in Pacman Tips_and_tricks that will work for me.
The ultimate end users will have access to get the packages from this remote server by means of SSH, but that's another story. I just need to get the entire package collection and database files there, with signatures, and that's why I'm leaning toward rsync. Will that work?
Last edited by MountainX (2020-10-16 02:45:10)
MountainX wrote:
Thank you for sharing your release.sh script. I'll study that. Also, thank you for all your work on Arch Linux for a long time.
No problem, happy to be of service.
MountainX wrote:
repoctl is doing exactly the same as
repo-add -s -v ${reponame}.db.tar.gz "${pkgfiles[@]}"
The only difference (to me) is that you do not have to give it the reponame. With my config, it finds my repo without extra args.
Then it should do the right thing just as long as the .sig file exists beforehand.
MountainX wrote:
I'm using pacman 5.2.2-1 (2020-07-14). When do you expect your recent fixes for the above issue may be available in the core repo?
That depends on a few factors.
- allan needs to do patch review and merge it to master
- allan needs to cut a new 6.0 release (see his reply)
- andrew might pull it into a maintenance release before 6.0, if there are other changes too (I'm not sure this is worth a release on its own...)
MountainX wrote:
Do I just rsync everything (package files, package signatures, repo database files, repo database signatures, and repo symlinks) to the remote server? If so, is there anything in particular I need to know? (For example, do file permissions need any special attention or anything like that?)
As long as the user can download the files using curl, file permissions are irrelevant. So your ftp/http server or /path/to/share needs read access, basically.
Straight up rsync of everything, is the best approach and should work fine.
MountainX wrote:
BTW, I have SSH (and SFTP) access, but no HTTPS access to the remote server. Since the remote server is not on our LAN and is not a webserver at all, I have not seen any of the options suggested in Pacman Tips_and_tricks that will work for me.
The ultimate end users will have access to get the packages from this remote server by means of SSH, but that's another story. I just need to get the entire package collection and database files there, with signatures, and that's why I'm leaning toward rsync. Will that work?
Since curl supports both ssh and sftp, I suspect this should/might work for the ultimate end user using the builtin libcurl downloader and ssh:// or sftp:// urls, but I've never tested it.
Worst comes to worst, you would use XferCommand in pacman.conf with a custom command to download files.
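A pre-flight check for the "straight up rsync of everything" answer above, as an added example that is not code from the thread or its posters. Before pushing, it confirms what a pacman client will need to find on the mirror: the database and its signature, the $repo.db and $repo.db.sig symlinks repo-add creates, a .sig beside every package, and read access for "others" (the user fetching over sftp or http only needs to read). The rsync invocation follows with the flags that matter for a repo tree. Repo name, paths and the user@host destination are placeholders; the pacman.conf comment at the end restates the untested sftp:// suggestion from the reply rather than a verified configuration.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight check and rsync push of a
# signed local repo to a remote host over SSH. Names, paths and host are placeholders.
set -u

# Print one problem per line and return 1 if any were found, 0 when the tree
# is complete and readable. $1 = repo directory, $2 = repo name (as in [myrepo]).
check_repo_ready() {
    dir=${1%/} repo=$2 bad=0
    for f in "$dir/$repo.db.tar.gz" "$dir/$repo.db.tar.gz.sig" \
             "$dir/$repo.db" "$dir/$repo.db.sig"; do
        [ -e "$f" ] || { echo "missing: $f"; bad=1; }
    done
    for p in "$dir"/*.pkg.tar.*; do
        case $p in *.sig) continue ;; esac
        [ -e "$p" ] || continue            # glob matched nothing
        [ -f "$p.sig" ] || { echo "unsigned package: $p"; bad=1; }
    done
    # -perm -004: the "others" read bit must be set on every regular file
    unreadable=$(find "$dir" -type f ! -perm -004)
    if [ -n "$unreadable" ]; then
        printf '%s\n' "$unreadable" | sed 's/^/not world-readable: /'
        bad=1
    fi
    return "$bad"
}

# Push the whole tree. -a keeps symlinks as symlinks (so $repo.db still points
# at $repo.db.tar.gz on the server), plus mtimes and modes; --delete removes
# packages you dropped locally; --chmod forces readable modes on the remote
# whatever your local umask was. Run check_repo_ready first.
mirror_repo() {
    src=${1%/} dst=$2                      # dst e.g. user@host:/srv/repo/x86_64
    rsync -a --delete --chmod=D755,F644 -e ssh "$src/" "$dst/"
}

# Client side (pacman.conf on the end users' machines). pacman hands the URL
# to libcurl, so an sftp:// Server line may work directly (untested, as the
# reply says); otherwise XferCommand runs your own fetcher with %u = URL and
# %o = output file.
#   [myrepo]
#   SigLevel = Required DatabaseRequired
#   Server = sftp://user@host/srv/repo/$arch

case "${1:-}" in
    check)  check_repo_ready "${2:?repo dir}" "${3:?repo name}" ;;
    mirror) mirror_repo "${2:?repo dir}" "${3:?destination}" ;;
esac
```

Usage: `sh mirror.sh check /path/to/repo myrepo && sh mirror.sh mirror /path/to/repo user@host:/srv/repo/x86_64`. Because --delete is in play, a typo in the destination can empty a directory on the remote side; test it once with `rsync -n` (dry run) added to the command before relying on it.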
MountainX wrote:
@eschwartz
In regard to this issue, which you recently resolved:
makepkg: fail to sign source package with dynamic version
https://bbs.archlinux.org/viewtopic.php?id=259771
Is the current work-around to hard-code the version number in the PKGBUILD and not use pkgver() for VCS-derived versioning?
I'm using pacman 5.2.2-1 (2020-07-14). When do you expect your recent fixes for the above issue may be available in the core repo?
GaKu999 wrote:
No, you only need to change ${fullver} to $(get_full_version), or apply the attached patch to makepkg.
The line is 1361.
Re-read the thread
It will be available on the next pacman release, but that’s up to Allan (right?)
This is now merged to master and available to those who like exciting things, at:
https://wiki.archlinux.org/index.php/Un … #eschwartz
https://aur.archlinux.org/packages/pacman-git