
Quick Version

I have set up a private deb repository and copied some signed deb packages into it. I have installed the signing key locally. However when I try to install from the repo I get this warning:

WARNING: The following packages cannot be authenticated!

When installing manually, I can just press y but I want to install these packages automatically using puppet, and that fails.

So what's the problem? Do I need to re-sign packages with a key I control? Is there a better way of ensuring I have a particular version of puppet installed?

More Details

I have got the packages from the puppet debian repository - http://apt.puppetlabs.com/ - I just copy the package from (for lucid) this directory.

The repository is then updated with a script that runs these commands for each repo:

cd /var/www/html/apt/ubuntu/lucid
dpkg-scanpackages binary /dev/null | gzip -9c > binary/Packages.gz
dpkg-scansources sources /dev/null | gzip -9c > sources/Sources.gz

I have installed the signing key on the client.

$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
...
pub   4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
uid                  Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
...

The rationale for doing this is that I want all puppet clients to be the same version. So all machines should get the packages from my repository by using the following pin in /etc/apt/preferences.d/puppet:

Package: puppet puppet-common facter
Pin: origin deb.example.org
Pin-Priority: 1001

(We are currently using puppet 2.6.x, so I need a priority of 1001 to downgrade precise clients from 2.7.x).

I have read about holding packages but that doesn't help me change package versions.

All suggestions welcome.

Hamish Downer

1 Answer

Are you sure the packages are signed? I'm not sure, but I guess there should be appropriate signature files. We are signing our whole repositories, so there is only one signature for the whole tree, and we let reprepro do this for us.

Michuelnik
  • Is there a command to show the signature for a file? – Hamish Downer Nov 29 '12 at 15:45
  • @HamishDowner It's not the package that's signed at all; you should be using a tool like `reprepro` that will handle updating the package index's signature for you; a key for your repository, not the puppet labs key, will be the one your clients need to trust. – Shane Madden Nov 30 '12 at 05:46
  • @ShaneMadden OK, I clearly need to do some more reading, thank you for the pointers. – Hamish Downer Nov 30 '12 at 11:13
  • This is correct. You can include a direct signature on deb source (on a .dsc file) or on a .changes file (which defines a set of debs/source for upload to an apt server), but I don't think there's any commonly supported way to include a signature in a .deb itself. It's up to the apt server to make sure it only includes verified packages and sign its own packages lists (or use upstream package lists verbatim). – the paul Nov 30 '12 at 17:43
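The answer and comments above boil down to one point: apt never checks a signature on a .deb, it checks a signature on the repository's Release file, and Release in turn carries the hashes of the Packages index, which carries the hashes of the .debs. The script below is an added example (not part of the question or answer, and not reprepro's code) showing that chain for a flat archive laid out like the one in the question (Packages.gz under binary/ with no dists/ tree). The directory, the origin name deb.example.org, the key id placeholder and the sample Packages content are all assumed; on a real host the Release file is written by apt-ftparchive or reprepro rather than by hand.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and signs the Release file
# that APT actually authenticates for a flat archive such as
#   /var/www/html/apt/ubuntu/lucid/binary/Packages.gz
# Assumed/hypothetical: the repository directory, the origin name,
# the signing key id, and the sample index content used below.
set -eu

# Write Release next to binary/ and sources/. Hash entries are paths
# relative to the directory holding Release, e.g. "binary/Packages.gz".
# Usage: make_release REPO_DIR ORIGIN FILE...
make_release() {
    repo="$1"; shift
    origin="$1"; shift
    (
        cd "$repo"
        {
            printf 'Origin: %s\n' "$origin"
            printf 'Label: %s\n' "$origin"
            printf 'Suite: lucid\n'
            printf 'Codename: lucid\n'
            printf 'Architectures: amd64 i386\n'
            printf 'Date: %s\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
            printf 'SHA256:\n'
            for f in "$@"; do
                sum=$(sha256sum "$f" | cut -d' ' -f1)
                size=$(wc -c < "$f" | tr -d ' ')
                printf ' %s %16d %s\n' "$sum" "$size" "$f"
            done
        } > Release
    )
}

# Sign Release with the repository's OWN key (not the Puppet Labs key).
# InRelease (clearsigned) serves newer apt; Release.gpg (detached) serves
# older releases such as lucid. Usage: sign_release REPO_DIR KEY_ID
sign_release() {
    repo="$1"; keyid="$2"
    gpg --batch --yes --local-user "$keyid" --clearsign \
        --output "$repo/InRelease" "$repo/Release"
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "$repo/Release.gpg" "$repo/Release"
}

# What a client does first: check the detached signature against the keys it
# trusts (the repository key must have been imported with apt-key add).
# Usage: verify_release REPO_DIR KEYRING
verify_release() {
    gpgv --keyring "$2" "$1/Release.gpg" "$1/Release"
}

# What a client does second: confirm each index listed in Release still has
# the recorded SHA256. A tampered or stale Packages file fails here even if
# the Release signature itself verified. Usage: check_hashes REPO_DIR
check_hashes() {
    (
        cd "$1"
        awk '/^SHA256:/ {on=1; next} /^[A-Za-z]/ {on=0} on && NF==3 {print $1, $3}' Release |
        while read -r want path; do
            have=$(sha256sum "$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || { echo "hash mismatch: $path" >&2; exit 1; }
        done
    )
}

# Repository host (after dpkg-scanpackages has refreshed the indexes):
#   make_release /var/www/html/apt/ubuntu/lucid deb.example.org binary/Packages.gz sources/Sources.gz
#   sign_release /var/www/html/apt/ubuntu/lucid REPO-KEY-ID-PLACEHOLDER
# Client, after importing the repository's public key:
#   verify_release /path/to/mirror /etc/apt/trusted.gpg && check_hashes /path/to/mirror
```

Re-run make_release and sign_release every time the Packages index changes; a signed Release whose hashes no longer match the index is exactly what makes apt refuse the repository, which is the failure mode puppet sees when the "y" prompt is not available.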