自建可信的APT源

自建可信APT源

介绍

生成GPG keys用于签名

apt-get install rng-tools
# On a fresh install the service usually fails to start and prints:
Job for rng-tools.service failed. See 'systemctl status rng-tools.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript rng-tools, action "start" failed.
# Start rngd by hand with a pseudo-random source so that key generation does not block; ping -f <ip> also adds entropy.
# NOTE(review): /dev/urandom is the kernel's own CSPRNG output, so feeding it back through rngd only
# unblocks /dev/random — it adds no real entropy. On a VM a hardware source (e.g. virtio-rng) is the better fix.
rngd -r /dev/urandom

生成密钥

gpg --gen-key
# Default choice is "RSA and RSA"; if that option is not offered, run: gpg --full-generate-key
# Key size: 4096
# Expiry: 0 = never (master key)
# Fill in real name and e-mail
# Set a passphrase; a forgotten gpg passphrase cannot be recovered
pub   rsa4096 2017-07-08 [SC]
      084EFD85C4CD8057FA94C7FAC826B1B6EE875BF7
      084EFD85C4CD8057FA94C7FAC826B1B6EE875BF7
uid                      yi <[email protected]>
sub   rsa4096 2017-07-08 [E]
# In the terminal, open the key for editing.
# EE875BF7 is the short (32-bit) key ID — the last 8 hex digits of the fingerprint above; the full
# fingerprint is the unambiguous way to name the key.
gpg --edit-key EE875BF7
# Enter addkey
gpg> addkey
# (4) RSA (sign only)
# 4096
# About one year is enough for the signing subkey: 1y
sec  rsa4096/C826B1B6EE875BF7
     created: 2017-07-08  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/68FDDA5252F0C052
     created: 2017-07-08  expires: never       usage: E
ssb  rsa4096/9F8D0ABA9A0B6D06
     created: 2017-07-08  expires: 2018-07-08  usage: S
[ultimate] (1). yi <[email protected]>
# NOTE(review): the signing subkey expires on 2018-07-08; extend it (gpg --edit-key, "expire") and
# republish the public key before then, otherwise apt will report the repository key as expired.
# Save: save
gpg> save

导出密钥

# Export the complete secret key (master + subkeys) using the master key ID, then append the public key
gpg --export-secret-key EE875BF7 > private.key
gpg --export EE875BF7 >> private.key
# Keep this file safe: private.key contains the master private key, the public key, the encryption subkey and the signing subkey.
# NOTE(review): copy private.key to offline storage *before* the rm below — after --delete-secret-key
# further down there is no other copy of the master key on this machine.
rm private.key
# Export the public key and the secret signing subkey
gpg --export EE875BF7 > public.key
gpg --export-secret-subkeys 9A0B6D06 > signing.key
# (without a trailing "!" on the key ID gpg exports all secret subkeys of the key, not only 9A0B6D06;
#  the listing below accordingly shows both the [E] and the [S] subkey)
# Remove the master secret key from this keyring
gpg --delete-secret-key EE875BF7
# Re-import the public key and the signing subkey
gpg --import public.key signing.key
# Confirm the master secret key is gone: "sec#" means only a stub of the master secret key is present
gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec#  rsa4096 2017-07-08 [SC]
      084EFD85C4CD8057FA94C7FAC826B1B6EE875BF7
uid           [ultimate] yi <[email protected]>
ssb   rsa4096 2017-07-08 [E]
ssb   rsa4096 2017-07-08 [S] [expires: 2018-07-08]
# Publish the public key to a keyserver (--send-key uploads the public key; it does not sign anything)
gpg --keyserver keyserver.ubuntu.com --send-key EE875BF7

制作Deb包

请参考:制作Deb一文.

为Deb签名

# Install dpkg-sig
apt-get install dpkg-sig
# Sign the package with the signing subkey under the role name "builder".
# NOTE(review): 9A0B6D06 is a short 32-bit key ID, which can collide; prefer the long ID
# (9F8D0ABA9A0B6D06 in the listing above) or the full fingerprint.
dpkg-sig -k 9A0B6D06 --sign builder dps_0.0.1_amd64.deb

创建仓库

# Install reprepro
apt-get install reprepro
# Create the repository layout
mkdir -p /data/deb/debian/9/conf/
touch /data/deb/debian/9/conf/{distributions,options,override.hack}
# Contents of conf/distributions
Origin: dl
Label: dl
Codename: hack
Architectures: i386 amd64 source
Components: main pre
Description: ysicing debian package repo
SignWith: 9A0B6D06
# NOTE(review): SignWith names the signing subkey by its short 32-bit ID; the long ID
# (9F8D0ABA9A0B6D06) or full fingerprint makes the key lookup unambiguous.
# Contents of conf/options
verbose
basedir /data/deb/debian/9
ask-passphrase
# Add a package to the "hack" codename, component main, priority optional, section net.
# conf/ and db/ under the basedir must not be reachable through the web server (see the nginx "deny" locations below).
reprepro -Vb /data/deb/debian/9  -C main -P optional -S net  includedeb hack deb/dps_0.0.1_amd64.deb

安装nginx

可以参考dc-proxy项目.

server {
	listen 80;
	# Plain-HTTP front end for the repository. apt verifies the Release signature itself, so
	# HTTP is workable; only /dl.html is redirected to HTTPS here (the commented rewrite in
	# "location /" would force HTTPS for every path).
	server_name dl.ysicing.net;
	access_log /data/proxy/acc.log;
	error_log /data/proxy/err.log;

	location / {
	root /data/deb/;
	autoindex on;
	index dl.html;
	#rewrite ^/(.*)$ https://dl.ysicing.net/$1 permanent;
	}
	location ~ /dl.html {
	rewrite ^/(.*)$ https://dl.ysicing.net/$1 permanent;
	}
	# Keep reprepro's conf/ and db/ out of reach. "return 404" runs in the rewrite phase, before
	# "deny all" (access phase), so clients see 404, not 403. The regex is unanchored and therefore
	# matches any path containing "/conf/" or "/db/".
	location ~ /(.*)/(conf|db)/ {
		deny all;
		return 404;
	}
}
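server {
    # HTTPS front end for the repository; same document root as the port-80 server.
    # "ssl on;" is deprecated — the ssl parameter on listen replaces it.
    listen 443 ssl;
    server_name dl.ysicing.net;
    ssl_certificate     /data/proxy/dl.pem;
    # Private key: keep it readable only by the nginx user.
    ssl_certificate_key /data/proxy/dl.key;
    ssl_session_timeout 5m;
    # Forward-secret AEAD suites only; the previous list also admitted the broad
    # ECDH/AES/HIGH families (non-PFS and CBC suites).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    # TLSv1 and TLSv1.1 removed (both deprecated); Debian 9 apt clients support TLSv1.2.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    autoindex on;
    access_log /data/proxy/acc_https.log;
    error_log  /data/proxy/err_https.log;
    location / {
        root /data/deb/;
        autoindex on;
        index dl.html;
    }
    # Hide reprepro's conf/ and db/ directories. "return 404" runs in the rewrite phase,
    # before "deny all" (access phase), so clients always see 404. The regex is unanchored,
    # so it matches any path containing "/conf" or "/db".
    location ~ /(.*)/(db|conf) {
        deny all;
        return 404;
    }
}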

运行

# Start the proxy container with both web ports published.
# The whole host /data tree — the repository and /data/proxy/dl.key — is mounted into the container;
# only the paths nginx needs could be mounted instead.
docker run --interactive --tty --detach \
  --publish 80:80 \
  --publish 443:443 \
  --volume /data:/data \
  --name proxy \
  nvwa/dc_proxy:v1.0-17

End

Demo,可以手动安装dps软件。

*****
Written by ysicing on 28 June 2017