
Managing your own apt repository key

There is a chance you run your own apt repository if you use Debian or a Debian-like system (Ubuntu, for example) and do your own deb packaging. To keep apt from complaining about unsigned packages you need to create a GPG key pair for the repository and push the public key to every node.
The Opscode Chef recipe should carry the public part of the GPG key as mykey.gpg in the cookbook's files/default directory. The Chef recipe that pushes the file looks like this:

# Imports the repository key into apt's trusted keyring once the file is in place.
# (apt-key is deprecated on current Debian/Ubuntu; with the key already under
# /usr/share/keyrings it can instead be referenced via signed-by in the sources entry.)
execute "add_my_apt_key" do
  command "/usr/bin/apt-key add /usr/share/keyrings/mykey.gpg"
  action :nothing
end

# Copies files/default/mykey.gpg from the cookbook to the node; the relative
# source is the old Chef form, current Chef uses cookbook_file for this.
remote_file "/usr/share/keyrings/mykey.gpg" do
  mode "644"
  owner "root"
  group "root"
  action :create
  backup false
  source "mykey.gpg"
  # sha256 of the key file; set it to pin the key and detect a swapped file
  # checksum ""
  notifies :run, resources(:execute => "add_my_apt_key")
end

Speaking about the repository: this key is not used to sign the packages themselves (the .deb files stay intact) but to sign the Release file, the list of MD5 and other checksums of the package indexes, which you generate with the package indexing script:

apt-ftparchive generate ./apt-ftparchive.conf
apt-ftparchive -c ./apt-custom-release.conf release /var/www/myrepo/dists/custom > /var/www/myrepo/dists/custom/Release
# --default-key needs the key id or email of the repository key; <repo-key-email> is a placeholder
gpg --default-key "<repo-key-email>" --armor --detach-sign -o /var/www/myrepo/dists/custom/Release.gpg /var/www/myrepo/dists/custom/Release

This assumes the private key for that email address is in the keyring of the user running the command.
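The reason signing only the Release file is enough is the hash chain below it: Release lists the checksums of the index files, and each Packages index lists the checksum of every .deb. Once gpg has verified Release.gpg, apt verifies the two hash hops. The script below is an added example, not code from the page or from the apt project; it builds a small constructed repository laid out like /var/www/myrepo/dists/custom (sample data, not a real archive), then walks Release -> Packages -> .deb and raises on any mismatch. It checks the hashes only; the signature check itself is left to gpgv.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_release_sha256(text: str) -> Dict[str, str]:
    """Return {relative_path: sha256} from the 'SHA256:' stanza of a Release file."""
    entries, in_stanza = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):  # next top-level field ends the stanza
                break
            digest, _size, name = line.split()
            entries[name] = digest
    return entries


def parse_packages_sha256(text: str) -> Dict[str, str]:
    """Return {Filename: SHA256} for every paragraph of a Packages index."""
    entries, filename, digest = {}, None, None
    for line in text.splitlines() + [""]:
        if line.startswith("Filename:"):
            filename = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256:"):
            digest = line.split(":", 1)[1].strip()
        elif line == "" and filename:
            entries[filename] = digest
            filename = digest = None
    return entries


def verify_chain(archive_dir: str, dist: str = "dists/custom") -> List[str]:
    """Verify Release -> Packages -> .deb hashes; return verified paths, raise on mismatch."""
    dist_dir = os.path.join(archive_dir, dist)
    with open(os.path.join(dist_dir, "Release")) as f:
        index_hashes = parse_release_sha256(f.read())
    if not index_hashes:
        raise ValueError("Release has no SHA256 stanza")
    verified = []
    for rel, expected in index_hashes.items():
        path = os.path.join(dist_dir, rel)
        if sha256_of(path) != expected:
            raise ValueError(f"index {rel} does not match Release")
        verified.append(path)
        if os.path.basename(rel) == "Packages":
            with open(path) as f:
                for deb, deb_hash in parse_packages_sha256(f.read()).items():
                    deb_path = os.path.join(archive_dir, deb)  # Filename is relative to ArchiveDir
                    if sha256_of(deb_path) != deb_hash:
                        raise ValueError(f"package {deb} does not match Packages")
                    verified.append(deb_path)
    return verified


def build_constructed_repo() -> str:
    """Create a tiny constructed repository in a temp dir (sample data, not a real archive)."""
    root = tempfile.mkdtemp(prefix="myrepo-")
    pkg_dir = os.path.join(root, "dists/custom/main/binary-amd64")
    os.makedirs(pkg_dir)
    deb_rel = "dists/custom/main/binary-amd64/hello_1.0_amd64.deb"
    deb_path = os.path.join(root, deb_rel)
    with open(deb_path, "wb") as f:
        f.write(b"!<arch>\nconstructed placeholder, not a real .deb\n")
    packages_path = os.path.join(pkg_dir, "Packages")
    with open(packages_path, "w") as f:
        f.write("Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
                f"Filename: {deb_rel}\nSize: {os.path.getsize(deb_path)}\n"
                f"SHA256: {sha256_of(deb_path)}\n\n")
    with open(os.path.join(root, "dists/custom/Release"), "w") as f:
        f.write("Origin: Mycompany\nSuite: custom\nCodename: custom\n"
                "Architectures: amd64\nComponents: main\nSHA256:\n"
                f" {sha256_of(packages_path)} {os.path.getsize(packages_path)} main/binary-amd64/Packages\n")
    return root


if __name__ == "__main__":
    repo = build_constructed_repo()
    print("verified:", verify_chain(repo))
```

Appending a byte to the constructed .deb leaves Release and Packages consistent with each other but makes the second hop fail, which is exactly the case the Release signature protects against: a replaced package on the mirror cannot be made to verify without re-signing Release.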
Sample apt-custom-release.conf:

APT::FTPArchive::Release::Origin "Mycompany";
APT::FTPArchive::Release::Label "Myrepo";
APT::FTPArchive::Release::Suite "custom";
APT::FTPArchive::Release::Codename "custom";
APT::FTPArchive::Release::Architectures "i386 amd64 source";
APT::FTPArchive::Release::Components "main";
APT::FTPArchive::Release::Description "Custom debian packages for";

Sample apt-ftparchive.conf:

Dir {
  ArchiveDir "/var/www/myrepo";
};

BinDirectory "dists/custom/main/binary-i386" {
  Packages "dists/custom/main/binary-i386/Packages";
  Contents "dists/custom/Contents-i386";
  SrcPackages "dists/custom/main/source/Sources";
};

BinDirectory "dists/custom/main/binary-amd64" {
  Packages "dists/custom/main/binary-amd64/Packages";
  Contents "dists/custom/Contents-amd64";
  SrcPackages "dists/custom/main/source/Sources";
};

Tree "dists/custom" {
  Sections "main";
  Architectures "i386 source amd64";
};

The packages go into /var/www/myrepo/dists/custom/main/<platform>/<any subdirectory>.