challenge setting up apt secure for local repository

To: deity@lists.debian.org, walters@debian.org, ijones@syntaxpolice.org
Cc: Federico Grau <grauf@rfa.org>, rivendell@rfa.org
Subject: challenge setting up apt secure for local repository
From: Federico Grau <grauf@rfa.org>
Date: Tue, 29 May 2007 18:39:42 -0400
Message-id: <[🔎] 20070529223942.GC27782@rfa.org>
Hello Colin Walters, Isaac Jones, and apt development team,

I write you asking for help out of desparation, as I am stuck trying to get
apt-secure working and I could find no better support forum.

We have been running our own local repository of custom Debian packages for
our radio facility for years (this flexibility is one of the main reasons we
have chosen Debian as our OS of choice).  It has worked very well on its own,
but I am stuck trying to add apt-secure support for our Etch packages.

    # Etch portion of our repository
    http://techweb.rfa.org/debrfa/dists/etch/

    # root directory of our repository
    http://techweb.rfa.org/debrfa/

    # /etc/apt/sources.list entry for repository
    deb http://techweb.rfa.org/debrfa etch main
    deb-src http://techweb.rfa.org/debrfa etch main

We have a directory structure where deb packages and sources are placed in the
correct sub-directories:
    grauf@riffraff:/home/debrfa$ find dists/ -type d
    dists/sid
    dists/sid/main
    dists/sid/main/binary-i386
    dists/sid/main/source
    dists/etch
    dists/etch/main
    dists/etch/main/source
    dists/etch/main/binary-i386
    dists/etch/main/binary-amd64

Then we have a script where the Packages and Sources files are generated using
dpkg-scanpackages and dpkg-scansources:
    dpkg-scanpackages dists/etch/main/binary-i386/ file | \
        gzip > dists/etch/main/binary-i386/Packages.gz

    dpkg-scansources dists/etch/main/source/ | \
        gzip > dists/etch/main/source/Sources.gz

In that script the Release file is also generated using "apt-ftparchive".  I
believe my problems are with an incorrect Release file, however the
documenation I have found on that file has been minimal (and I am very unsure
of the required configuration options or their meaning):
    apt-ftparchive \
        -o"APT::FTPArchive::Release::Origin=http://techweb.rfa.org/debrfa/ archive" \
        -o"APT::FTPArchive::Release::Label=testlabel" \
        -o"APT::FTPArchive::Release::Codename=etch" \
        -o"APT::FTPArchive::Release::Suite=stable" \
        release  dists/etch  > dists/etch/Release


As far as the cryptographic portion goes, I believe I have that portion setup
correctly.  I have a gpg key:
    [grauf@grauf apt_hack]$ gpg --list-keys B5EF9702
    pub   1024D/B5EF9702 2006-08-02 [expires: 2007-10-26]
    uid                  Federico Grau (work key, fiscal 2005) <grauf@rfa.org>
    sub   4096g/6B5ED0F6 2006-08-02 [expires: 2007-10-26]
Which I have added to "apt-key":
    grauf:~# apt-key list
    /etc/apt/trusted.gpg
    --------------------
    pub   1024D/2D230C5F 2006-01-03 [expired: 2007-02-07]
    uid                  Debian Archive Automatic Signing Key (2006)
    <ftpmaster@debian.org>

    pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
    uid                  Debian Archive Automatic Signing Key (4.0/etch)
    <ftpmaster@debian.org>

    pub   1024D/ADB11277 2006-09-17
    uid                  Etch Stable Release Key <debian-release@lists.debian.org>

    pub   1024D/B5EF9702 2006-08-02 [expires: 2007-10-26]
    uid                  Federico Grau (work key, fiscal 2005) <grauf@rfa.org>
    sub   4096g/6B5ED0F6 2006-08-02 [expires: 2007-10-26]
And which I use to sign the Release file:
    gpg --sign -ba -o dists/etch/Release.gpg dists/etch/Release



Unfortunately my symptoms are an "aptitude update" (or apt-get update)
fail...

    grauf:~# aptitude update
    Get:1 http://techweb.rfa.org etch Release.gpg [378B]
    Get:2 http://techweb.rfa.org etch Release.gpg [189B]
    Hit http://techweb.rfa.org etch Release
    Hit http://techweb.rfa.org etch Release
    Ign http://techweb.rfa.org etch/main Packages/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Packages/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Packages/DiffIndex
    Ign http://techweb.rfa.org etch/main Sources/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Sources/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Sources/DiffIndex
    Hit http://techweb.rfa.org etch/main Packages
    Hit http://techweb.rfa.org etch/non-free Packages
    Hit http://techweb.rfa.org etch/contrib Packages
    Hit http://techweb.rfa.org etch/main Sources
    Hit http://techweb.rfa.org etch/non-free Sources
    Hit http://techweb.rfa.org etch/contrib Sources
    Get:3 http://security.debian.org etch/updates Release.gpg [189B]
    Hit http://security.debian.org etch/updates Release
    Ign http://security.debian.org etch/updates/main Packages/DiffIndex
    Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
    Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
    Hit http://security.debian.org etch/updates/main Packages
    Hit http://security.debian.org etch/updates/contrib Packages
    Hit http://security.debian.org etch/updates/non-free Packages
    Fetched 3B in 0s (4B/s)
    Reading package lists... Done
    W: Couldn't stat source package list http://techweb.rfa.org etch/main
    Packages
    (/var/lib/apt/lists/techweb.rfa.org_debrfa_dists_etch_main_binary-i386_Packages)
    - stat (2 No such file or directory)
    W: You may want to run apt-get update to correct these problems

    grauf:~# apt-get update
    Get:1 http://techweb.rfa.org etch Release.gpg [378B]
    Get:2 http://techweb.rfa.org etch Release.gpg [189B]
    Hit http://techweb.rfa.org etch Release
    Hit http://techweb.rfa.org etch Release
    Ign http://techweb.rfa.org etch/main Packages/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Packages/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Packages/DiffIndex
    Ign http://techweb.rfa.org etch/main Sources/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Sources/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Sources/DiffIndex
    Hit http://techweb.rfa.org etch/main Packages
    Hit http://techweb.rfa.org etch/non-free Packages
    Hit http://techweb.rfa.org etch/contrib Packages
    Hit http://techweb.rfa.org etch/main Sources
    Hit http://techweb.rfa.org etch/non-free Sources
    Hit http://techweb.rfa.org etch/contrib Sources
    Get:3 http://security.debian.org etch/updates Release.gpg [189B]
    Hit http://security.debian.org etch/updates Release
    Ign http://security.debian.org etch/updates/main Packages/DiffIndex
    Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
    Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
    Hit http://security.debian.org etch/updates/main Packages
    Hit http://security.debian.org etch/updates/contrib Packages
    Hit http://security.debian.org etch/updates/non-free Packages
    Fetched 3B in 0s (4B/s)
    Failed to fetch http://techweb.rfa.org/debrfa/dists/etch/Release  Unable
    to find expected entry  main/binary-i386/Packages in Meta-index file
    (malformed Release file?)
    Reading package lists... Done
    W: Couldn't stat source package list http://techweb.rfa.org etch/main
    Packages
    (/var/lib/apt/lists/techweb.rfa.org_debrfa_dists_etch_main_binary-i386_Packages)
    - stat (2 No such file or directory)
    W: You may want to run apt-get update to correct these problems
    E: Some index files failed to download, they have been ignored, or old
    ones used instead.


If I remove the configuration options from "apt-ftparchive", I instead get the
following error when trying aptitude update:

    grauf:~# aptitude update
    Get:1 http://techweb.rfa.org etch Release.gpg [378B]
    Get:2 http://techweb.rfa.org etch Release.gpg [189B]
    Hit http://techweb.rfa.org etch Release
    Get:3 http://techweb.rfa.org etch Release [1100B]
    Ign http://techweb.rfa.org etch/main Packages/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Packages/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Packages/DiffIndex
    Ign http://techweb.rfa.org etch/main Sources/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Sources/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Sources/DiffIndex
    Hit http://techweb.rfa.org etch/main Packages
    Hit http://techweb.rfa.org etch/non-free Packages
    Hit http://techweb.rfa.org etch/contrib Packages
    Hit http://techweb.rfa.org etch/main Sources
    Hit http://techweb.rfa.org etch/non-free Sources
    Hit http://techweb.rfa.org etch/contrib Sources
    Get:4 http://security.debian.org etch/updates Release.gpg [189B]
    Hit http://security.debian.org etch/updates Release
    Ign http://security.debian.org etch/updates/main Packages/DiffIndex
    Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
    Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
    Hit http://security.debian.org etch/updates/main Packages
    Hit http://security.debian.org etch/updates/contrib Packages
    Hit http://security.debian.org etch/updates/non-free Packages
    Fetched 1291B in 0s (1788B/s)
    Reading package lists... Done
    W: Conflicting distribution: http://techweb.rfa.org etch Release (expected
    etch but got )
    W: Couldn't stat source package list http://techweb.rfa.org etch/main
    Packages
    (/var/lib/apt/lists/techweb.rfa.org_debrfa_dists_etch_main_binary-i386_Packages)
    - stat (2 No such file or directory)
    W: You may want to run apt-get update to correct these problems

    grauf:~# apt-get update
    Get:1 http://techweb.rfa.org etch Release.gpg [378B]
    Get:2 http://techweb.rfa.org etch Release.gpg [189B]
    Hit http://techweb.rfa.org etch Release
    Hit http://techweb.rfa.org etch Release
    Ign http://techweb.rfa.org etch/main Packages/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Packages/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Packages/DiffIndex
    Ign http://techweb.rfa.org etch/main Sources/DiffIndex
    Ign http://techweb.rfa.org etch/non-free Sources/DiffIndex
    Ign http://techweb.rfa.org etch/contrib Sources/DiffIndex
    Hit http://techweb.rfa.org etch/main Packages
    Hit http://techweb.rfa.org etch/non-free Packages
    Hit http://techweb.rfa.org etch/contrib Packages
    Hit http://techweb.rfa.org etch/main Sources
    Hit http://techweb.rfa.org etch/non-free Sources
    Hit http://techweb.rfa.org etch/contrib Sources
    Get:3 http://security.debian.org etch/updates Release.gpg [189B]
    Hit http://security.debian.org etch/updates Release
    Ign http://security.debian.org etch/updates/main Packages/DiffIndex
    Ign http://security.debian.org etch/updates/contrib Packages/DiffIndex
    Ign http://security.debian.org etch/updates/non-free Packages/DiffIndex
    Hit http://security.debian.org etch/updates/main Packages
    Hit http://security.debian.org etch/updates/contrib Packages
    Hit http://security.debian.org etch/updates/non-free Packages
    Fetched 3B in 0s (4B/s)
    Failed to fetch http://techweb.rfa.org/debrfa/dists/etch/Release  Unable
    to find expected entry  main/binary-i386/Packages in Meta-index file
    (malformed Release file?)
    Reading package lists... Done
    W: Conflicting distribution: http://techweb.rfa.org etch Release (expected
    etch but got )
    W: Couldn't stat source package list http://techweb.rfa.org etch/main
    Packages
    (/var/lib/apt/lists/techweb.rfa.org_debrfa_dists_etch_main_binary-i386_Packages)
    - stat (2 No such file or directory)
    W: You may want to run apt-get update to correct these problems
    E: Some index files failed to download, they have been ignored, or old
    ones used instead.


My question is, "where am I going wrong"?  Is there something missing with my
Release file, and if so how can I correct it?


respectfully thanks,
donfede

-- 
Federico Grau
Free Software Developer and Sysadmin
Radio Free Asia
2025 M Street, NW
Suite 300
Washington, DC  20036
202-587-2046  Telephone
202-721-7468  Facsimile
CONFIDENTIAL COMMUNICATION
This e-mail message is intended only for the use of the addressee and may
contain information that is privileged and confidential.  Any unauthorized
dissemination, distribution, or copying is strictly prohibited.  If you
receive this transmission in error, please contact network@rfa.org.
Reply to:
Prev by Date: FW: Do Fianncial Operations With Our Help
Next by Date: Not sure about the logic in apt-cache's DisplayRecord
Previous by thread: FW: Do Fianncial Operations With Our Help
Next by thread: Not sure about the logic in apt-cache's DisplayRecord
Index(es):
- Date
- Thread