Create and Manage a GPG Authenticated APT Repository

2016.02.09 | Yuki Rea

This tutorial demonstrates how to easily create and manage an APT repository which uses GPG authentication. This is Debian/Ubuntu specific but can be easily adapted for other Linux distributions. The repository can then be published by setting up an HTTP server or by syncing it to Amazon S3, Sourceforge, and other hosting services.

I used the following page from the Debian Wiki for reference; you may find it helpful if you intend to set up an Apache web server for your repository.
Debian Repository - Setup With Reprepro

[A1] Installing Necessary Utilities

Utilities that will be used for creating and managing repositories include:

  1. gnupg
  2. reprepro

Install them using the following command:

sudo apt-get install gnupg reprepro

[A2] Creating a New GPG Authentication Key

Run the following command to create a new GPG key. Follow the instructions and choose your desired settings. Take note of the username, email and password you choose; you will need them later.

sudo gpg --gen-key

[A3] Export Secret GPG Key.

Save this in a safe place, preferably in more than one location. If it is lost, you will no longer be able to manage your repository. Replace the [highlighted] text with your options.

sudo gpg --export-secret-key -a "[username]" > [desired directory to save key]/secret.key.gpg

[A4] Create Repository Directory Tree 1/2

  1. Create a directory you wish to be the root of the repository.
  2. Create a new directory named "conf" inside the root directory of the repo you just created.

[A5] Export Public GPG Key to Repository.

Export the public GPG key to your repository so users will be able to download and install it. You should make this easy to install, either with a download link or a "wget + apt-key add" command. Users of your repository will need this key to install packages with authentication. You can still force packages to install without the GPG authentication key, but I do not recommend this.

sudo gpg --armor --export [username] [email address] >> [path to root of repo]/key/[name your key].deb.key.gpg

[A6] Create the "Distributions" File

  1. Inside the "conf" directory, create a new blank file, name it "distributions" and open it with the text editor of your choice.
  2. Now you will set the dist options for your repository. Below is an example of how to format a distributions file for a repository that contains packages for 2 distributions. Replace the text after each ':' with your desired options. Exclude the text after each '#' from the distributions file, as these are just comments. Keep the blank line between the two distribution entries.
  3. Save and close the file.

Origin: your alias or project name
Label: project name
Suite: stable
Codename: distro1 # example, "Trusty" for Ubuntu 14.04 Trusty Tahr
Version: version number of distro1 # example, "14.04" for Ubuntu 14.04 Trusty Tahr
Architectures: i386 amd64 # may vary depending on platform, for example "iphoneos-arm"
Components: main
Description: description of repo or project
SignWith: yes

Origin: your alias or project name
Label: project name
Suite: stable
Codename: distro2 # example, "Wily" for Ubuntu 15.10 Wily Werewolf
Version: version number of distro2 # example, "15.10" for Ubuntu 15.10 Wily Werewolf
Architectures: i386 amd64 # may vary depending on platform, for example "iphoneos-arm"
Components: main
Description: description of repo or project
SignWith: yes

You can download the "distributions" file I made for my ShionOS repository for reference using the link below:

ShionOS Repository Distributions File
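
A pre-flight check for the distributions file described in this section, added here as an example (it is not part of the original tutorial or of reprepro). The function name check_distributions and the list of required fields are assumptions taken from the sample file above; it flags entries that lack SignWith, entries that have run together without a blank line, and "#" notes copied into values.

```shell
#!/bin/sh
# Added example: lint a reprepro conf/distributions file before "reprepro export".
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Assumption: the required-field list mirrors the tutorial's sample file.
check_distributions() {
    awk '
    BEGIN { bad = 0 }
    function report(msg) { print msg; bad = 1 }
    function close_stanza(   i, n, req) {
        if (!fields) return
        n = split("codename architectures components signwith", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) report("stanza " stanza ": missing " req[i])
        split("", seen)                   # portable way to empty the array
        fields = 0; merged = 0
    }
    /^[ \t]*$/ { close_stanza(); next }   # a blank line ends a stanza
    /^#/       { next }                   # whole-line comment, skipped
    /^[ \t]/   { next }                   # continuation of the previous field
    {
        if (!fields) stanza++
        fields++
        name = tolower($0); sub(/:.*/, "", name)
        value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        # Two stanzas with no blank line between them parse as one.
        if ((name in seen) && !merged) {
            report("line " NR ": " name " repeated, blank line between stanzas missing?")
            merged = 1
        }
        seen[name] = 1
        # The tutorial annotates values with "# ..." notes that must not be copied.
        if (value ~ /^#/ || value ~ /[ \t]#/)
            report("line " NR ": comment left after " name " value")
        if (name == "codename") {
            if (value in codenames) report("line " NR ": duplicate codename " value)
            codenames[value] = 1
        }
    }
    END { close_stanza(); exit bad }
    ' "$1"
}

# Run directly as: sh check_distributions.sh conf/distributions
if [ "$#" -gt 0 ]; then check_distributions "$1"; fi
```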

[A7] Create Repository Directory Tree 2/2

Now you need to use reprepro to generate the rest of the directory tree based on the distributions file you just created. To do this, run the following command.

sudo reprepro --ask-passphrase -Vb [path to root of repo] export

[A8] Adding Packages

To add a package to your repository, use the following commands.

cd [path to root of repo]
sudo reprepro --ask-passphrase -Vb . includedeb [dist codename] [path to package]/[package filename].deb

[A9] Removing Packages

Before updating or replacing a package, it will first need to be removed from the repository. You can do this with the following command.

sudo reprepro --ask-passphrase -Vb [path to root of repo] remove [dist codename] [package name]

[B1] Install Public GPG key

Users of the repository will need to do this in order to successfully authenticate packages.

sudo apt-key add [path to public key]/[public key filename]

[B2] Install Secret GPG key

The secret GPG key will need to be installed on any system you wish to manage your APT repository from.

sudo gpg --import [path to key]/[key filename]