1 Introduction
Many enterprise intranets are not allowed to connect to the Internet, so the public package sources cannot be used. Copying packages back and forth for every installation is tedious, and the dependencies still have to be resolved by hand. It is therefore worth building a local (LAN) source: one host acts as the server that stores the deb packages, and the other hosts on the LAN download their packages from it.
When building a LAN source on Ubuntu 22, APT requires every software source to be digitally signed so that the integrity and security of the packages can be checked. For this purpose a GPG signature must be created for the local source.
2 System environment
System version | IP | Role
--- | --- | ---
Ubuntu 22.04.1 LTS | 192.168.20.125 | Client (ub-client)
Ubuntu 22.04.1 LTS | 192.168.20.128 | Package source server (ub-server)
6.2 Modify the host name on the server side and install the web service
(1) Modify the host name
root@ubuntn:~# hostnamectl --static set-hostname ub-server
(2) Install the software package that provides http service
If the software repository is to serve the other Ubuntu hosts on the intranet, a package that provides a network service is required. There are many options, such as ftp, nginx, apache, etc. Here the apache2 package is used to provide the web service. Install apache2 as follows:
root@ub-server:~# apt install -y apache2
After apache2 is installed on Ubuntu 22.04 the service starts automatically.
6.3 Generate GPG key
When building network sources in Ubuntu 22, APT requires all software sources to be digitally signed to ensure the integrity and security of software packages. Now let’s install the gnupg package and create GPG signatures for local sources.
root@ub-server:~# apt-get install gnupg rng-tools -y
gnupg provides the tools to generate the GPG key; rng-tools feeds the kernel entropy pool so that key generation does not stall waiting for randomness.
Generate GPG key
Generating the key requires a name, an email address and a passphrase. Run the command below and enter the information at the prompts.
root@ub-server:~# gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: repokey
Email address: [email protected]
Comment:
You selected this USER-ID:
    "repokey <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+------------------------------------------------------+
| Please enter the passphrase to                       |
| protect your new key                                 |
|                                                      |
| Passphrase: *_______________________________________ |
|                                                      |
|       <OK>                              <Cancel>     |
+------------------------------------------------------+
+--------------------------------------------------------------------+
| Warning: You have entered an insecure passphrase.                  |
|                                                                    |
| A passphrase should be at least 8 characters long.                 |
|                                                                    |
|   <Take this one anyway>                  <Enter new passphrase>   |
+--------------------------------------------------------------------+
+------------------------------------------------------+
| Please re-enter this passphrase                      |
|                                                      |
| Passphrase: *_______________________________________ |
|                                                      |
|       <OK>                              <Cancel>     |
+------------------------------------------------------+
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 315A8D4CFA13F1C8 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4BF7B898B3230B606DDA08C5315A8D4CFA13F1C8.rev'
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa3072 2023-06-19 [SC]
      0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
uid                      mykey <[email protected]>
root@ub-server:~#
List the keys:
root@ub-server:~# gpg --list-key
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2023-06-19 [SC]
      0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
uid           [ultimate] mykey <[email protected]>
root@ub-server:~#
6.4 Create the directory for the packages and prepare the packages
Because the default document root of the Apache site is /var/www/html/, the storage directory of the local repository is created directly under /var/www/html/ so that the Apache configuration file does not need to be changed.
Create the /var/www/html/repo directory and copy the deb packages prepared in advance into it:
root@ub-server:~# mkdir /var/www/html/repo
root@ub-server:~# cd /var/www/html/repo
root@ub-server:/var/www/html/repo#
The deb packages prepared in advance are as follows:
root@ub-server:/var/www/html/repo# ll
total 22380
drwxr-xr-x 2 root root     4096 Jun 18 13:53 ./
drwxr-xr-x 3 root root     4096 Jun 18 13:29 ../
-rw-r--r-- 1 root root 17530700 Apr 29  2021 ansible_2.10.7+merged+base+2.10.8+dfsg-1_all.deb
-rw-r--r-- 1 root root  1887104 Jun 12  2021 ieee-data_20210605.1_all.deb
-rw-r--r-- 1 root root    27236 Feb 28  2021 python3-argcomplete_1.8.1-1.5_all.deb
-rw-r--r-- 1 root root   123058 Dec 15  2021 python3-dnspython_2.1.0-1ubuntu1_all.deb
-rw-r--r-- 1 root root    21708 May 30  2020 python3-jmespath_0.10.0-1_all.deb
-rw-r--r-- 1 root root    23012 Mar 17  2022 python3-kerberos_1.1.14-3.1build5_amd64.deb
-rw-r--r-- 1 root root  1554184 Feb 11  2021 python3-libcloud_3.2.0-2_all.deb
-rw-r--r-- 1 root root    14576 Apr 27  2020 python3-lockfile_1%3a0.12.2-2.2_all.deb
-rw-r--r-- 1 root root   308658 Oct 18  2021 python3-netaddr_0.8.0-2_all.deb
-rw-r--r-- 1 root root    20384 May 14  2020 python3-ntlm-auth_1.4.0-1_all.deb
-rw-r--r-- 1 root root    30672 Nov 27  2021 python3-packaging_21.3-1_all.deb
-rw-r--r-- 1 root root  1026726 Mar 25  2022 python3-pycryptodome_3.11.0+dfsg1-3build1_amd64.deb
-rw-r--r-- 1 root root    11892 Oct 26  2019 python3-requests-kerberos_0.12.0-2_all.deb
-rw-r--r-- 1 root root     6160 Jan  2  2021 python3-requests-ntlm_1.1.0-1.1_all.deb
-rw-r--r-- 1 root root    37984 Dec 22  2020 python3-requests-toolbelt_0.9.1-1_all.deb
-rw-r--r-- 1 root root   158910 Mar 17  2022 python3-selinux_3.3-1build2_amd64.deb
-rw-r--r-- 1 root root    54722 Mar 17  2022 python3-simplejson_3.17.6-1build1_amd64.deb
-rw-r--r-- 1 root root    21660 May 13  2018 python3-winrm_0.3.0-2_all.deb
-rw-r--r-- 1 root root    12608 Apr 27  2020 python3-xmltodict_0.12.0-2_all.deb
root@ub-server:/var/www/html/repo#
6.5 Create the metadata files the local APT repository needs in the local source directory
The dpkg-dev package must be installed before package metadata can be created for the local APT repository.
root@ub-server:~# apt install -y dpkg-dev
Generate the Packages and Release files in the local source directory, and create the Packages.gz metadata for the local source.
root@ub-server:~# cd /var/www/html/repo/
root@ub-server:/var/www/html/repo# apt-ftparchive packages . > Packages
root@ub-server:/var/www/html/repo# apt-ftparchive release . > Release
root@ub-server:/var/www/html/repo# dpkg-scanpackages ./ | gzip -9c > Packages.gz
dpkg-scanpackages: info: Wrote 19 entries to output Packages file.
root@ub-server:/var/www/html/repo#
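What the Release file actually carries, and why signing it (section 6.6) is enough to protect Packages, as an added Python example that is not part of the original post: build_release writes the same header fields and size/digest table that `apt-ftparchive release .` produces for a flat repository such as /var/www/html/repo, and verify_index performs the check apt makes on a downloaded Packages once the Release signature has been verified. The Origin/Suite values are assumed, and the Packages content in demo() is constructed.

```python
import hashlib
import tempfile
from email.utils import formatdate
from pathlib import Path

# Digest sections apt-ftparchive emits, in the order apt expects them.
HASH_SECTIONS = (("MD5Sum", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256"))

def build_release(repo_dir, timestamp=None, origin="ub-server",
                  suite="jammy", arch="amd64"):
    """Return the text of a flat-repo Release file for repo_dir, with the
    same header fields and size/digest table `apt-ftparchive release .`
    writes. Only index files are listed; the .deb files are covered by
    the digests inside Packages."""
    repo = Path(repo_dir)
    indexes = sorted(p for p in repo.iterdir()
                     if p.is_file() and p.name.startswith("Packages"))
    lines = [f"Origin: {origin}", f"Suite: {suite}",
             f"Architectures: {arch}",
             f"Date: {formatdate(timestamp, usegmt=True)}"]
    for section, algo in HASH_SECTIONS:
        lines.append(f"{section}:")
        for p in indexes:
            data = p.read_bytes()
            digest = hashlib.new(algo, data).hexdigest()
            lines.append(f" {digest} {len(data):>16} {p.name}")
    return "\n".join(lines) + "\n"

def parse_release(text):
    """Map index filename -> (size, sha256) from the SHA256 section."""
    entries, in_sha256 = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.startswith("SHA256:")
            continue
        if in_sha256:
            digest, size, name = line.split()
            entries[name] = (int(size), digest)
    return entries

def verify_index(release_text, repo_dir, name="Packages"):
    """The check apt makes once the Release signature is good: the index
    it downloaded must match the size and SHA256 recorded in Release."""
    size, digest = parse_release(release_text)[name]
    data = (Path(repo_dir) / name).read_bytes()
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def demo():
    """Constructed flat repo in a temp dir: verification passes for the
    index Release was built from and fails once that index is replaced."""
    repo = Path(tempfile.mkdtemp())
    (repo / "Packages").write_text("Package: ansible\nVersion: 2.10.7\n\n")
    release = build_release(repo, timestamp=1687132800)
    ok_before = verify_index(release, repo)
    # Simulate a swapped index on the mirror; Release still names the old one.
    (repo / "Packages").write_text("Package: ansible\nVersion: 9.9.9\n\n")
    return ok_before, verify_index(release, repo)
```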
6.6 Export the public key and add it with the apt-key command
The apt-key command manages the package-signing keys of a Debian-based system. Every released Debian package is authenticated through a key, and apt-key is the tool for managing those keys.
(1) Because the key generated by GPG needs to be exported, first list the keys:
root@ub-server:~# gpg --list-key
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2023-06-19 [SC]
      0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
uid           [ultimate] mykey <[email protected]>
root@ub-server:~#
(2) Export the public key and add it with the apt-key command:
root@ub-server:~# cd /var/www/html/repo/
root@ub-server:/var/www/html/repo# gpg -a --export 0AC2A21EFD3745B7BB27ADB92C816822A0805CCE | apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
root@ub-server:/var/www/html/repo#
6.6 Configure the digital signature
When Ubuntu apt reads a package index it first looks for an InRelease file and only then falls back to Release plus Release.gpg. In this case it is in fact enough to create only the InRelease file (the Release file with a clear-text signature):
Configure the digital signature for the local source:
root@ub-server:/var/www/html/repo# gpg --clearsign -o InRelease Release
A passphrase is requested here; enter the one chosen when the GPG key was generated:
root@ub-server:/var/www/html/repo# gpg -abs -o Release.gpg Release
root@ub-server:/var/www/html/repo#
6.7 Export the keys
6.7.1 Export the public key
Usage: gpg -a -o public-file.key --export keyId   # export the public key keyId to the file public-file.key
Options:
-a is short for --armor: output the key in ASCII form (the default is binary);
-o is short for --output: the file to write to;
root@ub-server:~# gpg -a -o public-file.key --export 0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
The exported public key must be imported on the other intranet hosts so that apt-get can use it.
6.7.2 Export the private key
Usage:
gpg -a -o private-file.key --export-secret-keys keyId   # export the private key keyId to the file private-file.key; the key passphrase must be entered during the export
Exporting the private key requires the passphrase that protects it. Clients only need the public key; the exported private key is a backup for the signing server and must not be placed under /var/www/html, where Apache would serve it.
root@ub-server:~# gpg -a -o private-file.key --export-secret-keys 0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
6.8 Configure the other intranet hosts to use the source provided by the server
First back up the APT source file /etc/apt/sources.list on the other intranet hosts, then modify the source. On the following host:
root@ub-client:~# cp -p /etc/apt/sources.list /etc/apt/sources.list.new
root@ub-client:~# vi /etc/apt/sources.list
(1) Update the package sources:
root@ub-client:~# apt update
Ign:1 http://192.168.20.128/repo InRelease
Get:2 http://192.168.20.128/repo Release [1,204 B]
Get:3 http://192.168.20.128/repo Release.gpg [488 B]
Ign:3 http://192.168.20.128/repo Release.gpg
Reading package lists... Done
W: GPG error: http://192.168.20.128/repo Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64C5275D111B6254
E: The repository 'http://192.168.20.128/repo Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@ub-client:~#
The update fails here, reporting that the repository is not signed.
(2) The public key exported from the server must be imported on the other intranet hosts: copy the server's exported public key to those hosts, then import it.
Copy the public key exported on the server to the other intranet host:
root@ub-server:~# scp public-file.key [email protected]:/root
[email protected]'s password:
public-file.key                               100%  945   897.8KB/s   00:00
root@ub-server:~#
(3) Import the public key
root@ub-client:~# apt-key add public-file.key
Update the package sources again:
root@ubuntn:/var/www/html/repo# apt update
Ign:1 http://192.168.20.128/repo InRelease
Get:2 http://192.168.20.128/repo Release [816 B]
Get:3 http://192.168.20.128/repo Release.gpg [488 B]
Get:4 http://192.168.20.128/repo Packages [88.6 kB]
Fetched 89.9 kB in 0s (962 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://192.168.20.128/repo/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
root@ub-client:/var/www/html/repo#
There is a warning, but the source is usable.
To resolve this warning:
W: http://192.168.20.128/repo/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION
(1) Find the key of the source the warning refers to. Use the apt-key list command to list the contents of all keyrings, then find the fingerprint of that key by searching for the relevant keyword:
root@ub-client:/etc/apt/trusted.gpg.d# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa3072 2023-06-19 [SC]
      0AC2 A21E FD37 45B7 BB27  ADB9 2C81 6822 A080 5CCE
uid           [ unknown] mykey <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-----------------------------------------------
pub   rsa2048 2016-07-15 [SC]
      A184 8F53 52D0 22B9 471D  83D0 082A B56B A14F E591
uid           [ unknown] Zabbix LLC <[email protected]>
sub   rsa2048 2016-07-15 [E]

root@ub-client:/etc/apt/trusted.gpg.d#
(2) Export that key to the target directory. The export command only needs the last 8 hex digits of the fingerprint (here it is assumed that the key in the warning is A0805CCE). The exported file can be given any name, as long as it is saved under /etc/apt/trusted.gpg.d.
(3) Modify the configuration of the affected source so that it references the location of the key file. The source configuration file is under /etc/apt/:
root@ub-client:/etc/apt/trusted.gpg.d# cat /etc/apt/sources.list
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/ros.gpg] http://192.168.20.126/repo /
The problem is now solved; running apt update again no longer shows the warning:
root@ub-client:~# apt update
Ign:1 http://192.168.20.126/repo InRelease
Hit:2 http://192.168.20.126/repo Release
Hit:4 Zabbix Official Repository jammy InRelease
Hit:5 Zabbix Official Repository jammy InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@ub-client:~#
In addition, if the status of some key in the list is [expired], it can be removed with the following command:
$ sudo apt-key del A0805CCE
6.9 Test installing software:
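The conversion that step (2) above relies on, as an added Python example that is not the post's own code: the armored public-file.key exported in 6.7.1 is turned into the binary keyring apt reads from /etc/apt/trusted.gpg.d (the same transformation `gpg --dearmor` performs), with the RFC 4880 CRC-24 armor checksum verified so that a key file damaged on its way to the client is not installed, and the matching signed-by line is produced. The keyring name ros.gpg and the repository URL are taken from the page; the key bytes used in testing are constructed.

```python
import base64
from pathlib import Path

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 6.1): the checksum on the armor's '=' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Binary form of an armored public key (what `gpg --dearmor` writes).
    Rejects a block whose checksum does not match the decoded bytes, so a
    key file truncated or altered in transit is not installed."""
    lines = [l.rstrip() for l in armored.strip().splitlines()]
    if not lines or lines[0] != ARMOR_BEGIN:
        raise ValueError("not an armored PGP public key block")
    if "" not in lines:
        raise ValueError("missing blank line between armor headers and body")
    body, checksum = [], None
    for line in lines[lines.index("") + 1:]:
        if line == ARMOR_END:
            break
        if line.startswith("="):
            checksum = line[1:]
        else:
            body.append(line)
    raw = base64.b64decode("".join(body), validate=True)
    # gpg 2.2 always writes the checksum line; verify it whenever present.
    if checksum is not None and \
            int.from_bytes(base64.b64decode(checksum), "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch: key file corrupted")
    return raw

def armor(raw: bytes) -> str:
    """Inverse of dearmor, in the layout `gpg -a --export` uses."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return f"{ARMOR_BEGIN}\n\n{body}\n={crc}\n{ARMOR_END}\n"

def install_key(armored_path, keyring_path, repo_url, arch="amd64"):
    """Write the binary keyring and return the sources.list line that pins
    the repository to it, e.g. keyring /etc/apt/trusted.gpg.d/ros.gpg and
    URL http://192.168.20.128/repo from the page."""
    raw = dearmor(Path(armored_path).read_text())
    Path(keyring_path).write_bytes(raw)
    return f"deb [arch={arch} signed-by={keyring_path}] {repo_url} /"
```

install_key replaces the `apt-key add` step entirely, so the key never lands in the legacy /etc/apt/trusted.gpg keyring and the warning does not appear in the first place.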
root@ub-client:/var/www/html/repo# apt install -y ansible
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  ieee-data python3-argcomplete python3-dnspython python3-jmespath python3-kerberos python3-libcloud python3-lockfile
  python3-netaddr python3-ntlm-auth python3-packaging python3-pycryptodome python3-requests-kerberos python3-requests-ntlm
  python3-requests-toolbelt python3-selinux python3-simplejson python3-winrm python3-xmltodict
Suggested packages:
  cowsay sshpass python3-sniffio python3-trio python-lockfile-doc ipython3 python-netaddr-docs
The following NEW packages will be installed:
  ansible ieee-data python3-argcomplete python3-dnspython python3-jmespath python3-kerberos python3-libcloud python3-lockfile
  python3-netaddr python3-ntlm-auth python3-packaging python3-pycryptodome python3-requests-kerberos python3-requests-ntlm
  python3-requests-toolbelt python3-selinux python3-simplejson python3-winrm python3-xmltodict
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.9 MB of archives.
After this operation, 243 MB of additional disk space will be used.
Get:1 http://192.168.20.128/repo python3-packaging 21.3-1 [30.7 kB]
Get:2 http://192.168.20.128/repo python3-pycryptodome 3.11.0+dfsg1-3build1 [1,027 kB]
Get:3 http://192.168.20.128/repo python3-dnspython 2.1.0-1ubuntu1 [123 kB]
Get:4 http://192.168.20.128/repo ieee-data 20210605.1 [1,887 kB]
Get:5 http://192.168.20.128/repo python3-netaddr 0.8.0-2 [309 kB]
Get:6 http://192.168.20.128/repo ansible 2.10.7+merged+base+2.10.8+dfsg-1 [17.5 MB]
Get:7 http://192.168.20.128/repo python3-argcomplete 1.8.1-1.5 [27.2 kB]
Get:8 http://192.168.20.128/repo python3-jmespath 0.10.0-1 [21.7 kB]
Get:9 http://192.168.20.128/repo python3-kerberos 1.1.14-3.1build5 [23.0 kB]
Get:10 http://192.168.20.128/repo python3-lockfile 1:0.12.2-2.2 [14.6 kB]
Get:11 http://192.168.20.128/repo python3-simplejson 3.17.6-1build1 [54.7 kB]
Get:12 http://192.168.20.128/repo python3-libcloud 3.2.0-2 [1,554 kB]
Get:13 http://192.168.20.128/repo python3-ntlm-auth 1.4.0-1 [20.4 kB]
Get:14 http://192.168.20.128/repo python3-requests-kerberos 0.12.0-2 [11.9 kB]
Get:15 http://192.168.20.128/repo python3-requests-ntlm 1.1.0-1.1 [6,160 B]
Get:16 http://192.168.20.128/repo python3-requests-toolbelt 0.9.1-1 [38.0 kB]
Get:17 http://192.168.20.128/repo python3-selinux 3.3-1build2 [159 kB]
Get:18 http://192.168.20.128/repo python3-xmltodict 0.12.0-2 [12.6 kB]
Get:19 http://192.168.20.128/repo python3-winrm 0.3.0-2 [21.7 kB]
Fetched 22.9 MB in 0s (177 MB/s)
Selecting previously unselected package python3-packaging.
(Reading database ... 74588 files and directories currently installed.)
Preparing to unpack .../00-python3-packaging_21.3-1_all.deb ...
Unpacking python3-packaging (21.3-1) ...
Selecting previously unselected package python3-pycryptodome.
Preparing to unpack .../01-python3-pycryptodome_3.11.0+dfsg1-3build1_amd64.deb ...
Unpacking python3-pycryptodome (3.11.0+dfsg1-3build1) ...
Selecting previously unselected package python3-dnspython.
Preparing to unpack .../02-python3-dnspython_2.1.0-1ubuntu1_all.deb ...
Unpacking python3-dnspython (2.1.0-1ubuntu1) ...
Selecting previously unselected package ieee-data.
Preparing to unpack .../03-ieee-data_20210605.1_all.deb ...
Unpacking ieee-data (20210605.1) ...
Selecting previously unselected package python3-netaddr.
Preparing to unpack .../04-python3-netaddr_0.8.0-2_all.deb ...
Unpacking python3-netaddr (0.8.0-2) ...
Selecting previously unselected package ansible.
Preparing to unpack .../05-ansible_2.10.7+merged+base+2.10.8+dfsg-1_all.deb ...
Unpacking ansible (2.10.7+merged+base+2.10.8+dfsg-1) ...
Selecting previously unselected package python3-argcomplete.
Preparing to unpack .../06-python3-argcomplete_1.8.1-1.5_all.deb ...
Unpacking python3-argcomplete (1.8.1-1.5) ...
Selecting previously unselected package python3-jmespath.
Preparing to unpack .../07-python3-jmespath_0.10.0-1_all.deb ...
Unpacking python3-jmespath (0.10.0-1) ...
Selecting previously unselected package python3-kerberos.
Preparing to unpack .../08-python3-kerberos_1.1.14-3.1build5_amd64.deb ...
Unpacking python3-kerberos (1.1.14-3.1build5) ...
Selecting previously unselected package python3-lockfile.
Preparing to unpack .../09-python3-lockfile_1%3a0.12.2-2.2_all.deb ...
Unpacking python3-lockfile (1:0.12.2-2.2) ...
Selecting previously unselected package python3-simplejson.
Preparing to unpack .../10-python3-simplejson_3.17.6-1build1_amd64.deb ...
Unpacking python3-simplejson (3.17.6-1build1) ...
Selecting previously unselected package python3-libcloud.
Preparing to unpack .../11-python3-libcloud_3.2.0-2_all.deb ...
Unpacking python3-libcloud (3.2.0-2) ...
Selecting previously unselected package python3-ntlm-auth.
Preparing to unpack .../12-python3-ntlm-auth_1.4.0-1_all.deb ...
Unpacking python3-ntlm-auth (1.4.0-1) ...
Selecting previously unselected package python3-requests-kerberos.
Preparing to unpack .../13-python3-requests-kerberos_0.12.0-2_all.deb ...
Unpacking python3-requests-kerberos (0.12.0-2) ...
Selecting previously unselected package python3-requests-ntlm.
Preparing to unpack .../14-python3-requests-ntlm_1.1.0-1.1_all.deb ...
Unpacking python3-requests-ntlm (1.1.0-1.1) ...
Selecting previously unselected package python3-requests-toolbelt.
Preparing to unpack .../15-python3-requests-toolbelt_0.9.1-1_all.deb ...
Unpacking python3-requests-toolbelt (0.9.1-1) ...
Selecting previously unselected package python3-selinux.
Preparing to unpack .../16-python3-selinux_3.3-1build2_amd64.deb ...
Unpacking python3-selinux (3.3-1build2) ...
Selecting previously unselected package python3-xmltodict.
Preparing to unpack .../17-python3-xmltodict_0.12.0-2_all.deb ...
Unpacking python3-xmltodict (0.12.0-2) ...
Selecting previously unselected package python3-winrm.
Preparing to unpack .../18-python3-winrm_0.3.0-2_all.deb ...
Unpacking python3-winrm (0.3.0-2) ...
Setting up python3-lockfile (1:0.12.2-2.2) ...
Setting up python3-requests-toolbelt (0.9.1-1) ...
Setting up python3-ntlm-auth (1.4.0-1) ...
Setting up python3-pycryptodome (3.11.0+dfsg1-3build1) ...
Setting up python3-kerberos (1.1.14-3.1build5) ...
Setting up python3-simplejson (3.17.6-1build1) ...
Setting up python3-xmltodict (0.12.0-2) ...
Setting up python3-packaging (21.3-1) ...
Setting up python3-jmespath (0.10.0-1) ...
Setting up python3-requests-kerberos (0.12.0-2) ...
Setting up ieee-data (20210605.1) ...
Setting up python3-dnspython (2.1.0-1ubuntu1) ...
Setting up python3-selinux (3.3-1build2) ...
Setting up python3-argcomplete (1.8.1-1.5) ...
Setting up python3-requests-ntlm (1.1.0-1.1) ...
Setting up python3-libcloud (3.2.0-2) ...
Setting up python3-netaddr (0.8.0-2) ...
Setting up python3-winrm (0.3.0-2) ...
Setting up ansible (2.10.7+merged+base+2.10.8+dfsg-1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ub-client:/var/www/html/repo#
As the output shows, the packages are downloaded from the self-built server's source and installed from there.