• Start
• Documentation
  • PostgreSQL
  • mnoGoSearch
  • Apache 2.4
  • FreeBSD handbook
  • FreeBSD Manual
  • FreeBSD Source
• Tools
• Search
• Protected Area

plain

FreeBSD manual

keyword 1 2 3 4 5 6 7 8 9 n l

download PDF document: pkg-repo.8.pdf

PKG-REPO(8) FreeBSD System Manager's Manual PKG-REPO(8)
NAME pkg repo - create a package repository catalogue
SYNOPSIS pkg repo [-lq] [-m meta-file] [-o output-dir] <repo-path> [signer-type:<keyfile> | signing_command: <the command>]
pkg repo [--{list-files,quiet}] [--meta-file meta-file] [--output-dir output-dir] <repo-path> [signer-type:<keyfile> | signing_command: <the command>]
DESCRIPTION pkg repo is used to create a catalogue of the available packages in a repository. pkg repo catalogues are necessary for sharing your package repository, and are intrinsic to the operation of pkg install or pkg upgrade.
The repository files created by pkg repo consist of a number of compressed tar archives stored typically at the top level of the repository filesystem. Of these, meta.txz must exist at the apex of the repository filesystem. This is a well-known name that is hard-wired into pkg(8).
meta.txz contains at least one file: meta which contains a key to the location and format of the other files comprising the catalogue information. Other files may have arbitrary names as defined in meta, but conventionally the following names are used.
digests.txz contains digests which lists the cryptographic checksums for each of the packages in the repository. This is downloaded when SIGNATURE_TYPE is set to FINGERPRINTS in the repository configuration.
filesite.txz contains filesite.yaml which is a database of all of the files present in all of the packages in the repository, containing filenames, file sizes and checksums as described in pkg-repository(5). Generating filesite.txz involves significant additional system resources and is not usually done.
packagesite.txz similarly contains at least one file packagesite.yaml, which lists selected metadata for each of the packages in the repository as described in pkg-repository(5). This is the key file containing the working data used by pkg(8) and includes the run-time dependencies for each package, plus shared library dependencies and similar data that are used by pkg(8) to solve package dependency problems.
In addition to the files already mentioned, the .txz archives may also contain cryptographic signatures. These will be produced when the internal signature mechanism of pkg repo is enabled.
Repository users download these files to their local machines, where they are processed into per-repository sqlite databases for fast lookup of available packages by programs such as pkg-install(8).
To create a package repository catalogue, specify the top-level directory beneath which all the packages are stored as repo-path. pkg repo will
Optionally, the repository catalogue may be cryptographically signed. This is enabled either by specifying the path to a private key as the keyfile argument or by using an external command. When a keyfile is being used, it may be prefixed by the signer type. Currently, this may be one of rsa, ecdsa, or eddsa. ecc is also accepted as an alias of eddsa. Keys for the rsa and ecdsa signers may be generated by OpenSSL or by pkg-key(8). Keys for the "eddsa" signer may only be generated by pkg-key(8).
If the key is used, a hash of the repository is signed using the provided key. The rsa signer will sign the SHA256 hash of the repository, while the ecdsa and eddsa signers will sign the BLAKE2 hash of the repository. The signature is added into the repository catalogue. The client side should use SIGNATURE_TYPE set to PUBKEY and PUBKEY set to a local path of the public key in its repository configuration file.
An external command can be useful to create a signing server to keep the private key separate from the repository. The external command is passed the SHA256 of the repository catalogue on its stdin. It should output the following format:
TYPE signer type here (rsa, ecdsa, eddsa) SIGNATURE signature data here CERT public key data here END
The TYPE field is optional if using rsa, to remain compatible with external signing commands historically in use. Note that the SIGNATURE field's data will may require an extra newline after it if the signature is output in a binary format. The CERT field may contain binary data, but pkg(8) will search the tail of it for the missing END if it runs together.
When using an external command, the client's pkg.conf must have SIGNATURE_TYPE set to FINGERPRINTS and FINGERPRINTS set to a directory having a trusted/myrepo containing a fingerprint style representation of the public key:
function: sha256 fingerprint: \"sha256_representation_of_the_public_key\"
See the EXAMPLES section and pkg.conf(5) for more information.
Signing the catalogue is strongly recommended.
OPTIONS The following options are supported by pkg repo:
-l, --list-files Generate list of all files in repo as filesite.txz archive.
-m meta-file, --meta-file meta-file Use the specified file as repository meta file instead of the default settings.
FILES See pkg.conf(5).
ENVIRONMENT PKG_REPO_HASH When set, rename packages with the short hash of contents appended to the filename.
PKG_REPO_SYMLINK When set, create a symlink between the short hash filename and the regular filename.
SEE ALSO pkg_create(3), pkg_printf(3), pkg_repos(3), pkg-keywords(5), pkg-lua-script(5), pkg-repository(5), pkg-script(5), pkg-triggers(5), pkg.conf(5), pkg(8), pkg-add(8), pkg-alias(8), pkg-annotate(8), pkg-audit(8), pkg-autoremove(8), pkg-check(8), pkg-clean(8), pkg-config(8), pkg-create(8), pkg-delete(8), pkg-fetch(8), pkg-info(8), pkg-install(8), pkg-lock(8), pkg-query(8), pkg-register(8), pkg-rquery(8), pkg-search(8), pkg-set(8), pkg-shell(8), pkg-shlib(8), pkg-ssh(8), pkg-stats(8), pkg-triggers(8), pkg-update(8), pkg-updating(8), pkg-upgrade(8), pkg-version(8), pkg-which(8)
EXAMPLES Create an RSA key pair:
% openssl genrsa -out repo.key 2048 % chmod 0400 repo.key % openssl rsa -in repo.key -out repo.pub -pubout
Create a repository and sign it with a local RSA key. The public key would be shared on all client servers with SIGNATURE_TYPE set to PUBKEY and its path set via PUBKEY setting in the repository configuration file:
pkg repo /usr/ports/packages repo.key
Create a repository and sign it with an external command. The client should set, via the repository configuration file, SIGNATURE_TYPE to FINGERPRINTS and FINGERPRINTS to a path containing a file with the SHA256 of the public key:
# On signing server: % cat > sign.sh << EOF #!/bin/sh read -t 2 sum [ -z "$sum" ] && exit 1 echo SIGNATURE echo -n $sum | /usr/bin/openssl dgst -sign repo.key -sha256 -binary echo echo CERT cat repo.pub echo END EOF
# On package server: % pkg repo /usr/ports/packages signing_command: ssh signing-server sign.sh # Generate fingerprint for sharing with clients % sh -c '( echo "function: sha256"; echo "fingerprint: \"$(sha256 -q repo.pub)\""; ) > fingerprint' # The 'fingerprint' file should be distributed to all clients.
# On clients with FINGERPRINTS: /usr/local/etc/pkg/fingerprints/myrepo: % openssl ecparam -genkey -name secp256k1 -out repo.key -outform DER % chmod 0400 repo.key % openssl ec -in repo.key -out repo.pub -pubout -outform DER
Prefixing the later repo.key reference with "ecdsa":
pkg repo /usr/ports/packages ecdsa:repo.key
The signing server example can be used mostly as-is, but with the following text placed before the SIGNATURE section in the signing server output:
TYPE ecdsa
For EdDSA instead, create an EdDSA key pair:
% pkg key --create -t eddsa repo.key > repo.pub
Create a repository and sign it with a local key. As with the RSA example above, the public key would be shared on all client servers with SIGNATURE_TYPE set to PUBKEY and its path set via the PUBKEY option in the repository configuration file:
pkg repo /usr/ports/packages eddsa:repo.key
A signing server for EdDSA could be constructed with the pkg-key(8) --sign option.
FreeBSD 14.2-RELEASE January 17, 2021 FreeBSD 14.2-RELEASE