Package building and signing
I am building packages using makepkg for the Raspberry Pi 4 platform.
I changed the CFLAGS, adding -march=armv8-a -mtune=cortex-a72 (makepkg.conf).

I started to build all the packages that make up the "Building in a clean chroot", following the building in a clean chroot on the wiki. All went well. I will then build all the "base" packages, followed by all the packages I use on a "desktop" system.

I would now like to make a custom repository for those packages and then have pacman install from there, eventually to remove the core, extra, etc. repositories.

I know how to create the custom repository (from the various wiki docs) using repo-add. I have an nginx web server on a remote Raspberry Pi and it will serve those packages.

From /etc/pacman.conf:

    [custom]
    SigLevel = Optional TrustAll
    Server = http://www.home.arpa/Repository

So my questions are as follows:

1. How to get pacman to pull the packages from the custom repository first
2. I would like to sign the packages in the custom repository.

I have looked at some of the information regarding signing packages (maybe missing some of them). It was totally confusing. I need guidance in the form of Step 1, Step 2, etc.

Are there such docs in existence?

-- It is not easy being me
Hi,

On 5/3/25 15:35, Pocket wrote:
> from /etc/pacman.conf
> [custom]
> SigLevel = Optional TrustAll
> Server = http://www.home.arpa/Repository
>
> So my questions are as follows
> 1. How to get pacman to pull the packages from the custom repository first

pacman processes repos in the order they are listed in pacman.conf. If you put your own repo above [core], it will be used before [core] and the other repos.

[custom] is a bit too generic; you should use a different name for the repo.

Sorry, can't help with your 2nd question.

LW
Pocket <pocket@columbus.rr.com> wrote:
> 2. I would like to sign the packages in the custom repository.
> I have looked at some of the information regarding signing packages (maybe missing some of them). It was totally confusing. I need guidance in the form of Step 1, Step 2, etc.
> Are there such docs in existence?

It could be that https://wiki.archlinux.org/title/Pacman/Package_signing#Adding_unofficial_ke... is what you are looking for.

-- u34
Sent from my iPhone
On May 4, 2025, at 9:21 AM, u34@net9.cf wrote:
> It could be that https://wiki.archlinux.org/title/Pacman/Package_signing#Adding_unofficial_ke... is what you are looking for.

I tried that and I either messed it up or I didn't understand it, as it failed to work. Pacman rejected it, and when I tried to sign the package using repo-add it failed as well.

I am looking for a doc that shows the complete steps, i.e.:
Create a key
Add it to the Pacman keyring
Then the rest of the steps

I.e., which key do I add to the keyring, public or secret?

I need a little hand-holding on this one.
Pocket <pocket@columbus.rr.com> wrote:
> I tried that and I either messed it up or I didn't understand it, as it failed to work. Pacman rejected it, and when I tried to sign the package using repo-add it failed as well.
> I am looking for a doc that shows the complete steps, i.e.: Create a key, Add it to the Pacman keyring, Then the rest of the steps
> I.e., which key do I add to the keyring, public or secret?
> I need a little hand-holding on this one.

Other than asking if you are able to install an unsigned package you built yourself with pacman -U path/to/such/a/package, I cannot help you in the details. I do believe that using the script command to have a log of the shortest session you can make to demonstrate the 1st error message you got can help both you and others find out the failure.

The previous message in this thread seems to me rather detailed. But again, having a log of the commands and their output can help if something fails. You can also try asking in the forum. Again, I do believe logs are helpful.

-- u34
Sent from my iPhone
On May 4, 2025, at 11:50 AM, u34@net9.cf wrote:
> Other than asking if you are able to install an unsigned package you built yourself with pacman -U path/to/such/a/package, I cannot help you in the details. I do believe that using the script command to have a log of the shortest session you can make to demonstrate the 1st error message you got can help both you and others find out the failure. The previous message in this thread seems to me rather detailed. But again, having a log of the commands and their output can help if something fails. You can also try asking in the forum. Again, I do believe logs are helpful.

Here are the steps:

    gpg --full-gen-key
    gpg --export --armor --output public-key.asc pocket
    gpg --export-secret-keys --armor --output private-key.asc pocket

The key id is pocket.

For each key/attempt I imported each key into pacman-key and signed with

    pacman-key --lsign pocket

Then I tried this:

    repo-add --sign --key pocket custom.db.tar.xz "file spec"

It failed with the error invalid key/doesn't know the key.

I tried it with the public key, then I removed it from the keychain and tried the private key. Both attempts failed.

I don't have the exact error message as I am not at the Raspberry Pi at the moment.
On 04.05.25 at 19:13, Pocket wrote:
> gpg --full-gen-key
> gpg --export --armor --output public-key.asc pocket
> gpg --export-secret-keys --armor --output private-key.asc pocket
> The key id is pocket.
> For each key/attempt I imported each key into pacman-key and signed with pacman-key --lsign pocket
> Then I tried this:
> repo-add --sign --key pocket custom.db.tar.xz "file spec"
>
> It failed with the error invalid key/doesn't know the key.

makepkg and repo-add need the key in the caller's keyring. They simply call gpg --detach-sign. Pacman's keyring is only for installing packages.

HTH & BR
On 5/6/25 6:17 AM, Markus Schaaf wrote:
> makepkg and repo-add need the key in the caller's keyring. They simply call gpg --detach-sign. Pacman's keyring is only for installing packages.
> HTH & BR

I am going to remake my gpg key and start over. I will want to use the keying in signing packages and installation.

My current project is to compile all the packages (optimizing them for -mcpu=cortex-a72) for all my systems, workstations and servers, for the rpi4 and rpi 5 desktop, using the PKGBUILD from archlinux, not archlinuxarm as I currently do. I am about 1/3 of the way done.

Still working at the package signing.......

Thanks

-- It is not easy being me
On Sat, 2025-05-03 at 09:35 -0400, Pocket wrote:
> So my questions are as follows
> 1.

Answered by pocket.

> 2. I would like to sign the packages in the custom repository.

I have built this into my package building / repo toolkit. While I have shared a lot of my tools in the AUR, I have not yet released these ones. At some point I probably will.

That said, the idea is each repository has its own repo database files. True for official repos as well as self-managed. They are the same.

For example, the repo database files are found in <repo>/os/x86_64/*db*, where the repo name is <repo> - be it "core", "core-testing" or "my-repo".

The relevant files, using core-testing as example (replace core-testing with whatever your repo name is that you want to sign):

    core-testing.db
    core-testing.db.tar.gz.old
    core-testing.db.sig
    core-testing.db.tar.gz.sig
    core-testing.db.tar.gz

The "old" ones are just previous ones from repo-add/repo-remove. Ignore those. You probably use zstd compression for your own repo (I do), so all ".gz" would be ".zst".

We have "core-testing.db", which is a symlink to core-testing.db.tar.gz, so ignore this as well.

The actual database file is core-testing.db.tar.gz and this is what must be signed - once it's signed, the signature file is core-testing.db.tar.gz.sig

You need to have a symlink for the sig too (just like for the database file):

    core-testing.db.sig (symlink) -> core-testing.db.tar.gz.sig

In a nutshell (adjust repo-name and compression extension as appropriate):

    (a) sign:    <repo-name>.db.tar.zst ==> <repo-name>.db.tar.zst.sig
    (b) symlink: ln -s <repo-name>.db.tar.zst.sig <repo-name>.db.sig

To sign the database file, use gpg (or sequoia sq if you prefer) with detached sig. Something like:

    gpg --detach-sign --no-armor -u <your-gpg-uid>

Hope that helps.

-- Gene
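
The steps discussed across this thread, collected as an added example that is not part of any poster's message: packages and the database are signed from the builder's own gpg keyring, only the public key goes into pacman's keyring on the installing machines, and a layout check confirms the .sig files and symlink described above are in place. The function names, the repo name "myrepo" and zstd compression are assumptions.

```bash
#!/usr/bin/env bash
# Added example: repo name, directory, key uid and file names are placeholders.

# Builder side (packaging user). Signing uses the secret key in that user's
# own gpg keyring; pacman's keyring plays no part here.
sign_repo() {                       # sign_repo <dir> <repo> <gpg-uid>
    local dir=$1 repo=$2 uid=$3 pkg db=$2.db.tar.zst
    for pkg in "$dir"/*.pkg.tar.zst; do
        [ -e "$pkg.sig" ] || gpg --detach-sign --no-armor -u "$uid" "$pkg"
    done
    repo-add "$dir/$db" "$dir"/*.pkg.tar.zst
    rm -f "$dir/$db.sig"            # signature of the previous database
    gpg --detach-sign --no-armor -u "$uid" "$dir/$db"
    ln -sf "$db.sig" "$dir/$repo.db.sig"
    # Publish the public half only; the secret key never leaves the builder.
    gpg --yes --export --armor --output "$dir/$repo-pubkey.asc" "$uid"
}

# Client side (root). pacman verifies with its own keyring, which receives
# the public key and a local signature marking it as trusted.
trust_repo_key() {                  # trust_repo_key <pubkey.asc> <key-id>
    pacman-key --add "$1" && pacman-key --lsign-key "$2"
}

# Layout audit before publishing: returns 0 only if the database and every
# package has a detached .sig and <repo>.db.sig points at the db signature.
check_repo_sigs() {                 # check_repo_sigs <dir> <repo>
    local dir=$1 repo=$2 db f bad=0
    db=$(readlink "$dir/$repo.db") || { echo "missing symlink: $repo.db"; return 1; }
    db=${db##*/}
    [ -f "$dir/$db.sig" ] || { echo "unsigned database: $db"; bad=1; }
    [ "$(readlink "$dir/$repo.db.sig")" = "$db.sig" ] ||
        { echo "missing or wrong symlink: $repo.db.sig"; bad=1; }
    for f in "$dir"/*.pkg.tar.*; do
        case $f in *.sig) continue ;; esac
        [ -e "$f" ] || continue
        [ -f "$f.sig" ] || { echo "unsigned package: ${f##*/}"; bad=1; }
    done
    return "$bad"
}

# Client /etc/pacman.conf, placed above [core] so this repo is searched first:
#   [myrepo]
#   SigLevel = Required
#   Server = http://www.home.arpa/Repository
```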
participants (5): Genes Lists, Lone_Wolf, Markus Schaaf, Pocket, u34@net9.cf