Dealing with personal repositories with debian
debian, gpg
Every so often I have to (or want to) create or update my own Debian package, and I can never quite remember the whole procedure, especially when it involves not only building the package but also creating the right folder structure so that `apt-get` can use it.
Earlier this week was no different: I was trying to re-sign ufw because my gpg key had expired.
This is basically a recipe for a bad experience, and the tools on Debian/Ubuntu seem to change every time. Last time I used apt-ftp and it worked fine (it created the whole folder structure for me), but this time it refused to work properly, so I ended up writing a Dockerfile to package things, in the hope of not having to figure it all out one more time in two years or so.
Side note on GPG
gpg now uses an agent that holds the secret key, so even when everything is set up `gpg -k` will not show the key; you still need to import the key manually (after exporting it, obviously). A quick way to check that everything is working is `echo "test" | gpg --clearsign`; if that succeeds, congratulations, gpg is working.
It also supports forwarding the agent connection over SSH, so if you do the builds on a different machine from the one holding your keys you can still sign without copying them over; just run something like `ssh -R /path/on/the/remote/S.gpg-agent:/path/on/the/local/machine/S.gpg-agent`.
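Since the whole exercise started with an expired key, here is a check worth running before any build: it parses the machine-readable output of `gpg --with-colons --list-secret-keys` and reports which secret keys are expired, expiring within a configurable number of days, or fine. This is an added example, not code from the original post: the record layout it relies on is gpg's real colon format (field 5 is the key id, field 7 the expiry as a Unix timestamp, empty when the key never expires), while the key ids, timestamps and reference date in the embedded sample are constructed.

```shell
#!/bin/sh
# key_status: classify the secret keys in `gpg --with-colons` output by expiry.
# Reads colon-separated key records on stdin.
# Usage: gpg --with-colons --list-secret-keys | key_status "$(date +%s)" [warn_days]
key_status() {
    now="$1"
    warn_days="${2:-30}"
    awk -F: -v now="$now" -v warn="$warn_days" '
        # sec = primary secret key, ssb = secret subkey (usually the one that signs)
        $1 == "sec" || $1 == "ssb" {
            keyid = $5
            expiry = $7                      # empty when the key never expires
            if (expiry == "")
                status = "never-expires"
            else if (expiry + 0 <= now + 0)
                status = "EXPIRED"
            else if (expiry + 0 <= now + warn * 86400)
                status = "expires-soon"
            else
                status = "ok"
            printf "%s %s %s\n", $1, keyid, status
        }'
}

# require_valid_key: same arguments as key_status, prints the report and exits
# non-zero if any key is already expired, so it can gate a build script:
#   gpg --with-colons --list-secret-keys | require_valid_key "$(date +%s)" || exit 1
require_valid_key() {
    report=$(key_status "$@")
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q ' EXPIRED$'
}

# Constructed sample records (not real keys): an expired primary key with its
# subkey, one expiring within a month of the reference date, one with no expiry.
SAMPLE='sec:e:4096:1:AAAAAAAAAAAAAAAA:1600000000:1700000000::u:::scESC:::+::::
ssb:e:4096:1:BBBBBBBBBBBBBBBB:1600000000:1700000000:::::e:::+::::
sec:u:4096:1:CCCCCCCCCCCCCCCC:1700000000:1736000000::u:::scESC:::+::::
sec:u:4096:1:DDDDDDDDDDDDDDDD:1700000000::::::scESC:::+::::'

# Constructed reference date (late December 2024) so the demo does not depend
# on the wall clock; pass "$(date +%s)" for real use.
printf '%s\n' "$SAMPLE" | key_status 1735000000
```

Because the secret key lives behind the forwarded agent socket, run this on the machine that holds the key (or inside the container once the socket is mounted); an empty report means gpg sees no secret key at all, which is the "agent but no imported key" situation described above.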
The dockerfile

```dockerfile
FROM debian:bookworm
# Add a deb-src entry (deb822 format) so that apt-get source can fetch ufw.
# With a BuildKit heredoc the body is fed to the command's stdin, so the
# command has to be cat: echo ignores stdin and would leave the file empty.
RUN cat >/etc/apt/sources.list.d/debian.src.sources <<EOF
Types: deb-src
# http://snapshot.debian.org/archive/debian/20241223T000000Z
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
RUN apt-get update && apt-get install dpkg-dev quilt vim apt-utils strace aptly python3-distutils -y
RUN apt-get build-dep ufw -y
RUN mkdir /build && cd /build && apt-get source ufw
COPY newchangelog /
COPY control /
COPY entrypoint.sh /
RUN chmod a+x entrypoint.sh
ENV VERSION=stable
ENV DISTRIBUTION=debian
CMD /entrypoint.sh
```
I have the following for Ubuntu:

```dockerfile
FROM ubuntu:noble
# One-line sources format still works alongside the deb822 file the image ships with
RUN echo "deb-src http://us.archive.ubuntu.com/ubuntu/ noble main restricted" >>/etc/apt/sources.list
RUN apt-get update && apt-get install dpkg-dev quilt vim apt-utils strace aptly -y
RUN apt-get build-dep ufw -y
RUN mkdir /build && cd /build && apt-get source ufw
COPY newchangelog /
COPY control /
COPY entrypoint.sh /
RUN chmod a+x entrypoint.sh
ENV VERSION=noble
ENV DISTRIBUTION=ubuntu
# Same entrypoint as the Debian image; DISTRIBUTION selects the source-only build
CMD /entrypoint.sh
```
This is mostly geared toward ufw; tweaking it for other packages should be straightforward.
I also have this entrypoint script:

```bash
#!/bin/bash
# simplify things when debugging
cat >/root/.bash_profile <<EOF
set -o vi
alias ls='ls --color'
EOF
# Only the public half of the signing key is imported; the secret key stays on
# the host and is reached through the forwarded gpg-agent socket.
gpg --import /exchange/public-key.asc
# Register any patches dropped in /exchange with quilt
cd /exchange
ls -1 *.patch >> /build/ufw-*/debian/patches/series
cp /exchange/*.patch /build/ufw-*/debian/patches
cd /build/ufw-*
# Create new changelog: the prepared entry goes on top of the existing one
cat debian/changelog >>/newchangelog
mv /newchangelog debian/changelog
# Name the orig tarball after the upstream version used in the new changelog entry
pushd ..
cp ufw_0.36.*.orig.tar.gz ufw_0.36.3.orig.tar.gz
popd
cp /control debian/control
# Actually create one source-only package, because that's what Ubuntu/PPA requires,
# and one with binaries for Debian
if [ "${DISTRIBUTION:-meh}" == "debian" ]; then
    DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage
else
    DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -S -sa
fi
if [ "${DISTRIBUTION:-meh}" == "debian" ]; then
    mkdir -p /exchange/debs
    mv ../ufw_0.36.3* /exchange/debs
    # Publishing with an explicit architecture list is what lets aptly cope with
    # a repo that only has the source package and _all (arch-independent) binaries
    aptly repo create -distribution=stable -component=main ufw-release
    aptly repo add ufw-release /exchange/debs
    aptly publish repo -architectures="amd64,source" ufw-release
    mkdir -p /exchange/repo
    cp -a /root/.aptly/public/* /exchange/repo
else
    # The target folder has to exist or mv fails
    mkdir -p "/exchange/debs-${DISTRIBUTION}"
    mv ../ufw_0.36.3* "/exchange/debs-${DISTRIBUTION}"
fi
```
Once more this is very much geared toward my needs for ufw, but a good chunk of it is reusable, for instance how to deal with aptly and make it work when you don't have real binaries (i.e. _all files).
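What `aptly publish` writes is a standard apt repository: under `dists/stable/` a `Release` file (and its signed `InRelease` form) records the SHA256 and size of every index file, and the indexes in turn record the hashes of the `.deb` files in `pool/`. apt verifies the `InRelease` signature against the key named in `Signed-By`, then walks that hash chain, so a tree whose indexes do not match its `Release` file is rejected on the client. The script below is an added example, not code from the original post nor an aptly feature: it re-checks the SHA256 section of a `Release` file against the files on disk, which is a cheap way to confirm that the copy in `/exchange/repo` is consistent before uploading it. The tiny repository it builds for the demonstration is constructed in a temporary directory.

```shell
#!/bin/sh
# check_release_sha256 <dists/<suite> dir>: verify that every file listed in the
# SHA256 section of Release matches the size and digest recorded there.
# Exit status: 0 all entries match, 1 a mismatch or missing file, 2 no Release.
check_release_sha256() {
    dir="$1"
    rel="$dir/Release"
    [ -f "$rel" ] || { echo "no Release file in $dir" >&2; return 2; }
    # The SHA256: section is the indented block after the header; it ends at the
    # next non-indented line (another header) or at end of file.
    awk '/^SHA256:/ { insha = 1; next }
         /^[^ ]/      { insha = 0 }
         insha && NF == 3 { print $1, $2, $3 }' "$rel" |
    {
        bad=0
        while read -r want_sum want_size path; do
            file="$dir/$path"
            if [ ! -f "$file" ]; then
                echo "MISSING  $path" >&2; bad=1; continue
            fi
            got_size=$(wc -c <"$file" | tr -d ' ')
            got_sum=$(sha256sum "$file" | cut -d' ' -f1)
            if [ "$got_size" != "$want_size" ] || [ "$got_sum" != "$want_sum" ]; then
                echo "MISMATCH $path" >&2; bad=1
            else
                echo "ok       $path"
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# make_demo_repo <dir>: build a minimal constructed dists/stable tree with one
# Packages index and a matching Release file, for demonstration only.
make_demo_repo() {
    dir="$1"
    mkdir -p "$dir/main/binary-amd64"
    pkgs="$dir/main/binary-amd64/Packages"
    printf 'Package: ufw\nVersion: 0.36.3-1\nArchitecture: all\n' >"$pkgs"
    size=$(wc -c <"$pkgs" | tr -d ' ')
    {
        printf 'Origin: example\nSuite: stable\nCodename: stable\n'
        printf 'Architectures: amd64\nComponents: main\n'
        # A second hash section, as real Release files have, to exercise the
        # section boundary handling above
        printf 'MD5Sum:\n %s %s main/binary-amd64/Packages\n' \
            "$(md5sum "$pkgs" | cut -d' ' -f1)" "$size"
        printf 'SHA256:\n %s %s main/binary-amd64/Packages\n' \
            "$(sha256sum "$pkgs" | cut -d' ' -f1)" "$size"
    } >"$dir/Release"
}

# Demonstration: a consistent tree passes, a modified index is caught.
demo=$(mktemp -d)
make_demo_repo "$demo/dists/stable"
check_release_sha256 "$demo/dists/stable"
printf 'Package: extra\n' >>"$demo/dists/stable/main/binary-amd64/Packages"
check_release_sha256 "$demo/dists/stable" || echo "index no longer matches Release"
rm -rf "$demo"
```

Against the tree produced by the entrypoint the call is `check_release_sha256 /exchange/repo/dists/stable`; the signature itself is checked the way apt does it, with `gpgv --keyring <exported public key in keyring form> /exchange/repo/dists/stable/InRelease`. Note that this only proves the repo is internally consistent and signed by your key; it says nothing about the package contents, which is why the secret key should never be in the container image.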
Finally I run the image with something like:

```shell
docker buildx build . -t debian:bookworm-custom && docker run -it -v /path_to_gpg/S.gpg-agent:/root/.gnupg/S.gpg-agent -v /root/exchange:/exchange debian:bookworm-custom
```
For good measure I also added building Ubuntu packages. At the end, in the exchange folder in the root user's home directory on my Docker VM, I have what I need:
- standalone packages for Debian in the debs folder
- standalone packages for Ubuntu in the debs-ubuntu folder
- a mini repo infrastructure for the Debian packages in repo
And that's all I need, because I don't run much Ubuntu on servers, and I upload my packages to my PPA, so I don't need my own web server serving them.