A few items here assume zsh as the shell (glob qualifiers and expansion modifiers, `print -l`).
Required installation order:
Previously recorded:
gmp nettle gnutls npth libgpg-error libgcrypt libksba libassuan ( pinentry , gnupg )
Checking configure lines from past installs:
gmp -> nettle
nettle -> gnutls
gnutls -> gnupg
npth -> gnupg
libgpg-error -> libgcrypt libksba libassuan pinentry gnupg
libgcrypt -> gnupg
libksba -> gnupg
libassuan -> pinentry gnupg
pinentry -> gnupg
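# Fetch GnuPG's software-version database plus its detached signature and
# verify it. --fail makes curl exit non-zero on an HTTP error instead of saving
# the error page as swdb.lst. gpg --verify alone exits 0 for any good
# signature, even from an uncertified key, so the TRUST_* status line is what
# actually distinguishes the "[full]" result seen below from an unknown key.
curl --fail --remote-name-all https://versions.gnupg.org/swdb.lst https://versions.gnupg.org/swdb.lst.sig &&
gpg --status-fd 1 --verify swdb.lst.sig | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'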
gpg: assuming signed data in 'swdb.lst'
gpg: Signature made Wed Mar 1 13:34:47 2017 EST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
(but a clean script is still needed to audit those signature checks)
# Number of public keys in the local keyring; informs --enable-key-cache below.
gpg --fast-list-mode --with-colons --list-keys | awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
4953
(this count informs the --enable-key-cache= value used below)
# Build-time Debian packages needed by the source builds that follow.
build_deps=(
  debhelper dh-autoreconf file gettext
  libbz2-dev libcurl4-gnutls-dev libldap2-dev libreadline-dev libusb-dev libz-dev
  libsqlite3-dev libncurses5-dev lzip
)
apt-get install "${build_deps[@]}"
Installs here, March 2017
Several freshly downloaded for gnupg 2.1.19; a few unchanged from previous installs, previously verified.
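# Check every detached signature in the download directory and stop at the
# first one that is not both good and from a fully/ultimately valid key.
# gpg --verify exits 0 for any good signature, even when it warns that the
# key is uncertified, so the TRUST_* status line is what distinguishes the
# "[full]" results below from an "[unknown]" one; eyeballing the text is not
# a check a script can rely on.
for F in *.sig; do
  gpg --status-fd 1 --verify "$F" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' ||
    { printf 'signature check failed: %s\n' "$F" >&2; break; }
done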
gpg: assuming signed data in 'gmp-6.1.2.tar.xz'
gpg: Signature made Sun Dec 18 15:18:43 2016 EST
gpg: using RSA key 0xF3599FF828C67298
gpg: Good signature from "Niels Möller <[email protected]>" [full]
gpg: assuming signed data in 'gnupg-2.1.19.tar.bz2'
gpg: Signature made Wed Mar 1 12:48:44 2017 EST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: assuming signed data in 'gnutls-3.4.17.tar.xz'
gpg: Signature made Thu Dec 8 01:53:44 2016 EST
gpg: using RSA key 0x9D5EAAF69013B842
gpg: Good signature from "Nikos Mavrogiannopoulos <[email protected]>" [full]
gpg: aka "Nikos Mavrogiannopoulos <[email protected]>" [full]
gpg: aka "Nikos Mavrogiannopoulos <[email protected]>" [marginal]
gpg: assuming signed data in 'libgpg-error-1.27.tar.gz'
gpg: Signature made Tue Feb 28 09:18:01 2017 EST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: assuming signed data in 'nettle-3.3.tar.gz'
gpg: Signature made Sat Oct 1 03:33:57 2016 EDT
gpg: using RSA key 0xF3599FF828C67298
gpg: Good signature from "Niels Möller <[email protected]>" [full]
gpg: assuming signed data in 'npth-1.3.tar.bz2'
gpg: Signature made Tue Nov 22 05:16:41 2016 EST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: assuming signed data in 'pinentry-1.0.0.tar.bz2'
gpg: Signature made Tue Nov 22 03:07:57 2016 EST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: assuming signed data in 'swdb.lst'
gpg: Signature made Wed Mar 1 13:34:47 2017 EST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
root@workbench#
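# Fresh install root: keep the old tree aside and pre-create the layout the
# packages below install into. Chained with && so a failed mv or mkdir does
# not leave the following commands creating directories in the wrong place.
cd /opt &&
mv gnupg old.gnupg &&
mkdir -v gnupg && cd gnupg &&
mkdir -v bin include lib libexec sbin share share/info share/man share/man/man{1,3,7,8}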
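#######################################
# Stage the freshly built tree under a private DESTDIR for packaging.
# Globals:   d (written) - the staging directory; read by fpm_pt and by the
#            post-install fix-ups in the gnupg build below
# Arguments: none (run from the configured source directory)
# Outputs:   make install output on stdout/stderr
# Returns:   non-zero if mktemp or make install fails, so a caller chained
#            with && stops before packaging a half-staged tree
#######################################
tmp_install() {
  d="$(mktemp -dt pkgbuild.XXXXXXXXXX)" || return
  make install DESTDIR="$d" || return
  # marker file for the rbenv-gemset plugin: selects the gemset fpm was
  # installed into when fpm_pt runs "rbenv exec fpm" from this directory
  echo fpm > .rbenv-gemsets
}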
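#######################################
# Package the tree staged by tmp_install as a .deb via fpm.
# Globals:   d (read) - staging directory written by tmp_install
#            HOME (read) - output directory for the .deb
# Arguments: passed through to fpm (-n name, -v version, -d dependency, and
#            the path under $d to package, i.e. "opt")
# Outputs:   fpm output; the .deb lands in $HOME
# Returns:   1 if $d is not a directory (tmp_install not run), else fpm's status
#######################################
fpm_pt() {
  if [[ -z "$d" || ! -d "$d" ]]; then
    printf 'fpm_pt: $d is not a staging directory; run tmp_install first\n' >&2
    return 1
  fi
  # share/info/dir is excluded, presumably because every package's install
  # would otherwise ship the same index file and conflict — confirm
  rbenv exec fpm -s dir -t deb -m [email protected] \
    -p "$HOME/NAME_FULLVERSION_ARCH.EXTENSION" -C "$d" \
    -x opt/gnupg/share/info/dir \
    "$@"
}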
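# gmp: first in the chain (gmp -> nettle -> gnutls), no /opt dependencies.
# Chained with && so a failed extract or cd cannot run configure elsewhere.
tar xf tarballs/N/gmp-6.1.2.tar.xz &&
cd gmp-6.1.2 &&
./configure --prefix=/opt/gnupg &&
tmp_install &&
fpm_pt -n optaux_gmp -v 6.1.2-pdp1 opt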
root@workbench#
→ dpkg -i ~pdp/optaux-gmp_6.1.2-pdp1_amd64.deb
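# nettle: built against the /opt gmp (explicit lib/include paths) and declares
# optaux_gmp as a package dependency. Chained with && so a failed step stops
# the sequence.
tar xf tarballs/N/nettle-3.3.tar.gz &&
cd nettle-3.3 &&
./configure --prefix=/opt/gnupg --with-lib-path=/opt/gnupg/lib --with-include-path=/opt/gnupg/include &&
tmp_install &&
fpm_pt -n optaux_nettle -v 3.3-pdp1 -d optaux_gmp opt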
root@workbench#
→ dpkg -i ~pdp/optaux-nettle_3.3-pdp1_amd64.deb
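# gnutls: resolves gmp/nettle from /opt via pkg-config plus explicit GMP_*
# overrides; -Wl,-R stamps an RPATH so the /opt libraries are found at run
# time without LD_LIBRARY_PATH (verified with readelf after install).
# --with-included-libtasn1 bundles libtasn1 into this package, so distro
# libtasn1 security updates will not reach it — rebuild on advisories.
# Chained with && so a failed step stops the sequence.
tar xf tarballs/N/gnutls-3.4.17.tar.xz &&
cd gnutls-3.4.17 &&
PKG_CONFIG_PATH=/opt/gnupg/lib/pkgconfig \
GMP_CFLAGS=-I/opt/gnupg/include GMP_LIBS=-L/opt/gnupg/lib \
LDFLAGS='-L/opt/gnupg/lib -Wl,-R/opt/gnupg/lib' \
./configure --prefix=/opt/gnupg --disable-nls --with-included-libtasn1 --without-p11-kit &&
tmp_install &&
fpm_pt -n optaux_gnutls -v 3.4.17-pdp1 -d optaux_nettle opt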
root@workbench#
→ dpkg -i ~pdp/optaux-gnutls_3.4.17-pdp1_amd64.deb
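# Post-install checks: what the package shipped, that the binary resolves its
# libraries from /opt/gnupg, and that the -Wl,-R RPATH is really present.
# Match RUNPATH as well: a linker defaulting to new dtags emits DT_RUNPATH
# instead, which a bare "RPATH" grep misses — and unlike DT_RPATH, a RUNPATH
# is overridden by LD_LIBRARY_PATH, so the distinction matters.
dpkg -L optaux-gnutls | less
ldd /opt/gnupg/bin/gnutls-cli
readelf -d /opt/gnupg/bin/gnutls-cli | grep -E 'R(UN)?PATH'
readelf -d /opt/gnupg/lib/libgnutls.so | grep -E 'R(UN)?PATH'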
(If the RPATH needs fixing, use `patchelf --set-rpath /opt/gnupg/lib /path/to/elf/to/fix`.)
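# npth: no /opt dependencies; --enable-static also builds the static archive.
# Chained with && so a failed step stops the sequence.
tar xf tarballs/N/npth-1.3.tar.bz2 &&
cd npth-1.3 &&
./configure --prefix=/opt/gnupg --enable-static &&
tmp_install &&
fpm_pt -n optaux_npth -v 1.3-pdp1 opt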
root@workbench#
→ dpkg -i ~pdp/optaux-npth_1.3-pdp1_amd64.deb
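# libgpg-error: the base library every remaining package is configured
# against (--with-libgpg-error-prefix below) and depends on.
# Chained with && so a failed step stops the sequence.
tar xf tarballs/N/libgpg-error-1.27.tar.gz &&
cd libgpg-error-1.27 &&
./configure --prefix=/opt/gnupg --enable-static --disable-nls &&
tmp_install &&
fpm_pt -n optaux_libgpg-error -v 1.27-pdp1 opt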
root@workbench#
→ dpkg -i ~pdp/optaux-libgpg-error_1.27-pdp1_amd64.deb
Reinstall with a bumped package revision because a dependency was rebuilt.
(Strictly speaking, this one might need RPATH stamping too ...)
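# libgcrypt, revision bump: depends on the freshly built libgpg-error.
# Taken from tarballs/ rather than tarballs/N/, i.e. one of the previously
# verified downloads — it does not appear in the gpg --verify output above.
# No -Wl,-R here, unlike libksba/libassuan below; the note above says RPATH
# stamping might be needed too, so check with readelf as done for gnutls.
# Chained with && so a failed step stops the sequence.
tar xf tarballs/libgcrypt-1.7.6.tar.bz2 &&
cd libgcrypt-1.7.6 &&
./configure --prefix=/opt/gnupg --enable-static --with-libgpg-error-prefix=/opt/gnupg &&
tmp_install &&
fpm_pt -n optaux_libgcrypt -v 1.7.6-pdp2 -d optaux_libgpg-error opt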
root@workbench#
→ dpkg -i ~pdp/optaux-libgcrypt_1.7.6-pdp2_amd64.deb
Reinstall with a bumped package revision because a dependency was rebuilt.
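# libksba, revision bump: depends on the freshly built libgpg-error and gets
# the /opt RPATH via -Wl,-R. From tarballs/ (previously verified download, not
# in the gpg --verify output above). Chained with && so a failed step stops
# the sequence.
tar xf tarballs/libksba-1.3.5.tar.bz2 &&
cd libksba-1.3.5 &&
LDFLAGS='-L/opt/gnupg/lib -Wl,-R/opt/gnupg/lib' \
./configure --prefix=/opt/gnupg --enable-static --with-libgpg-error-prefix=/opt/gnupg &&
tmp_install &&
fpm_pt -n optaux_libksba -v 1.3.5-pdp2 -d optaux_libgpg-error opt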
root@workbench#
→ dpkg -i ~pdp/optaux-libksba_1.3.5-pdp2_amd64.deb
Reinstall with a bumped package revision because a dependency was rebuilt.
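# libassuan, revision bump: depends on the freshly built libgpg-error and gets
# the /opt RPATH via -Wl,-R. From tarballs/ (previously verified download, not
# in the gpg --verify output above). Chained with && so a failed step stops
# the sequence.
tar xf tarballs/libassuan-2.4.3.tar.bz2 &&
cd libassuan-2.4.3 &&
LDFLAGS='-L/opt/gnupg/lib -Wl,-R/opt/gnupg/lib' \
./configure --prefix=/opt/gnupg --enable-static --with-libgpg-error-prefix=/opt/gnupg &&
tmp_install &&
fpm_pt -n optaux_libassuan -v 2.4.3-pdp2 -d optaux_libgpg-error opt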
root@workbench#
→ dpkg -i ~pdp/optaux-libassuan_2.4.3-pdp2_amd64.deb
Definitely need RPATH stamping here, else pinentry-curses will fail to start.
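# pinentry: the -Wl,-R RPATH is mandatory here (pinentry-curses otherwise
# fails to start, per the note above). Only the curses and tty front-ends are
# built. Chained with && so a failed step stops the sequence.
tar xf tarballs/N/pinentry-1.0.0.tar.bz2 &&
cd pinentry-1.0.0 &&
LDFLAGS='-L/opt/gnupg/lib -Wl,-R/opt/gnupg/lib' \
./configure --prefix=/opt/gnupg --enable-static \
  --with-libgpg-error-prefix=/opt/gnupg --with-libassuan-prefix=/opt/gnupg \
  --enable-pinentry-curses --enable-pinentry-tty &&
tmp_install &&
fpm_pt -n optaux_pinentry -v 1.0.0-pdp1 -d optaux_libgpg-error -d optaux_libassuan opt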
root@workbench#
→ dpkg -i ~pdp/optaux-pinentry_1.0.0-pdp1_amd64.deb
Note that pkg-config picks up gnutls, so it is still needed as a dependency, and the package providing the --with-pinentry-pgm binary must also be a dependency.
# gnupg itself: every dependency comes from /opt/gnupg (pkg-config path plus
# explicit --with-*-prefix) and -Wl,-R stamps the RPATH so the /opt libraries
# are used instead of the distro ones. --with-pinentry-pgm hard-wires the
# curses pinentry packaged above; --enable-key-cache=16384 follows the key
# count note near the top.
tar xf tarballs/N/gnupg-2.1.19.tar.bz2
cd gnupg-2.1.19
PKG_CONFIG_PATH=/opt/gnupg/lib/pkgconfig \
LDFLAGS='-L/opt/gnupg/lib -Wl,-R/opt/gnupg/lib' \
./configure --prefix=/opt/gnupg \
--disable-nls --disable-ldap --enable-noexecstack --enable-key-cache=16384 --enable-wks-tools \
--with-pinentry-pgm=/opt/gnupg/bin/pinentry-curses \
--with-libgpg-error-prefix=/opt/gnupg --with-libassuan-prefix=/opt/gnupg \
--with-libgcrypt-prefix=/opt/gnupg --with-ksba-prefix=/opt/gnupg --with-npth-prefix=/opt/gnupg
tmp_install
# zsh: the (*.) qualifier selects executable regular files and $F:t is the
# basename. ${F%2} strips a trailing "2" before "2.1" is appended, so every
# staged binary gets a versioned alias: gpg2.1 -> gpg2, gpgconf2.1 -> gpgconf.
for F in $d/opt/gnupg/bin/*(*.); do ln -sv $F:t ${F%2}2.1 ; done
# unversioned "gpg" name resolves to gpg2
ln -sv gpg2 $d/opt/gnupg/bin/gpg
# confirm the RPATH made it into the staged binary before it is packaged
chrpath -l $d/opt/gnupg/bin/gpg2
# NOTE(review): -d optaux-npth and -d optaux-pinentry use a dash where the
# other dependencies use the underscore form the packages were built with;
# the .deb file names use dashes (see the dpkg -i lines), so confirm both
# spellings resolve to the installed packages.
fpm_pt -n optaux_gnupg -v 2.1.19-pdp1 \
-d optaux_libgpg-error -d optaux_libassuan -d optaux_libgcrypt -d optaux_libksba \
-d optaux-npth -d optaux_gnutls -d optaux-pinentry \
opt
root@workbench#
→ dpkg -i ~pdp/optaux-gnupg_2.1.19-pdp1_amd64.deb
Get files onto the aptly apt-mirror box:
# Copy every optaux package from workbench into the aptly inbox on orchard.
# -3 relays the transfer through this host, so neither box needs access to the other.
scp -3 'workbench:optaux*' fuji@orchard:IN-packages/gnupg/./
As fuji@orchard:
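# Publish the new .debs: add them to the local repo, snapshot it under today's
# date, then re-point the published trusty distribution at that snapshot.
# Chained with && so a failed cd or add cannot publish a stale snapshot.
cd ~/IN-packages/gnupg &&
aptly repo add spodhuis optaux-* &&
snap=spodhuis-$(date +%Y%m%d) &&
aptly snapshot create "${snap:?}" from repo spodhuis &&
# NOTE(review): GnuPG 2.1 auto-starts the agent on demand, so this eval is
# probably a holdover from an older gpg on orchard — confirm which version
# signs there before removing it.
eval "$(gpg-agent --daemon)" &&
aptly publish -gpg-key 0x8AC8EE39F0C68907 \
  -architectures amd64,i386,armel,armhf,arm64 \
  switch trusty spodhuis/ubuntu/trusty "${snap:?}"
# stop the signing agent regardless of how the publish step ended
gpgconf --kill gpg-agent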
Just apt update/upgrade for most places.
# Stop the long-running GnuPG daemons; presumably so that the next invocation
# starts the freshly upgraded binaries — confirm.
for daemon in dirmngr gpg-agent; do
  gpgconf --kill "$daemon"
done
aptly is a golang apt repo maintenance tool.
fpm is written in Ruby.
Some historical notes (versions likely changed since these):
root@workbench
→ apt-get install ruby-dev gcc make
# rbenv + ruby-build + rbenv-gemset: an isolated Ruby just for fpm (a Ruby gem).
cd
# NOTE(review): none of these three clones pins a tag or commit, so
# re-running these notes later builds whatever is at each HEAD at that time.
git clone [email protected]:sstephenson/rbenv.git .rbenv
git clone https://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
git clone https://github.com/jf/rbenv-gemset.git ~/.rbenv/plugins/rbenv-gemset
rbenv install -l
rbenv install 2.3.1
rbenv global 2.3.1
# a gemset named "fpm" scoped to this directory — the same marker file that
# tmp_install writes into each build directory before fpm_pt runs
mkdir -p ~/lib/envs/fpm && cd ~/lib/envs/fpm
echo fpm > .rbenv-gemsets
rbenv exec gem install bundler
# zsh print -l: one argument per line. The Gemfile carries no version
# constraint on fpm, so the version actually installed is recorded only in
# the Gemfile.lock that bundle install writes.
print -l 'source "https://rubygems.org"' '' 'gem "fpm"' > Gemfile
rbenv exec bundle install
rbenv exec fpm --help
Build:
# Build aptly from source, with gom handling its dependencies.
# NOTE(review): go get -u fetches gom at HEAD; whether the aptly dependencies
# gom installs are pinned depends on aptly's Gomfile — confirm before relying
# on the binary copied below being reproducible.
go get -u github.com/mattn/gom
go get -d github.com/smira/aptly # mistake, use `gom` for dependencies instead
cd go/src/github.com/smira/aptly
gom -production install # fetches/install dependencies under `./vendor`
# first GOPATH entry only, in case GOPATH is a colon-separated list
gom build -o ${GOPATH%%:*}/bin/aptly
Copy binary to fuji@orchard:bin/./
Created a PGP key on machine with a hardware entropy device,
then copied to orchard. 0x8AC8EE39F0C68907
Created all the glue (locations, nginx, etc.); note that "publish" requires the storage/publish location not to involve cross-device symlinks.
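# One-time bootstrap on orchard: create the repo and publish an empty snapshot
# first; later releases use "publish switch" (see below). Chained with && so
# a failed create does not go on to publish.
aptly repo create -comment "spodhuis/pennock-tech apt repo" spodhuis &&
aptly snapshot create empty-snapshot empty &&
aptly publish -gpg-key 0x8AC8EE39F0C68907 \
  -architectures amd64,i386,armel,armhf,arm64 \
  snapshot empty-snapshot spodhuis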
- Initially `publish ... snapshot`, thereafter `publish ... switch`.
- See what we have:
# list the repo at package level to confirm what has been added
aptly repo show -with-packages spodhuis
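# On a host that consumes the repo: enable the https transport, point apt at
# the mirror, and exempt that host from the apt proxy. apt will only accept
# the repo's Release signature once the publishing key (0x8AC8EE39F0C68907
# above) is in its trusted keyring; that import is not recorded here.
# Chained with && so the sources entry is not written if the transport
# package fails to install.
apt-get install apt-transport-https &&
echo 'deb https://apt.orchard.lan/spodhuis/ubuntu/trusty trusty main' > /etc/apt/sources.list.d/spodhuis.list &&
echo 'Acquire::https::Proxy::apt.orchard.lan "DIRECT";' > /etc/apt/apt.conf.d/71noproxy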