date | title | weight | toc | draft | menu
---|---|---|---|---|---
2016-11-08T16:00:00+02:00 | Title | 10 | true | false |
Arch package registry
Gitea provides an Arch package registry that can act as a fully working Arch Linux mirror and be referenced directly in /etc/pacman.conf. Gitea automatically creates a pacman database for packages in the user's space when a new Arch package is uploaded.
Requirements
You can install packages in any environment with pacman. Alternatively, you can use pack, which connects the specified registries automatically and provides a simple interface for package uploads and deletions.
Install packages
First, you need to update your pacman configuration by adding the following lines:
[{owner}.{domain}]
Server = https://{domain}/api/packages/{owner}/arch/{distribution}/{architecture}
Then you can run the pacman sync command (with the -y flag to load the connected database file) to install your package.
pacman -Sy package
GPG Verification
Upload and remove operations are validated with GnuPG. First, you need to export your public GPG key and upload it under SSH/GPG Keys in your account settings. This works the same way as with an SSH key. You can export your GPG key with the following command:
gpg --armor --export
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGSYoJUBCADSJ6v8Egst/gNJVC2206o8JqTzRBxTULKm/DH5J7AzrhJBxC2/
...
-----END PGP PUBLIC KEY BLOCK-----
Upload packages
- Ensure that your package has been signed with your GPG key ([more about arch package signing](https://wiki.archlinux.org/title/DeveloperWiki:Package_signing)). You can check this by running the following command:
gpg --verify package-ver-1-x86_64.pkg.tar.zst.sig
- Sign the message metadata, which consists of the package owner (the namespace in Gitea), the package file name and the send time. You can do that by running the following commands:
echo -n {owner}{package}$(date --rfc-3339=seconds | tr " " T) > md
gpg --detach-sign md
- Convert the package and metadata signatures to hex by running the following commands, and save the output somewhere.
xxd -p md.sig | tr -d "\n" > md.sig.hex
xxd -p package-1-1-x86_64.pkg.tar.zst.sig | tr -d "\n" > pkg.sig.hex
- Fill in your parameters and push the package with curl. The time must be the same as in the metadata (the signed md file), since this value is verified with GnuPG.
curl -X PUT \
'https://{domain}/api/packages/{owner}/arch/push' \
--header 'filename: {package}-1-1-x86_64.pkg.tar.zst' \
--header 'email: dancheg97@fmnx.su' \
--header 'distro: archlinux' \
--header 'time: {metadata-time}' \
--header 'pkgsign: {package-signature-hex}' \
--header 'metasign: {metadata-signature-hex}' \
--header 'Content-Type: application/octet-stream' \
--data-binary '@/path/to/package/file/{package}-1-1-x86_64.pkg.tar.zst'
Full script for package upload:
owner=user
package=package-0.1.0-1-x86_64.pkg.tar.zst
email=user@example.com
# One timestamp, used in both the signed metadata and the time header.
time=$(date --rfc-3339=seconds | tr " " T)
# Hex-encode the package signature on a single line.
pkgsignhex=$(xxd -p "$package.sig" | tr -d "\n")
# Overwrite (not append) so the signed message is exactly owner+package+time.
echo -n "$owner$package$time" > mddata
gpg --detach-sign mddata
mdsignhex=$(xxd -p mddata.sig | tr -d "\n")
curl -X PUT \
http://{domain}/api/packages/$owner/arch/push \
--header "filename: $package" \
--header "email: $email" \
--header "time: $time" \
--header "distro: archlinux" \
--header "metasign: $mdsignhex" \
--header "pkgsign: $pkgsignhex" \
--header 'Content-Type: application/octet-stream' \
--data-binary "@$package"
Alternatively, you can install pack and execute the push command. pack automatically handles all GPG- and HTTP-related operations:
pack -P {domain}/{owner}/{package}
Delete packages
- Prepare the signature for the delete message.
echo -n {owner}{package}$(date --rfc-3339=seconds | tr " " T) > md
gpg --detach-sign md
- Send the delete message with curl. The time should be the same as the one saved in the md file.
curl -X DELETE \
http://localhost:3000/api/packages/{user}/arch/remove \
--header "username: {user}" \
--header "email: user@email.com" \
--header "target: package" \
--header "time: {rmtime}" \
--header "version: {version-release}" \
--header 'Content-Type: application/octet-stream' \
--data-binary @md.sig
Full script for package deletion:
owner=user
package=package
version=0.1.0-1
email=user@example.com
arch=x86_64
time=$(date --rfc-3339=seconds | tr " " T)
# Remove leftovers from earlier runs so only the new message is signed.
rm -f md md.sig
echo -n "$owner$package$time" > md
gpg --detach-sign md
curl -X DELETE \
http://{domain}/api/packages/$owner/arch/remove \
--header "username: $owner" \
--header "email: $email" \
--header "target: $package" \
--header "time: $time" \
--header "version: $version" \
--header 'Content-Type: application/octet-stream' \
--data-binary @md.sig
Alternatively, you can use pack to execute remote delete operations:
pack -R {domain}/{owner}/{package}@{version-release}
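
A pre-flight check for the upload and delete steps above, added here as an example (it is not Gitea's or pack's code): before signing, it confirms that the metadata file holds exactly {owner}{package}{time} for the time that will be sent in the header, which fails when an older file was appended to rather than replaced. The function names and sample values are assumptions.

```bash
#!/bin/sh
# Added example, not Gitea's code. Function names and sample values are assumptions.

# Hex-encode a file on a single line, the form the pkgsign/metasign headers carry.
hex_of() {
  if command -v xxd >/dev/null 2>&1; then
    xxd -p "$1" | tr -d '\n'
  else
    od -An -v -tx1 "$1" | tr -d ' \n'
  fi
}

# Write {owner}{package}{time} with no separators or newline, replacing old content.
write_metadata() { # owner package time outfile
  printf '%s%s%s' "$1" "$2" "$3" > "$4"
}

# Succeed only if the file is byte-for-byte the message the request headers describe.
metadata_matches() { # owner package time file
  printf '%s%s%s' "$1" "$2" "$3" | cmp -s - "$4"
}

# Constructed demo: a fresh file matches; a file that was appended to does not.
demo_stale_file() {
  dir=$(mktemp -d) || return 1
  owner=user
  package=package-0.1.0-1-x86_64.pkg.tar.zst
  t1=2024-01-01T10:00:00+00:00
  t2=2024-01-01T10:05:00+00:00
  write_metadata "$owner" "$package" "$t1" "$dir/md"
  metadata_matches "$owner" "$package" "$t1" "$dir/md" && fresh=ok || fresh=mismatch
  # A second run that appends leaves the first message in front of the new one.
  printf '%s%s%s' "$owner" "$package" "$t2" >> "$dir/md"
  metadata_matches "$owner" "$package" "$t2" "$dir/md" && stale=ok || stale=mismatch
  rm -rf "$dir"
  echo "fresh=$fresh stale=$stale"
}

demo_stale_file
```

Run `metadata_matches` with the same owner, package and time values you pass to curl, just before `gpg --detach-sign`.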