gitea/docs/content/doc/usage/packages/arch.en-us.md


---
date: "2016-11-08T16:00:00+02:00"
title: "Title"
weight: 10
toc: true
draft: false
menu:
  sidebar:
    parent: "packages"
    name: "Arch"
    weight: 10
    identifier: "arch"
---
# Arch package registry
Gitea has an Arch package registry, which can act as a fully working [Arch Linux mirror](https://wiki.archlinux.org/title/mirrors) and be connected directly in `/etc/pacman.conf`. Gitea automatically creates a pacman database for packages in user space when a new Arch package is uploaded.
**Table of Contents**
{{< toc >}}
## Requirements
You can install packages in any environment with [pacman](https://wiki.archlinux.org/title/Pacman). Alternatively, you can use [pack](https://fmnx.su/core/pack), which connects specified registries automatically and provides a simple interface for package uploads and deletions.
## Install packages
First, update your pacman configuration by adding the following lines:
```conf
[{owner}.{domain}]
Server = https://{domain}/api/packages/{owner}/arch/{distribution}/{architecture}
```
Then run the pacman sync command (with the `-y` flag to load the connected database file) to install your package.
```sh
pacman -Sy package
```
## GPG Verification
Upload and remove operations are validated with [GnuPG](https://gnupg.org/). First, you need to export your public GPG key and upload it to `SSH/GPG Keys` in account settings. This works similarly to SSH keys. You can export the GPG key with the command:
```sh
gpg --armor --export
```
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGSYoJUBCADSJ6v8Egst/gNJVC2206o8JqTzRBxTULKm/DH5J7AzrhJBxC2/
...
-----END PGP PUBLIC KEY BLOCK-----
```
## Upload packages
1. Ensure that your package has been signed with your GPG key ([more about Arch package signing](https://wiki.archlinux.org/title/DeveloperWiki:Package_signing)). You can do that by running the following command:
```sh
gpg --verify package-ver-1-x86_64.pkg.tar.zst.sig
```
2. Sign the message metadata, which consists of the package owner (namespace in Gitea), the package file name and the send time. You can do that by running the following commands:
```sh
# '>' overwrites md, so the signed file holds exactly one owner+package+time string
echo -n {owner}{package}$(date --rfc-3339=seconds | tr " " T) > md
gpg --detach-sign md
```
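3. Convert the package and metadata signatures to hex by running the following commands, and save the output somewhere.
```sh
# xxd -p wraps its output; strip the newlines so each value fits in one header
xxd -p md.sig | tr -d "\n" > md.sig.hex
xxd -p package-1-1-x86_64.pkg.tar.zst.sig | tr -d "\n" > pkg.sig.hex
```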
4. Paste your parameters and push the package with [curl](https://curl.se/). It is important that the time is the same as in the metadata (the signed `md` file), since this value is verified with GnuPG.
```sh
curl -X PUT \
'https://{domain}/api/packages/{owner}/arch/push' \
--header 'filename: {package}-1-1-x86_64.pkg.tar.zst' \
--header 'email: dancheg97@fmnx.su' \
--header 'distro: archlinux' \
--header 'time: {metadata-time}' \
--header 'pkgsign: {package-signature-hex}' \
--header 'metasign: {metadata-signature-hex}' \
--header 'Content-Type: application/octet-stream' \
--data-binary '@/path/to/package/file/{package}-1-1-x86_64.pkg.tar.zst'
```
Full script for package upload:
```sh
owner=user
package=package-0.1.0-1-x86_64.pkg.tar.zst
email=user@example.com
# One timestamp, reused for the signed metadata and the `time` header
time=$(date --rfc-3339=seconds | tr " " T)
# Hex-encode the existing package signature on a single line
pkgsignhex=$(xxd -p "$package.sig" | tr -d "\n")
# Overwrite (not append) so the signed data is exactly owner+package+time
echo -n "$owner$package$time" > mddata
gpg --detach-sign mddata
mdsignhex=$(xxd -p mddata.sig | tr -d "\n")
curl -X PUT \
"http://{domain}/api/packages/$owner/arch/push" \
--header "filename: $package" \
--header "email: $email" \
--header "time: $time" \
--header "distro: archlinux" \
--header "metasign: $mdsignhex" \
--header "pkgsign: $pkgsignhex" \
--header 'Content-Type: application/octet-stream' \
--data-binary "@$package"
```
Alternatively, you can install [pack](https://fmnx.su/core/pack) and execute the push command. Pack automatically handles all GPG/HTTP-related operations:
```sh
pack -P {domain}/{owner}/{package}
```
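The following pre-flight check for steps 2 to 4 is an added example, not part of Gitea or pack. It catches a metadata file that does not match the values sent in the headers, and a signature hex string that contains line breaks. The function names `hex_of` and `preflight` are hypothetical, and `od` is used in place of `xxd` for the hex encoding.

```shell
#!/bin/sh
# Added example; hex_of and preflight are hypothetical helper names.

# Hex-encode a file (or stdin) as one unbroken lowercase string.
# Unlike plain `xxd -p`, the result has no line breaks, so it fits in a header.
hex_of() {
    cat "$@" | od -An -v -tx1 | tr -d ' \n'
}

# preflight OWNER PACKAGE TIME MDFILE SIGHEX
# Succeeds only if the values about to be sent match what was signed.
preflight() {
    pf_owner=$1 pf_pkg=$2 pf_time=$3 pf_md=$4 pf_hex=$5

    # Time must have the shape produced by `date --rfc-3339=seconds | tr " " T`.
    case $pf_time in
        ????-??-??T??:??:??*) ;;
        *) echo "preflight: time is not in date-T-time form" >&2; return 1 ;;
    esac

    # The signed file must be byte-identical to owner + file name + time.
    # A stale file that was appended to, or a trailing newline, fails here.
    pf_want=$(printf '%s%s%s' "$pf_owner" "$pf_pkg" "$pf_time" | hex_of)
    if [ "$(hex_of "$pf_md")" != "$pf_want" ]; then
        echo "preflight: $pf_md does not match owner+package+time" >&2
        return 1
    fi

    # Signature hex: non-empty, hex digits only (no newlines), even length.
    case $pf_hex in
        ''|*[!0123456789abcdef]*)
            echo "preflight: signature hex is empty or malformed" >&2
            return 1 ;;
    esac
    if [ $(( ${#pf_hex} % 2 )) -ne 0 ]; then
        echo "preflight: signature hex has odd length" >&2
        return 1
    fi
    return 0
}
```

Call `preflight "$owner" "$package" "$time" mddata "$mdsignhex"` just before the `curl` command in the full upload script.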
## Delete packages
1. Prepare the signature for the delete message.
```sh
# '>' overwrites md, so the signed file holds exactly one owner+package+time string
echo -n {owner}{package}$(date --rfc-3339=seconds | tr " " T) > md
gpg --detach-sign md
```
2. Send the delete message with [curl](https://curl.se/). The time should be the same as the one saved in the `md` file.
```sh
curl -X DELETE \
http://localhost:3000/api/packages/{user}/arch/remove \
--header "username: {user}" \
--header "email: user@email.com" \
--header "target: package" \
--header "time: {rmtime}" \
--header "version: {version-release}" \
--header 'Content-Type: application/octet-stream' \
--data-binary @md.sig
```
Full script for package deletion:
```sh
owner=user
package=package
version=0.1.0-1
email=user@example.com
arch=x86_64
# One timestamp, reused for the signed metadata and the `time` header
time=$(date --rfc-3339=seconds | tr " " T)
# Remove leftovers from a previous run; these are local files, no sudo needed
rm -f md md.sig
echo -n "$owner$package$time" > md
gpg --detach-sign md
curl -X DELETE \
"http://{domain}/api/packages/$owner/arch/remove" \
--header "username: $owner" \
--header "email: $email" \
--header "target: $package" \
--header "time: $time" \
--header "version: $version" \
--header 'Content-Type: application/octet-stream' \
--data-binary @md.sig
```
Alternatively, you can use [pack](https://fmnx.su/core/pack) to execute remote delete operations:
```sh
pack -R {domain}/{owner}/{package}@{version-release}
```