Version 7 (modified by nerdling (Jeremy Lavergne), 13 years ago) (diff) |
---|
Using Your Own Archives
MacPorts verifies archives when archivemode
is enabled, making the signing archives a requirement. This page will serve as a guide showing how to do this.
Create Keys
The first step (also detailed in ${prefix}/etc/macports/pubkeys.conf) is to make keys to sign your archives.
To distribute archives of your own, you need a key pair generated like so:
cd ~/.ssh openssl genrsa -des3 -out privkey.pem 2048 openssl rsa -in privkey.pem -pubout -out pubkey.pem
Be sure to add this key to your ssh keyring or you'll get asked for the password each time it's used. Another alternative is it save it as an unencrypted key, like so:
openssl rsa -in privkey.pem -out privkey.pem.bare
Sign Packages
Then sign the archives like this:
openssl dgst -ripemd160 -sign privkey.pem -out archive.tbz2.rmd160 archive.tbz2
If you have lots of archives to sign, this can be done via a for loop in your shell. Here I use bash:
cd /archive/repository for i in */*tbz2; do openssl dgst -ripemd160 -sign ~/.ssh/privkey.pem.bare -out $i.rmd160 $i; done
Note that this saves the signatures along side the archives, by simply using .rmd160
as a suffix. This is what MacPorts expects.
Configure MacPorts
Now we need to add your key to MacPorts. This is done in two places:
- save copy of public key
- add path to this copy in pubkeys.conf
I used ${prefix}/etc/macports/snc.pub
for simplicity.
Try It
Your archives are now signed and MacPorts should be configured to recognize your signature. Try it out!
Maintenance of Archive Repository
Each day (really, every 30 minutes) new ports arrive and several are updated. Rather than rebuilding the whole tree you'll want to go after the ones with changes. This is easily achieved by the find
command.
cd ${prefix}/var/macports/sources/rsync.macports.org/release/ports sudo port selfupdate find . -name Portfile -mtime -1d | while read i do sudo port archive `dirname ${i#*/*/}` done
As you build archives, you'll eventually come across an instance where you're upgrading an older version. Keeping these outdated archives around might be less than ideal. We can wipe them out as we build the updates in the repository, checking the versions against what's current.
cd /archive/repository sudo port selfupdate for i in * do port -q info --index --version `basename $i` | while read j do ls "$i" | grep -v "$j" | while read k do sudo rm -v "$i/$k" done done done
This can also be accomplished using rsync
between a build box and a web server. After syncing you'd run a sign_archives
routine described above.
for i in ${prefix}/var/macports/software/* do port -q info --index --version `basename $i` | while read j do rsync -az --delete --filter "P *$j*" "$i" snc@tazamahal.com:/var/www/macports/ done done ssh snc@tazamahal.com sign_archives.sh