Debian feed instructions are incorrect

hwittenborn

The Debian feed client configuration currently is shown as follows:

Client Configuration

In order to actually install packages from ProGet, each client must perform the following steps:

1. Add the signing key
To add the key to apt, run the following commands:

wget -O "deb.gpg" http://{proget-server}/debian-feeds/{feed-name}.pub && sudo apt-key add "{feed-name}.gpg"

echo "deb http://{proget-server}/ {feed-name} {component-name}" | sudo tee /etc/apt/sources.list.d/{proget-deb}.list

Only the first command is used to add the key - the second command adds the repository to the system.

It should read something along the lines of this (kept the info about the two commands in one line - didn't seem to flow well with it on one command each):

1. Add the signing key and repository information
To add the repository information and signing key to your system, run the following commands:

wget -O "deb.gpg" http://{proget-server}/debian-feeds/{feed-name}.pub && sudo apt-key add "{feed-name}.gpg"

echo "deb http://{proget-server}/ {feed-name} {component-name}" | sudo tee /etc/apt/sources.list.d/{proget-deb}.list

...
2. Update apt
In order to actually install packages from a ProGet feed, the package cache must be updated by running:

sudo apt update

atripp

Thanks for letting us know @hwittenborn! That wasn't very clear that it was two separate commands....

I updated the docs to hopefully be clearer, and break out these into three steps.

hwittenborn

Thanks!

On a side note, it looks like the wget command for the key saves the file to deb.gpg, but the add-apt command uses {feed-name}.gpg. If I'm not mistaken, add-apt should read from deb.gpg then, right?

I'm also seeing this being used, which prints to stdout, pipes to the apt-key command, and then tells apt-key to read from stdin, thus avoiding the need to write to a file at all:

wget -qO http://{proget-server}/debian-feeds/{feed-name}.pub | sudo apt-key add -

If it can influence any changes in the future, there's also this note in the manual for apt-key:

Note: Instead of using this command a keyring should be placed
           directly in the /etc/apt/trusted.gpg.d/ directory with a
           descriptive name and either "gpg" or "asc" as file extension.

If you were to go that route, the file would probably be placed like so (ideally with the .asc extension, as ProGet's keys are ASCII-armored):

/etc/apt/trusted.gpg.d/{feed-name}.asc

atripp

Great, thanks @hwittenborn -- where's pull requests for our docs when we need it ;)

I'm not familiar enough with Linux or Debian to understand or make the second changes you suggested (I'll leave it to @rhessinger), but I replaced the wget command with yours, which avoids creating that file.

Cheers!

hwittenborn

Just noticing it now - it looks like I forgot a hyphen in the wget command right before the URL. It should look like this:

wget -qO - http://{proget-server}/debian-feeds/{feed-name}.pub | sudo apt-key add -

The previous command returns an error saying a URL wasn't specified, as I'm pretty sure wget is interpreting http://{proget-server}/debian-feeds/{feed-name}.pub as the output file.

Also - were you saying there was a place to submit PRs for stuff like this?

rhessinger

Hi @hwittenborn,

I recently ran into similar problems in the latest version of apt on Ubuntu. This didn't actually seem to be an issue in the older versions of apt. I determined that naming is very important when using Debian and this is how I was able to get this to work:

wget -O "{feed-name}.gpg" http://{proget-server}/debian-feeds/{feed-name}.pub && sudo apt-key add "{feed-name}.gpg"
echo "deb http://{proget-server}/ {feed-name} {component-name}" | sudo tee /etc/apt/sources.list.d/{feed-name}.list

Basically, I had to add download the pub as a {feed-name}.gpg then add that key to apt. Then when registering it in the sources.list.d I had to name it {feed-name}.list. In my experience, if they are not all named the same way, when you try to run sudo apt update you will get a bunch of warnings and the packages will never actually show up as available to install.

I'm not sure if this is the same thing you were seeing, but I was waiting on a couple of customers to confirm that running the commands this way it all worked before updating the documentation.

My guess is that using wget -qO - http://{proget-server}/debian-feeds/{feed-name}.pub | sudo apt-key add -, it added the key with the name of {feed-name}.gpg or whatever extensions apt converts it to. When you ran echo "deb http://{proget-server}/ {feed-name} {component-name}" | sudo tee /etc/apt/sources.list.d/{proget-deb}.list what did your use of {proget-deb}.list? Was it your feed name?

Thanks,
Rich

hwittenborn

Hi!

determined that naming is very important when using Debian and this is how I was able to get this to work:
wget -O "{feed-name}.gpg" http://{proget-server}/debian-feeds/{feed-name}.pub && sudo apt-key add "{feed-name}.gpg"

Are you saying the file fails to get added if you save it under the filename {feed-name}.pub?

My guess is that using wget -qO - http://{proget-server}/debian-feeds/{feed-name}.pub | sudo apt-key add -, it added the key with the name of {feed-name}.gpg or whatever extensions apt converts it to.

This adds the key in the ASCII-formatted version (which is what ProGet is using), which is just a base64-encoded version of a binary GPG key.

When using pipes (the | symbol in the above command), the filename doesn't get sent to the apt-key command, only the output of the previous command does, here being the content of the remote file wget downloaded.

apt-key supports ASCII-formatted keys though (again, which ProGet is using), so it has no problem adding it.

I imagine GPG, which APT uses for keys, is handling checking or converting the content of the key when necessary.

When you ran echo "deb http://{proget-server}/ {feed-name} {component-name}" | sudo tee /etc/apt/sources.list.d/{proget-deb}.list what did your use of {proget-deb}.list? Was it your feed name?

Yep, that just saves to the feed name.

In the tee command, it should read sudo tee /etc/apt/sources.list.d/{feed-name}.list though.

More specifically, it'll create a file at /etc/apt/sources.list.d/{feed-name}.list that contains deb http://{proget-server}/ {feed-name} {component-name}.

Hope that helps! Let me know if you need any clarification.

rhessinger

Hi @hwittenborn,

Thanks for the extra information. It is very much appreciated!

Are you saying the file fails to get added if you save it under the filename {feed-name}.pub?

I actually used it as a gpg file extension, but honestly, your solution much better. The file extension doesn't actually matter that much. Once it is added using apt-key, it just extract to contents and stores them in their keyring. You can see this by running sudo apt-key list.

I was more stating that in order for it to work for me on Ubuntu 20.04, I had to have everything named as the lowercase feed name in order for it to work for me. Although, I'm not sure if the lower case part matters. For example, for a feed name defaultdebian, I ran this:

wget -qO - http://proget.localhost/debian-feeds/defaultdebian.pub | sudo apt-key add -
echo "deb http://proget.localhost/ defaultdebian main" | sudo tee /etc/apt/sources.list.d/defaultdebian.list

sudo apt update

As a test I changed echo "deb http://proget.localhost/ defaultdebian main" | sudo tee /etc/apt/sources.list.d/defaultdebian.list to be echo "deb http://proget.localhost/ defaultdebian main" | sudo tee /etc/apt/sources.list.d/proget-defaultdebian.list and that actually wouldn't work for me. This caused a bunch of warnings when I ran sudo apt update. For some reason this only mattered in newer versions of apt though.

All in all, I will update the documentation to correct your command (adding the missing '-' ) and to include the updates to the naming. Hopefully, this will be clearer going forward for other users.

Thanks for all of your help!

Thanks,
Rich