PKG-REPO(8)		FreeBSD	System Manager's Manual		   PKG-REPO(8)

     pkg repo -- create	a package repository catalogue

     pkg repo [-lqL] [-o output-dir] [-m meta-file] <repo-path>	[<rsa-key> |
	 signing_command: <the command>]

     pkg repo [--{list-files,quiet,legacy}] [--output-dir output-dir]
	 [--meta-file meta-file] <repo-path> [<rsa-key>	| signing_command:
	 <the command>]

     pkg repo is used for creating a catalogue of the available	packages in a
     repository.  pkg repo catalogues are necessary for	sharing	your package
     repository	with other people.

     When pkg repo is invoked it creates a package repository catalogue
     (repo.sqlite), with an optional cryptographic signature, as a compressed
     tarball (repo.txz).  Repository users download and	cache this on their
     local machines, for fast lookup of	available packages by programs such as

     To create a package repository catalogue you must specify the top-level
     directory where all the packages are stored as repo-path.  pkg repo will
     search the filesystem beneath repo-path to find all the packages it
     contains.  Directories starting with "." or named Latest are not
     traversed.

     The repository will be created in the package directory unless the	-o
     output-dir	or --output-dir	output-dir is specified, in which case it will
     be	created	there.

     Optionally	you may	sign the repository catalogue by specifying the	path
     to	an RSA private key as the rsa-key argument or an external command.

     If rsa-key is used, the SHA256 of the repository is signed using the
     provided key.  The signature is added into the repository catalogue.  The
     client side should	use SIGNATURE_TYPE set to PUBKEY and PUBKEY set	to a
     local path	of the public key in its repository configuration file.

     An	external command can be	useful to create a signing server to keep the
     private key separate from the repository.	The external command is	passed
     the SHA256	of the repository catalogue on its stdin.  It should output
     the following format:

           SIGNATURE
           signature data here
           CERT
           public key data here
           END

     When using	an external command, the client's pkg.conf must	have
     SIGNATURE_TYPE set	to FINGERPRINTS	and FINGERPRINTS set to	a directory
     having a trusted/myrepo containing	a fingerprint style representation of
     the public	key:

	   function: sha256
	   fingerprint:	sha256_representation_of_the_public_key

     See the EXAMPLES section and pkg.conf(5) for more information.

     Signing the catalogue is strongly recommended.

     The following options are supported by pkg	repo:

     -q, --quiet
	    Force quiet	output.

     -L, --legacy
	    Create a repository	compatible with	pkg 1.2. Note that this	is
	    only required if the repository clients will not be	upgrading to
            pkg 1.3+. Older versions of pkg can upgrade themselves even from
            non-legacy repositories, provided pkg itself is included in those.

     -m	meta-file, --meta-file meta-file
	    Use	the specified file as repository meta file instead of the
	    default settings.

     -l, --list-files
	    Generate list of all files in repo as filesite.txz archive.

     -o	output-dir, --output-dir output-dir
	    Create the repository in the specified directory instead of	the
	    package directory.

     See pkg.conf(5).

     pkg_printf(3), pkg_repos(3), pkg-repository(5), pkg.conf(5), pkg(8),
     pkg-add(8), pkg-annotate(8), pkg-audit(8),	pkg-autoremove(8),
     pkg-backup(8), pkg-check(8), pkg-clean(8),	pkg-config(8), pkg-convert(8),
     pkg-create(8), pkg-delete(8), pkg-fetch(8), pkg-info(8), pkg-install(8),
     pkg-lock(8), pkg-query(8),	pkg-register(8), pkg-rquery(8),	pkg-search(8),
     pkg-set(8), pkg-shell(8), pkg-shlib(8), pkg-ssh(8), pkg-stats(8),
     pkg-update(8), pkg-updating(8), pkg-upgrade(8), pkg-version(8),

     Create an RSA key pair:

	   % openssl genrsa -out repo.key 2048
	   % chmod 0400	repo.key
           % openssl rsa -in repo.key -out repo.pub -pubout

     Create a repository and sign it with a local RSA key.  The	public key
     would be shared on	all client servers with	SIGNATURE_TYPE set to PUBKEY
     and its path set via PUBKEY setting in the	repository configuration file:

	   pkg repo /usr/ports/packages	repo.key

     Create a repository and sign it with an external command.	The client
     should set, via the repository configuration file,	SIGNATURE_TYPE to
     FINGERPRINTS and FINGERPRINTS to a	path containing	a file with the	SHA256
     of	the public key:

           # On signing server:
           % cat > sign.sh << 'EOF'
           #!/bin/sh
           # Read the catalogue's SHA256 from stdin; give up after 2 seconds.
           read -t 2 sum
           [ -z "$sum" ] && exit 1
           echo SIGNATURE
           echo -n "$sum" | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
           echo
           echo CERT
           cat repo.pub
           echo END
           EOF

           # On package server:
           % pkg repo /usr/ports/packages signing_command: ssh signing-server sign.sh
           # Generate fingerprint for sharing with clients
           % sh -c '( echo "function: sha256"; echo "fingerprint: $(sha256 -q repo.pub)"; ) > fingerprint'
           # The 'fingerprint' file should be distributed to all clients.

           # On clients with FINGERPRINTS: /usr/local/etc/pkg/fingerprints/myrepo:
           $ mkdir -p /usr/local/etc/pkg/fingerprints/myrepo/trusted
           # Add 'fingerprint' into /usr/local/etc/pkg/fingerprints/myrepo/trusted
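
     A pre-deployment check for the external signing setup above, as an added
     example that is not part of pkg or of this manual page: it splits a
     signing command's output into its signature and public key and checks the
     key against trusted fingerprint files. It assumes the output layout is a
     SIGNATURE line, the raw signature, a newline, a CERT line, the public key
     file contents and an END line; all function names and sample data are
     constructed, and the RSA signature itself is not verified here.

```python
import hashlib

def parse_signing_output(blob: bytes) -> tuple[bytes, bytes]:
    """Split signing_command output into (signature, public_key)."""
    head, cert_mark, tail = b"SIGNATURE\n", b"\nCERT\n", b"END\n"
    if not blob.startswith(head) or not blob.endswith(tail):
        raise ValueError("missing SIGNATURE or END line")
    # The signature is raw binary and may itself contain newlines, so search
    # for the CERT line from the right, where only the PEM text follows.
    cut = blob.rfind(cert_mark)
    if cut < len(head):
        raise ValueError("no CERT line after the signature")
    signature = blob[len(head):cut]
    public_key = blob[cut + len(cert_mark):-len(tail)]
    if not signature or not public_key:
        raise ValueError("empty signature or public key")
    return signature, public_key

def fingerprint_text(public_key: bytes) -> str:
    """Same content as the 'fingerprint' file built with sha256 -q."""
    digest = hashlib.sha256(public_key).hexdigest()
    return f"function: sha256\nfingerprint: {digest}\n"

def read_fingerprint(text: str) -> str:
    """Return the hex digest from a fingerprint file, or raise ValueError."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip('"').lower()
    digest = fields.get("fingerprint", "")
    if fields.get("function") != "sha256" or len(digest) != 64:
        raise ValueError("not a sha256 fingerprint file")
    return digest

def key_is_trusted(blob: bytes, trusted_files: list[str]) -> bool:
    """True if the key sent by the signer matches a trusted fingerprint."""
    _, public_key = parse_signing_output(blob)
    digest = hashlib.sha256(public_key).hexdigest()
    return any(read_fingerprint(t) == digest for t in trusted_files)

# Constructed sample data: not a real key or signature.
SAMPLE_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"
SAMPLE_SIG = b"\x00\x9f\nCERT\n\x10\xfe"  # binary that happens to hold a CERT line
SAMPLE_OUTPUT = b"SIGNATURE\n" + SAMPLE_SIG + b"\nCERT\n" + SAMPLE_PEM + b"END\n"

if __name__ == "__main__":
    print(key_is_trusted(SAMPLE_OUTPUT, [fingerprint_text(SAMPLE_PEM)]))
```

     Running the check against the signing server's real output before
     distributing the fingerprint file catches a fingerprint generated from a
     different public key than the one the signer actually sends.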

FreeBSD	10.3			 April 9, 2015			  FreeBSD 10.3

