2.7. RPM and Deb Repositories for Stable and Testing Packages

In addition to the packages that ship with Linux distributions, we maintain repositories of RPM and Deb packages of Firewall Builder, including both stable releases and testing builds.

2.7.1. Debian/Ubuntu Packages Repository

To access the Debian/Ubuntu repository of stable packages, add the following line to the file /etc/apt/sources.list (replace "maverick" in the example with "lucid" or another name, depending on your version):

deb http://www.fwbuilder.org/deb/stable/ maverick contrib
        

To access the Debian/Ubuntu repository of testing packages, add the following line to the file /etc/apt/sources.list (replace "maverick" in the example with "lucid" or another name, depending on your version):

deb http://www.fwbuilder.org/deb/testing/ maverick contrib
        

If you wish to follow only stable releases, add only the line with the "/deb/stable" URL.

Packages in all repositories are signed with the GPG key with ID EAEE08FE, "Firewall Builder Project (Package Signing Key) <pkgadmin@fwbuilder.org>". Download the public key and add it to your keyring to be able to verify the integrity of the packages in the repositories. To add the key on Debian/Ubuntu, use the following commands:

wget http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc
apt-key add PACKAGE-GPG-KEY-fwbuilder.asc
        

2.7.1.1. Configuring debsig-verify to Verify Package Signatures

This step is optional, but it is highly recommended in order to ensure the authenticity of the installed Firewall Builder packages. If you do not configure debsig-verify, package signatures are not verified; however, the apt tools attempt to install the packages anyway.

Unfortunately, it is not enough to just add the key to apt-get; you must also install the debsig-verify package and configure it. Consult one of the HOWTO guides on the Internet describing how to set up the debsig-verify tools to verify signed packages. One such guide can be found here: Signing .deb packages. See section #4, "Setup the machine(s) that will be downloading and verifying the package", in it.

The following briefly describes the debsig-verify installation and configuration process.

First, you must install debsig-verify and gpg:

aptitude install debsig-verify gpg
            

Import our key and check its fingerprint:

gpg --import PACKAGE-GPG-KEY-fwbuilder.asc
gpg --fingerprint
          

gpg --fingerprint prints something like this:

------------------------
pub   1024D/EAEE08FE 2009-05-17
Key fingerprint = 5397 6AA1 5E71 2F74 947B  4496 EF2E DD98 EAEE 08FE
uid                  Firewall Builder Project (Package Signing Key) <pkgadmin@fwbuilder.org>
sub   2048g/FE31D386 2009-05-17
          

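The key ID is EAEE08FE. The value used as the fingerprint in the steps below is the last four groups of hexadecimal digits in the "Key fingerprint" line, with the white space removed: EF2EDD98EAEE08FE. These 16 digits are the key's 64-bit long key ID; the full fingerprint is all ten groups.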

The next step is to import the key into the debsig keyring, as follows:

mkdir /usr/share/debsig/keyrings/EF2EDD98EAEE08FE
gpg --no-default-keyring \
    --keyring /usr/share/debsig/keyrings/EF2EDD98EAEE08FE/debsig.gpg \
    --import PACKAGE-GPG-KEY-fwbuilder.asc 
          

Next, create the debsig-verify policy file:

mkdir /etc/debsig/policies/EF2EDD98EAEE08FE/
vi /etc/debsig/policies/EF2EDD98EAEE08FE/fwbuilder-testing.pol
          

The policy file is in XML and looks similar to the following:

<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">

<Origin Name="Firewall Builder" id="EF2EDD98EAEE08FE"
Description="Firewall Builder Package"/>

<Selection>
<Required Type="origin" File="debsig.gpg" id="EF2EDD98EAEE08FE"/>
</Selection>

<Verification MinOptional="0">
<Required Type="origin" File="debsig.gpg" id="EF2EDD98EAEE08FE"/>
</Verification>

</Policy>
          

Note how the key fingerprint is used as an ID in all XML elements.
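
The fingerprint check and policy-file steps above, combined into one script as an added example (not part of the Firewall Builder documentation): it derives the debsig ID only when the full 40-digit fingerprint matches a pinned value, then writes the policy shown above. `PINNED_FPR`, the function names and the root-directory argument are assumptions of this example; the sample input is the gpg output printed on this page.

```shell
# Full fingerprint as printed on this page; confirm it over a trusted channel.
PINNED_FPR=53976AA15E712F74947B4496EF2EDD98EAEE08FE

# Constructed sample: the gpg --fingerprint output shown on this page.
sample_gpg_output() {
cat <<'EOF'
pub   1024D/EAEE08FE 2009-05-17
Key fingerprint = 5397 6AA1 5E71 2F74 947B  4496 EF2E DD98 EAEE 08FE
uid                  Firewall Builder Project (Package Signing Key) <pkgadmin@fwbuilder.org>
sub   2048g/FE31D386 2009-05-17
EOF
}

# Read gpg --fingerprint text on stdin. Print the 16-digit debsig ID only when
# all 40 digits match PINNED_FPR; otherwise print nothing and return 1.
# Assumes the "Key fingerprint = ..." layout shown on this page.
debsig_id_from_fingerprint() {
    fpr=$(sed -n 's/^ *Key fingerprint = //p' | head -n 1 | tr -d ' \t' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    [ "$fpr" = "$PINNED_FPR" ] || return 1
    printf '%s\n' "$fpr" | cut -c25-40
}

# Create the keyring directory and policy file under ROOT (hypothetical
# parameter: "/" on a real system, a scratch directory to preview).
write_debsig_policy() {
    root=$1; id=$2
    mkdir -p "$root/usr/share/debsig/keyrings/$id" "$root/etc/debsig/policies/$id"
    pol="$root/etc/debsig/policies/$id/fwbuilder-testing.pol"
    cat > "$pol" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
<Origin Name="Firewall Builder" id="$id" Description="Firewall Builder Package"/>
<Selection>
<Required Type="origin" File="debsig.gpg" id="$id"/>
</Selection>
<Verification MinOptional="0">
<Required Type="origin" File="debsig.gpg" id="$id"/>
</Verification>
</Policy>
EOF
    printf '%s\n' "$pol"
}

# Preview against the sample; only a scratch directory is written.
id=$(sample_gpg_output | debsig_id_from_fingerprint) \
    && write_debsig_policy "$(mktemp -d)" "$id"
```

On a real system, pipe the `gpg --fingerprint` output for the imported key into `debsig_id_from_fingerprint`, pass `/` as the root directory, and then import the key into `debsig.gpg` in the created keyring directory as shown above.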

apt-get, aptitude, and other apt tools save downloaded packages in the directory /var/cache/apt/archives/. You can use debsig-verify to verify the saved copy, as follows:

# debsig-verify /var/cache/apt/archives/libfwbuilder_4.1.3-b3421-ubuntu-maverick-1_amd64.deb 
debsig: Verified package from `package from Firewall Builder' (Firewall Builder)
          

At this point in the process, apt-get and other apt tools call debsig-verify to verify packages they are about to install or upgrade.

2.7.1.2. Troubleshooting .deb Repository Access

After this, you should be able to install and update Firewall Builder packages using synaptic or aptitude.

Note that apt caches package information. Consequently, newly released packages may not match the cached data when you try to install them. Run apt-get update before you install or upgrade packages to refresh the cached data. If you do not, a "Size mismatch" error occurs, which is not very descriptive. If you perform this procedure from the command line using apt-get, the system suggests running apt-get update; the update manager, however, truncates this part of the error message. If this occurs, run apt-get update or aptitude update from the command line before performing the update.

 

Copyright © 2000-2011 NetCitadel, LLC. All rights reserved.