PKG-REPO(8)		    System Manager's Manual		   PKG-REPO(8)

NAME
       pkg repo	-- create a package repository catalogue

SYNOPSIS
       pkg repo	[-hlqs]	[-g groups] [-m	meta-file] [-o output-dir] <repo-path>
	   [signer-type:<keyfile> | signing_command: <the command>]

       pkg    repo   [--{hash,list-files,quiet,symlink}]   [--groups   groups]
	   [--meta-file	 meta-file]  [--output-dir   output-dir]   <repo-path>
	   [signer-type:<keyfile> | signing_command: <the command>]

DESCRIPTION
       pkg  repo  is used to create a catalogue	of the available packages in a
       repository.  pkg	repo catalogues	are necessary for sharing your package
       repository, and are intrinsic to	the operation of pkg  install  or  pkg
       upgrade.

       The  current repository format is version 2.  The repository files cre-
       ated by pkg repo	consist	of a UCL metadata file and a set of compressed
       .pkg archives stored at the top level of	the repository filesystem.

       meta.conf is a plain-text UCL file that must exist at the apex  of  the
       repository  filesystem.	 It describes the repository version, compres-
       sion  format,  and  the	names  of   the	  catalogue   archives.	   See
       pkg-repository(5) for a detailed	description of its fields.

       packagesite.pkg	 is   a	  deprecated   compressed  archive  containing
       packagesite.yaml, which lists the metadata for each of the packages  in
       the  repository.	 Each package manifest is represented as a single-line
       compact JSON text, with manifests separated by newlines.	 It  is	 still
       generated for backward compatibility but	is superseded by data.pkg.

       data.pkg	 is  the  primary  catalogue archive.  It contains a JSON file
       with package manifests, package group definitions, and expired  package
       entries.	 See pkg-repository(5) for details.

       filesite.pkg    is    an	  optional   compressed	  archive   containing
       filesite.yaml, a	database of all	files present in all packages  in  the
       repository.  It is only generated when the -l flag is used.

       The  compressed archives	may also contain cryptographic signatures when
       the signing mechanism of	pkg repo is enabled.

       Repository users	download these files to	their  local  machines,	 where
       they are	processed into per-repository sqlite databases for fast	lookup
       of available packages by	programs such as pkg-install(8).

       To  create a package repository catalogue, specify the top-level	direc-
       tory beneath which all the packages are stored as repo-path.  pkg  repo
       will  search the	filesystem beneath repo-path to	find all .pkg files it
       contains.  Directories starting with `.'	or named Latest	are  not  tra-
       versed.

       The repository files will be created in the top-level repository	direc-
       tory  unless  relocated	by  specifying	-o  output-dir or --output-dir
       output-dir.

       Optionally, the repository catalogue may	be  cryptographically  signed.
       This  is	 enabled either	by specifying the path to a private key	as the
       keyfile argument	or by using an external	command.  When	a  keyfile  is
       being used, it may be prefixed by the signer type.  Currently, this may
       be  one	of  rsa, ecdsa,	or eddsa.  ecc is also accepted	as an alias of
       eddsa.  Keys for	the rsa	and ecdsa signers may be generated by  OpenSSL
       or by pkg-key(8).  Keys for the "eddsa" signer may only be generated by
       pkg-key(8).

       If  the	key is used, a hash of the repository is signed	using the pro-
       vided key.  The rsa signer will sign the	SHA256 hash of the repository,
       while the ecdsa and eddsa signers will sign  the	 BLAKE2	 hash  of  the
       repository.  The	signature is added into	the repository catalogue.  The
       client side should use SIGNATURE_TYPE set to PUBKEY and PUBKEY set to a
       local path of the public	key in its repository configuration file.

       An  external  command  can be useful to create a	signing	server to keep
       the private key separate	from the repository.  The external command  is
       passed  the SHA256 of the repository catalogue on its stdin.  It	should
       output the following format:

	     TYPE
	     signer type here (rsa, ecdsa, eddsa)
	     SIGNATURE
	     signature data here
	     CERT
	     public key	data here
	     END

       The TYPE	field is optional if using rsa,	to remain compatible with  ex-
       ternal  signing	commands historically in use.  Note that the SIGNATURE
       field's data may	require	an extra newline after it if the signature  is
       output  in  a  binary  format.  The CERT	field may contain binary data,
       but pkg(8) will search the tail of it for the missing END if  the  two
       run together.

       When  using  an	external  command,  the	 client's  pkg.conf  must have
       SIGNATURE_TYPE set to FINGERPRINTS and FINGERPRINTS set to a  directory
       having  a  trusted/myrepo containing a fingerprint style	representation
       of the public key:

	     function: sha256
	     fingerprint: "sha256_representation_of_the_public_key"

       See the "EXAMPLES" section and pkg.conf(5) for more information.

       Signing the catalogue is	strongly recommended.

OPTIONS
       The following options are supported by pkg repo:

       -g groups, --groups groups
	      Set the group ownership of the repository	files to groups.

       -h, --hash
	      Append a short hash of the package contents to the package file-
	      name.  This is the same as setting the PKG_REPO_HASH environment
	      variable.

       -l, --list-files
	      Generate a list of all files in the repository as the  filesite.pkg
	      archive.

       -m meta-file, --meta-file meta-file
	      Use the specified	file as	repository meta	file  instead  of  the
	      default settings.

       -o output-dir, --output-dir output-dir
	      Create  the repository in	the specified directory	instead	of the
	      package directory.

       -q, --quiet
	      Force quiet output.

       -s, --symlink
	      Create a symlink between the hashed  filename  and  the  regular
	      filename.	 Only useful in	combination with -h.  This is the same
	      as setting the PKG_REPO_SYMLINK environment variable.

FILES
       See pkg.conf(5).

ENVIRONMENT
       PKG_REPO_HASH	 When set, rename packages with	the short hash of con-
			 tents appended	to the filename.

       PKG_REPO_SYMLINK	 When  set,  create  a	symlink	between	the short hash
			 filename and the regular filename.

SEE ALSO
       pkg_create(3),	pkg_printf(3),	  pkg_repo_create(3),	 pkg_repos(3),
       pkg-keywords(5),	 pkg-lua-script(5),  pkg-repository(5),	pkg-script(5),
       pkg-triggers(5),	  pkg.conf(5),	 pkg(8),   pkg-add(8),	 pkg-alias(8),
       pkg-annotate(8),	   pkg-audit(8),    pkg-autoremove(8),	 pkg-check(8),
       pkg-clean(8),	 pkg-config(8),	    pkg-create(8),	pkg-delete(8),
       pkg-fetch(8),  pkg-help(8),  pkg-info(8),  pkg-install(8),  pkg-key(8),
       pkg-lock(8),	pkg-plugins(8),	    pkg-query(8),     pkg-register(8),
       pkg-repositories(8),    pkg-rquery(8),	 pkg-search(8),	   pkg-set(8),
       pkg-shell(8), pkg-shlib(8), pkg-ssh(8), pkg-stats(8),  pkg-triggers(8),
       pkg-unregister(8),   pkg-update(8),   pkg-updating(8),  pkg-upgrade(8),
       pkg-version(8), pkg-which(8)

EXAMPLES
       Create an RSA key pair:

	     % openssl genrsa -out repo.key 2048
	     % chmod 0400 repo.key
	     % openssl rsa -in repo.key	-out repo.pub -pubout

       Create a	repository and sign it with a local RSA	key.  The  public  key
       would be	shared on all client servers with SIGNATURE_TYPE set to	PUBKEY
       and  its	 path  set  via	PUBKEY setting in the repository configuration
       file:

	     pkg repo /usr/ports/packages repo.key

       Create a	repository and sign it with an external	command.   The	client
       should  set,  via  the repository configuration file, SIGNATURE_TYPE to
       FINGERPRINTS and	FINGERPRINTS to	a path	containing  a  file  with  the
       SHA256 of the public key:

	     # On signing server:
	     % cat > sign.sh <<	'EOF'
	     #!/bin/sh
	     # The quoted EOF keeps $sum from being expanded while the file is written.
	     read -t 2 sum
	     [ -z "$sum" ] && exit 1
	     echo SIGNATURE
	     echo -n "$sum" | /usr/bin/openssl dgst -sign repo.key -sha256 -binary
	     echo
	     echo CERT
	     cat repo.pub
	     echo END
	     EOF

	     # On package server:
	     % pkg repo	/usr/ports/packages signing_command: ssh signing-server	sign.sh
	     # Generate	fingerprint for	sharing	with clients
	     % sh -c '(	echo "function:	sha256"; echo "fingerprint: \"$(sha256 -q repo.pub)\"";	) > fingerprint'
	     # The 'fingerprint' file should be	distributed to all clients.

	     # On clients with FINGERPRINTS: /usr/local/etc/pkg/fingerprints/myrepo:
	     $ mkdir -p	/usr/local/etc/pkg/fingerprints/myrepo/trusted
	     # Add 'fingerprint' into /usr/local/etc/pkg/fingerprints/myrepo/trusted

       The above examples can be repeated with OpenSSL creating	a key pair for
       ECDSA:

	     % openssl ecparam -genkey -name secp256k1 -out repo.key -outform DER
	     % chmod 0400 repo.key
	     % openssl ec -in repo.key -out repo.pub -pubout -outform DER

       Prefixing the later repo.key reference with "ecdsa":

	     pkg repo /usr/ports/packages ecdsa:repo.key

       The  signing server example can be used mostly as-is, but with the fol-
       lowing text placed before the SIGNATURE section in the  signing	server
       output:

	     TYPE
	     ecdsa

       For EdDSA instead, create an EdDSA key pair:

	     % pkg key --create	-t eddsa repo.key > repo.pub

       Create  a repository and	sign it	with a local key.  As with the RSA ex-
       ample above, the	public key would be shared on all client servers  with
       SIGNATURE_TYPE  set to PUBKEY and its path set via the PUBKEY option in
       the repository configuration file:

	     pkg repo /usr/ports/packages eddsa:repo.key

       A signing server	for EdDSA could	be constructed with the	--sign option
       of pkg-key(8).

FreeBSD	ports 15.1	       January 17, 2021			   PKG-REPO(8)
