Wednesday, April 30, 2014

Private Debian secure apt repository

Secure apt was introduced in Debian 3 (Sarge) in 2005.  Secure apt requires a cryptographic (PGP) signature on the Release file, not on the deb packages.  Without secure apt, installation of packages will prompt for verification before proceeding.

Trivial apt repositories use a simple flat file structure, but do not support "secure apt".  Hence, to set up an apt repository (such as a Personal Package Archive, PPA) that does not prompt for verification of package updates, it is necessary to configure a non-trivial apt repository.

The non-trivial repository file structure must contain:
debian
 + dists
     + { archive, e.g. stable } / Release, Release.gpg (package release info)
         + { component, e.g. main }
             + { architecture, e.g. binary-amd64 } / Packages, Packages.gz, Release (architecture release info)
             + source / (if empty, source packages will not be available)
 + pool /*.deb (Packages)


To set up signing on the server, install and run gpg. An RSA key is required, 4096 bytes recommended. If a blank password is used you will not be prompted for a password to sign the Release file.


Notes:
* The package Release file *must* contain a line for "Suite: "
* Create the Packages files *before* creating the package Release file.


To create the package list Release file, use an application like apt-ftparchive. Note that the files listed in the Release file must be relative to the debian/dists/{archive} directory. E.g.:
 cd /var/www/debian/dists/stable
 echo "Suite: stable" > Release
 apt-ftparchive release . >> Release

One example method of signing the Release file (run in the same directory where the Release file was created):
 cd /var/www/debian/dists/stable
 gpg --default-key "My key name" -abs -o Release.gpg Release

To use the repository on a client, add a line to /etc/apt/sources.list.d/custom.list:
 deb http://{server}/debian/  {archive}  {component}

To remove the verification prompt on the client, export the key from the server, transfer it to the client and install it to apt:
Server: gpg --armor --export "My key name" > myserver.gpg.key
Client: apt-key add myserver.gpg.key
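
A check to run before signing, as an added example that is not part of the original post: it parses a Release file, confirms the "Suite:" line is present, and verifies that every SHA256 entry is relative to the dists/{archive} directory and still matches the file on disk (which catches a Packages file regenerated after the Release file). The function names and the sample tree are constructed for illustration.

```python
import hashlib, os, tempfile

def parse_release(text):
    """Return (fields, entries); entries maps relative path -> (sha256, size)."""
    fields, entries, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):  # indented entry: " <hash> <size> <path>"
            if section == "SHA256":
                digest, size, path = line.split()
                entries[path] = (digest, int(size))
        elif ":" in line:
            section, _, value = line.partition(":")
            fields[section] = value.strip()
    return fields, entries

def check_release(archive_dir):
    """Return a list of problems found in archive_dir/Release (empty if none)."""
    with open(os.path.join(archive_dir, "Release")) as fh:
        fields, entries = parse_release(fh.read())
    problems = [] if fields.get("Suite") else ["missing Suite field"]
    for path, (digest, size) in sorted(entries.items()):
        full = os.path.join(archive_dir, path)
        if os.path.isabs(path) or ".." in path.split("/"):
            problems.append(f"{path}: not relative to the archive directory")
        elif not os.path.isfile(full):
            problems.append(f"{path}: listed but not found")
        else:
            with open(full, "rb") as fh:
                data = fh.read()
            if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
                problems.append(f"{path}: size or SHA256 mismatch (stale Release?)")
    return problems

def build_sample(root, stale=False):
    """Constructed sample tree: dists/{archive} with a single Packages file."""
    rel = "main/binary-amd64/Packages"
    os.makedirs(os.path.join(root, os.path.dirname(rel)))
    body = b"Package: demo\nVersion: 1.0\n"
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(body)
    with open(os.path.join(root, "Release"), "w") as fh:
        fh.write(f"Suite: stable\nSHA256:\n {hashlib.sha256(body).hexdigest()} {len(body)} {rel}\n")
    if stale:  # simulate Packages being regenerated after Release was written
        with open(os.path.join(root, rel), "ab") as fh:
            fh.write(b"\nPackage: demo2\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_release(build_sample(tmp, stale=True)))
```

On a real server, call check_release("/var/www/debian/dists/stable") after running apt-ftparchive and sign only if the returned list is empty.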



Friday, April 25, 2014

Flash Player with QtWeb

QtWeb 3.8.5 on Linux uses the following location to load the Flash Player plugin:
/usr/lib64/nsbrowser/plugins/libflashplayer.so
The file should be marked as executable.
Note, according to Qt Project documentation QtWebKit will also search other paths - for details see:
http://qt-project.org/doc/qt-4.8/qtwebkit.html#netscape-plugin-support

Because QtWeb is 32-bit this can conflict with other web browsers installed on 64-bit Linux.  To avoid this issue put the libflashplayer.so file in another location such as:
/usr/local/lib32/qtweb/plugins/libflashplayer.so
Then edit the desktop file to use an Exec line such as:
Exec=env MOZ_PLUGIN_PATH=":/usr/local/lib32/qtweb/plugins" /usr/local/bin/QtWeb
 - this will apply the environment variable only to the process where QtWeb is launched.


To see other files and locations that QtWeb is trying to access you can use strace:
strace -e open QtWeb
or to grep a specific keyword (e.g. plugin):
strace -e open QtWeb 2>&1 | grep -i plugin