Command reference

A place to note and reference how to run various commands

apt-key is deprecated, how to add repos and keys

This (now) familiar error:

W: GPG error: http://download.example.com/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1140AF8F639E0C39
E: The repository 'http://download.example.com/debian bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

The path where keys are stored has changed, and you need a signed-by attribute in the repo .list file referencing the key's path.

TLDR

  • new path for key files, use /etc/apt/keyrings (or /usr/share/keyrings if it's your repo)
  • add a signed-by to the .list file, referencing the filename:
    deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/debian bookworm main
    
  • remove old keys from apt-key

De-armoring the key

Convert the file from ASCII armor to binary format (the pipe is important, haven't found the right args to gpg to do it without stdin).

$  file key.asc
key.asc: OpenPGP Public Key Version 4, Created Mon Nov  9 06:59:32 2020, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

$ cat key.asc| gpg --dearmor > key.gpg

$ file key.gpg
key.gpg: OpenPGP Public Key Version 4, Created Mon Nov  9 06:59:32 2020, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

This step isn't really needed, Debian just recommended it for compatibility reasons.

Add the repo referencing the file

Move it into place and ensure correct ownership:

$ sudo cp key.gpg /etc/apt/keyrings/
$ sudo chown root:root /etc/apt/keyrings/key.gpg
$ sudo chmod 644 /etc/apt/keyrings/key.gpg

Add the repo's .list file with Ansible:

- name: add apt repo
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main"
    #repo: "deb [arch=amd64] http://download.proxmox.com/{{ ansible_lsb.id | lower }}/pve {{ ansible_lsb.codename | lower}} pve-no-subscription"
    state: present
    update_cache: false
    filename: /etc/apt/sources.list.d/example

Which should look something like this:

$ cat /etc/apt/sources.list.d/example
deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/debian bookworm main

With signed-by referencing where the file exists on your filesystem.

Alternative repo definitions and Ansible modules

Alternatively use the deb822_repository module:

- name: add your repo
  deb822_repository:
    name: example
    types: deb
    uris: http://download.example.com/{{ ansible_distribution | lower }}
    suites: "{{ ansible_distribution_release }}"
    components: stable
    architectures: amd64
    signed_by: /etc/apt/keyrings/key.gpg

Or, as a further alternative to a .list file, create a .sources file like /etc/apt/sources.list.d/example.sources:

Types: deb
URIs: http://download.example.com/{{ ansible_distribution | lower }}
Suites: {{ ansible_distribution_release }}
Components: main
Signed-By: /etc/apt/keyrings/key.gpg

Clean up old keys from apt-key

Then clean up the key from apt-key if it was there already. List existing keys with

$ sudo apt-key list

Debian/Ubuntu keys are still there for compatibility reasons, so grep them out:

$ sudo apt-key list | grep uid | grep -vi debian

If that turns up any keys, delete them:

$ sudo apt-key del support@example.com

Now you can apt update, apt install, etc.
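
To check that the migration is complete, this added example (not part of the original notes) scans one-line-style .list files for active entries that have no signed-by option, which apt verifies against every key in the global trusted keyring, or whose signed-by keyring file is not readable. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag one-line-style .list entries that still rely on the
# global keyring (no signed-by) or name a keyring file that is not readable.

# audit_sources FILE... -> prints "file:line: reason: entry" per finding,
# returns 1 if anything was flagged. Only the first signed-by value is checked.
audit_sources() {
    rc=0
    for f in "$@"; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
            case $line in
                deb[[:space:]]*|deb-src[[:space:]]*) ;;  # active entries only
                *) continue ;;
            esac
            case $line in
                *\[*signed-by=*\]*)
                    key=${line#*signed-by=}
                    key=${key%%\]*}; key=${key%% *}; key=${key%%,*}
                    [ -r "$key" ] && continue
                    reason="keyring not readable ($key)" ;;
                *)  reason="no signed-by" ;;
            esac
            printf '%s:%d: %s: %s\n' "$f" "$n" "$reason" "$line"
            rc=1
        done < "$f"
    done
    return "$rc"
}

# make_sample DIR: writes constructed sample files (not real repos or keys).
make_sample() {
    : > "$1/key.gpg"
    repo="http://download.example.com/debian bookworm main"
    printf '%s\n' "deb [arch=amd64 signed-by=$1/key.gpg] $repo" > "$1/good.list"
    printf '%s\n' "# deb $repo" "deb [arch=amd64] $repo" \
        "deb [signed-by=$1/gone.gpg] $repo" > "$1/bad.list"
}

d=$(mktemp -d) && make_sample "$d"
audit_sources "$d/good.list" "$d/bad.list" || true   # prints the two bad.list entries
rm -rf "$d"
```

On a real host, call it as audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list; deb822 .sources files are not covered by this check.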

basic certbot usage

Create (request) a new cert for ${name}:

certbot certonly -d ${name}

The new cert exists in the certbot-managed dir /etc/letsencrypt/live:

~:$ ls -d /etc/letsencrypt/live/${name}
/etc/letsencrypt/live/${name}

If you need to delete/revoke a cert for ${name}:

certbot delete --cert-name ${name}

Stream usb camera with VLC without transcoding

cvlc v4l2:///dev/video0 --sout '#standard{access=http,mux=ts,dst=:8080}'

Git submodules

By default they are added at fixed commits. Now git can set submodules to track branches. It's still fiddly and I'm not sure it's working correctly for me.

Adding a new submodule tracking $branch:

branch=main

# add submodule to track a branch
git submodule add -b $branch $url;

# update submodule
git submodule update --remote

Change an existing submodule to track $branch:

submodule=foo
branch=main

# change the submodule definition in the parent repo
git config -f .gitmodules submodule.${submodule}.branch $branch

# and make sure the submodule itself is actually at that branch
cd $submodule
git checkout $branch
git branch -u origin/$branch $branch

This is how I have currently used it in ben/builds, but not sure it's correct. Also not sure that repo is a good idea or if I should go back to separate repos.
