Command reference
A place to note and reference how to run various commands
- apt-key is deprecated, how to add repos and keys
- basic certbot usage
- Stream usb camera with VLC without transcoding
- Git submodules
apt-key is deprecated, how to add repos and keys
This (now) familiar error:
W: GPG error: http://download.example.com/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1140AF8F639E0C39
E: The repository 'http://download.example.com/debian bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
The path where keys are stored has changed, and you need a signed-by attribute in the repo's .list file referencing the key's path.
TLDR
- new path for key files, use /etc/apt/keyrings (or /usr/share/keyrings if it's your repo)
- add a signed-by to the .list file, referencing the filename:
  deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/debian bookworm main
- remove old keys from apt-key
De-armoring the key
Convert the file from ASCII armor to binary format (the pipe is important, haven't found the right args to gpg to do it without stdin).
$ file key.asc
key.asc: OpenPGP Public Key Version 4, Created Mon Nov 9 06:59:32 2020, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate
$ cat key.asc | gpg --dearmor > key.gpg
$ file key.gpg
key.gpg: OpenPGP Public Key Version 4, Created Mon Nov 9 06:59:32 2020, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate
This step isn't really needed; Debian just recommended it for compatibility reasons.
Add the repo referencing the file
Move it into place and ensure correct ownership and permissions:
$ sudo cp key.gpg /etc/apt/keyrings/
$ sudo chown root:root /etc/apt/keyrings/key.gpg
$ sudo chmod 644 /etc/apt/keyrings/key.gpg
Add the repo's .list file with ansible:
- name: add apt repo
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main"
    #repo: "deb [arch=amd64] http://download.proxmox.com/{{ ansible_lsb.id | lower }}/pve {{ ansible_lsb.codename | lower}} pve-no-subscription"
    state: present
    update_cache: false
    filename: /etc/apt/sources.list.d/example
Which should look something like this
$ cat /etc/apt/sources.list.d/example
deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/debian bookworm main
With signed-by referencing where the file exists on your filesystem.
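An added example (not from the original notes): a small POSIX shell check that classifies one-line-style .list entries by whether they carry signed-by and whether the key sits in /etc/apt/keyrings or /usr/share/keyrings. The function names check_entry and audit_file and the sample entries are constructed for illustration; it assumes a single key path per signed-by option.

```shell
#!/bin/sh
# Added example. Classifies one-line-style apt source entries by signed-by.
# Assumes a single key path per signed-by option.

# check_entry LINE prints:
#   skip           not a deb/deb-src entry (comment, blank, other)
#   missing        no signed-by; apt falls back to trusted.gpg and trusted.gpg.d
#   nonstandard:P  key path P is outside the two keyring directories
#   ok:P           key path P is in /etc/apt/keyrings or /usr/share/keyrings
check_entry() {
    line=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
    case $line in
        deb\ *|deb-src\ *) ;;
        *) echo skip; return 0 ;;
    esac
    # Options sit in the [...] group directly after the entry type.
    opts=$(printf '%s\n' "$line" |
        sed -n 's/^deb\(-src\)\{0,1\} *\[\([^]]*\)\].*/\2/p')
    key=
    for opt in $opts; do
        case $opt in
            signed-by=*) key=${opt#signed-by=} ;;
        esac
    done
    if [ -z "$key" ]; then
        echo missing
        return 0
    fi
    case $key in
        /etc/apt/keyrings/*|/usr/share/keyrings/*) echo "ok:$key" ;;
        *) echo "nonstandard:$key" ;;
    esac
}

# audit_file FILE prints "RESULT<TAB>ENTRY" for each deb entry in FILE.
audit_file() {
    while IFS= read -r l || [ -n "$l" ]; do
        r=$(check_entry "$l")
        [ "$r" = skip ] || printf '%s\t%s\n' "$r" "$l"
    done < "$1"
}

# Constructed sample standing in for a file under /etc/apt/sources.list.d/
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb [arch=amd64 signed-by=/etc/apt/keyrings/key.gpg] http://download.example.com/debian bookworm main
deb http://download.example.com/debian bookworm main
deb [signed-by=/root/key.gpg] http://download.example.com/debian bookworm main
EOF
audit_file "$sample"
rm -f "$sample"
```

To check a real system, call audit_file on each file in /etc/apt/sources.list.d/ ending in .list; entries reported as missing are still verified against every key in the legacy trusted keyrings.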
Alternative repo definitions and ansible modules
Alternatively use the deb822_repository module:
- name: add your repo
  deb822_repository:
    name: example
    types: deb
    uris: http://download.example.com/{{ ansible_distribution | lower }}
    suites: "{{ ansible_distribution_release }}"
    components: stable
    architectures: amd64
    signed_by: /etc/apt/keyrings/key.gpg
Or, even more alternatively, instead of a .list file, create a .sources file like /etc/apt/sources.list.d/example.sources:
Types: deb
URIs: http://download.example.com/{{ ansible_distribution | lower }}
Suites: {{ ansible_distribution_release }}
Components: main
Signed-By: /etc/apt/keyrings/key.gpg
Clean up old keys from apt-key
Then clean up the key from apt-key if it was there already. List existing keys with
$ sudo apt-key list
Debian/Ubuntu keys are still there for compatibility reasons, so grep them out:
$ sudo apt-key list | grep uid | grep -vi debian
If that turns up any keys, delete them:
$ sudo apt-key del support@example.com
Now you can apt update and apt install and etc.
basic certbot usage
Create (request) a new cert for ${name}:
certbot certonly -d ${name}
The new cert exists in the certbot-managed dir /etc/letsencrypt/live:
~:$ ls -d /etc/letsencrypt/live/${name}
/etc/letsencrypt/live/${name}
If you need to delete/revoke a cert for ${name}:
certbot delete --cert-name ${name}
Stream usb camera with VLC without transcoding
cvlc v4l2:///dev/video0 --sout '#standard{access=http,mux=ts,dst=:8080}'
Git submodules
By default they are added at fixed commits. Now git can set submodules to track branches. It's still fiddly and I'm not sure it's working correctly for me.
Adding a new submodule tracking $branch:
branch=main
# add submodule to track a branch
git submodule add -b $branch $url;
# update submodule
git submodule update --remote
Change an existing submodule to track $branch:
submodule=foo
branch=main
# change the submodule definition in the parent repo
git config -f .gitmodules submodule.${submodule}.branch $branch
# and make sure the submodule itself is actually at that branch
cd $submodule
git checkout $branch
git branch -u origin/$branch $branch
This is how I have currently used it in ben/builds, but not sure it's correct. Also not sure that repo is a good idea or if I should go back to separate repos.
References
- Stack Overflow: How can I specify a branch/tag when adding a Git submodule? - Answer for new submodules
- Stack Overflow: How can I specify a branch/tag when adding a Git submodule? - Answer for existing submodules
- Stack Overflow: Force Git modules to always stay current