From 21cc6a48132fea10c678c3e851c49e03fd49da84 Mon Sep 17 00:00:00 2001 From: Jessey van Offeren Date: Fri, 22 May 2026 15:44:41 +0200 Subject: [PATCH] docs: document the proper (GPG-verified, deb822) apt setup Replace the trusted=yes apt instructions with the proper method: read:package token, registry signing key dearmored into /etc/apt/keyrings, credentials in auth.conf.d, and a modern deb822 .sources file with Signed-By + Architectures: all. Keeps the trusted=yes one-liner as a noted fallback for unsigned registries. Co-Authored-By: Claude Opus 4.7 (1M context) --- README.md | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 34f2cb0..5913a63 100644 --- a/README.md +++ b/README.md 
@@ -41,22 +41,39 @@ apt pulls the GUI dependencies (PySide6, pyte) automatically: sudo apt install ./rigdoctor_*_all.deb # CLI only: add --no-install-recommends ``` -**Or add the apt repository** for `apt install` + automatic updates: +**Or add the apt repository** for `apt install` + automatic updates. The registry is private and +GPG-signed, so you need a Gitea token with **`read:package`**, the signing key, and the deb822 +source (`read -rsp` keeps the token out of your shell history): ```bash -# the registry is private, so give apt a token (a Gitea PAT with read:package) -echo "machine git.jesseyvanofferen.com login password " \ - | sudo tee /etc/apt/auth.conf.d/rigdoctor.conf -sudo chmod 600 /etc/apt/auth.conf.d/rigdoctor.conf +read -rsp 'Gitea read:package token: ' TOKEN; echo -echo "deb [trusted=yes] https://git.jesseyvanofferen.com/api/packages/jessey/debian stable main" \ - | sudo tee /etc/apt/sources.list.d/rigdoctor.list +# signing key → dearmored into the keyring (the key endpoint requires the token too) +sudo install -d -m 0755 /etc/apt/keyrings +curl -fsSL --user :"$TOKEN" \ + https://git.jesseyvanofferen.com/api/packages/jessey/debian/repository.key \ + | sudo gpg --dearmor -o /etc/apt/keyrings/gitea-jessey.gpg + +# download credentials, kept out of the sources file +printf 'machine git.jesseyvanofferen.com login password %s\n' "$TOKEN" \ + | sudo tee /etc/apt/auth.conf.d/rigdoctor.conf >/dev/null +sudo chmod 0600 /etc/apt/auth.conf.d/rigdoctor.conf + +# the source (modern deb822 format, GPG-verified, all-arch) +sudo tee /etc/apt/sources.list.d/rigdoctor.sources >/dev/null <<'EOF' +Types: deb +URIs: https://git.jesseyvanofferen.com/api/packages/jessey/debian +Suites: stable +Components: main +Architectures: all +Signed-By: /etc/apt/keyrings/gitea-jessey.gpg +EOF sudo apt update && sudo apt install rigdoctor ``` -Then `sudo apt upgrade` keeps it current. 
*(If your server serves a signed registry, drop the -`auth.conf.d` file and replace `[trusted=yes]` with `[signed-by=…]` + the `repository.key`.)* +Then `sudo apt upgrade` keeps it current. *(Quick-and-dirty alternative if the registry isn't +signed: skip the key and use a one-line `deb [arch=all trusted=yes] …/debian stable main` source.)* ### Any distro — self-extracting `.run` (no root)
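Review bot: The `repository.key` step pipes whatever the server returns straight into `gpg --dearmor -o /etc/apt/keyrings/gitea-jessey.gpg` with no fingerprint check, so the key that `Signed-By` pins is trusted on first download from the same host that serves the packages. Suggest publishing the key fingerprint in the README and having the reader save the key to a file, compare the output of `gpg --show-keys` against that fingerprint, and only then dearmor it into the keyring. In the credentials step, `tee` creates `/etc/apt/auth.conf.d/rigdoctor.conf` with the default mode and `chmod 0600` only runs afterwards, so the token briefly sits in a file that other local users may be able to read. Creating the file first with `sudo install -m 0600 /dev/null /etc/apt/auth.conf.d/rigdoctor.conf` closes that window. `curl --user :"$TOKEN"` also places the token on curl's command line, and the block never runs `unset TOKEN` once the files are written. The `trusted=yes` fallback sentence should state that it turns off signature verification for this source, so readers know what they give up by choosing it.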