🆕 [Debian/Ubuntu users] Feedback on new package feed

[shiftkey]

I'm looking to migrate away from PackageCloud for many reasons, and after a bunch of false starts I have a new server setup with the necessary keys and bits that this should work as-is:

https://apt.packages.shiftkey.dev/

Relevant steps:

• install the GPG key associated with the signing key

wget -qO - https://apt.packages.shiftkey.dev/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/shiftkey-packages.asc > /dev/null

• add the package feed to apt

sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/shiftkey-packages.gpg] https://apt.packages.shiftkey.dev/ubuntu/ any main" > /etc/apt/sources.list.d/shiftkey-packages-desktop.list'

• Refresh the feed

sudo apt update

If you have a previous version of github-desktop installed, you should be able to upgrade to the latest release from earlier this week, otherwise you can manually install the latest version 3.1.7-linux1:

sudo apt install github-desktop

Before I update the docs to point everyone to this I figure I'd open this up to anyone who wants to test it out and ensure I haven't missed any details...

[mwt]

Cool. I have a script that I've been using for a while over here:

https://github.com/mwt/desktop-makerepo

The script scans the github releases and adds new apt/rpm to the repos. There might be something useful in there that you can use (particularly the steps after scanning releases for rpm).

Edit: The repo works for me.

[jfgordon2]

Tested successfully on Ubuntu 22.04 - looking great 👍

[mwt]

I should set the origin of my mirror to these two new feeds so that packages are updated. If I do this, I think existing users will get a gpg error because they key likely changed. I think this is fine.

I could get around this by setting the new repo in a different path (i.e. not /ghd/) and put a more descriptive error on the old path that sends people to an issue that explains the transition. This is probably the smart way.

[mwt]

I set up a mirror from the new origins here:
https://mirror.mwt.me/shiftkey-desktop/

It seems to be working. There are two options:

1. Move /shiftkey-desktop/ -> /ghd/. Users will get a GPG error and come to the repo where they will see updated instructions.
2. Update readme to /shiftkey-desktop/ and put a descriptive error on /ghd/ so that users understand that they have to transition.

I think 2 will result in fewer issues being filed here.

[phanect]

@shiftkey Thanks for creating the official deb repository!

Unfortunately, it didn't work as expected on my end.
I use KDE neon, an Ubuntu variant. I think it should not so different from Ubuntu.

I installed the GPG key and repository info as written in the README.

wget -qO - https://apt.packages.shiftkey.dev/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/shiftkey-packages.asc > /dev/null
sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/shiftkey-packages.asc] https://apt.packages.shiftkey.dev/ubuntu/ any main" > /etc/apt/sources.list.d/shiftkey-packages.list'

Then I ran sudo apt update, but GPG error was raised.

$ sudo apt update
Hit:1 http://download.virtualbox.org/virtualbox/debian jammy InRelease
Hit:2 https://dl.google.com/linux/chrome/deb stable InRelease                                                                                                                                                     
Hit:3 https://apt.releases.hashicorp.com jammy InRelease                                                                                                                                                          
Hit:4 http://packages.microsoft.com/repos/code stable InRelease                                                                                                                                                   
Hit:5 https://download.docker.com/linux/ubuntu jammy InRelease                                                                                                                                                    
Hit:6 https://deb.nodesource.com/node_18.x jammy InRelease                                                                                                                                                        
Get:7 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]                                                                                                                                         
Hit:8 http://archive.ubuntu.com/ubuntu jammy InRelease                                                                                                           
Get:9 https://apt.packages.shiftkey.dev/ubuntu any InRelease [1,226 B]                                                                                           
Err:9 https://apt.packages.shiftkey.dev/ubuntu any InRelease                                                                                                                   
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]                                                                    
Hit:11 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease                                                                         
Get:12 http://archive.neon.kde.org/user jammy InRelease [178 kB]                                                                                       
Reading package lists... Done                                                                       
W: GPG error: https://apt.packages.shiftkey.dev/ubuntu any InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
E: The repository 'https://apt.packages.shiftkey.dev/ubuntu any InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
$
$ cat /etc/apt/sources.list.d/shiftkey-packages.list 
deb [arch=amd64 signed-by=/etc/apt/keyrings/shiftkey-packages.asc] https://apt.packages.shiftkey.dev/ubuntu/ any main
$ ls /etc/apt/keyrings/shiftkey-packages.asc
/etc/apt/keyrings/shiftkey-packages.asc

I found InRelease may have wrong Origin and Label: https://apt.packages.shiftkey.dev/ubuntu/dists/any/InRelease
In InRelease, Origin and Label's values are packages.shiftkey.online, while the actual hostname is apt.packages.shiftkey.dev.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: packages.shiftkey.online
Label: packages.shiftkey.online
Codename: any
Date: Sun, 19 Feb 2023 20:32:57 UTC
Architectures: amd64
Components: main
Description: Package feed for GitHub Desktop on Linux packages
...

Can you check the configuration?
Thanks!

[mwt]

@phanect afaik origin and label shouldn't cause an error like that. For example, these always differ from the hostname of any mirror (such as the official Ubuntu mirrors) and there is no issue caused by this.

The InRelease has the right signature. Perhaps there is something wrong with your local copy of shiftkey-packages.asc? Try running:

gpg --show-keys /etc/apt/keyrings/shiftkey-packages.asc

The output should be something like:

pub   ed25519 2023-02-19 [SC] [expires: 2028-02-18]
      4E02A356A18314B00A481F067FC979028B1997C1
uid                      Brendan Forster <packages@brendanforster.com>
sub   cv25519 2023-02-19 [E] [expires: 2028-02-18]

If not, then the first command (wget -qO - https://apt.packages.shiftkey.dev/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/shiftkey-packages.asc > /dev/null) should be rerun.

[shiftkey]

@phanect that's a good point - I'll get that into an update when I generate the next release, but I don't think that's why you're seeing GPG errors with the feed. As @mwt mentioned, let's confirm the GPG key you have is which one we expect to have...

[phanect]

@mwt @shiftkey Thanks for your assistance.

I have run the command, and it shows the identical result as @mwt's output:

$ gpg --show-keys /etc/apt/keyrings/shiftkey-packages.asc
pub   ed25519 2023-02-19 [SC] [expires: 2028-02-18]
      4E02A356A18314B00A481F067FC979028B1997C1
uid                      Brendan Forster <packages@brendanforster.com>
sub   cv25519 2023-02-19 [E] [expires: 2028-02-18]

afaik origin and label shouldn't cause an error like that.

If I remember correctly, it caused an error when I was trying to create a deb repo.
Actually, I was working on creating a deb repo for github-desktop these two or three days. (I didn't know @shiftkey is working on creating the repo by himself 😂)
While I was working on it, I changed the hostname from deb.phanective.org to apt.phanective.org, but I forgot to change the Origin and Label, and it caused an error.

KDE neon uses PackageKit as a package manager frontend while it is based on apt and deb, so perhaps it might have more strict restrictions than Ubuntu.

[mwt]

Hmm. The only thing I can think of is that there is possibly some other file in /etc/apt/sources.list.d/ with the same link without the signed-by part?

KDE neon uses PackageKit as a package manager frontend while it is based on apt and deb, so perhaps it might have more strict restrictions than Ubuntu.

I don't think so. Too much would break. An example from the legacy packagecloud mirror:
https://mirror.mwt.me/ghd/deb/dists/any/InRelease

The purpose of origin is not to copy the hostname. Apt already knows the hostname. It's purpose is to give the canonical source.

Edit: Maybe also try replacing the .asc extension with .gpg. Apt might be assuming that the key is armored.

[phanect]

@mwt Thanks.

Hmm. The only thing I can think of is that there is possibly some other file in /etc/apt/sources.list.d/ with the same link without the signed-by part?

I confirmed there is only one file pointing to apt.packages.shiftkey.dev repo in /etc/apt/sources.list.d.

$ cat /etc/apt/sources.list.d/*
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu   jammy stable
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main
deb http://archive.neon.kde.org/user jammy main
deb-src http://archive.neon.kde.org/user jammy main
deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x jammy main
deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x jammy main
deb https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy main
deb [arch=amd64 signed-by=/etc/apt/keyrings/shiftkey-packages.asc] https://apt.packages.shiftkey.dev/ubuntu/ any main
deb http://download.virtualbox.org/virtualbox/debian jammy contrib
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

I also tried to your mirror (mirror.mwt.me) and apt update also raised the same error.

$ sudo apt update
Hit:1 http://download.virtualbox.org/virtualbox/debian jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease                                                                                                                                                    
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease                                                                                                                                                     
Hit:4 http://packages.microsoft.com/repos/code stable InRelease                                                                                                             
Hit:5 https://apt.releases.hashicorp.com jammy InRelease                                                                                                                                                          
Get:6 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]                                                                                                                                         
Hit:7 http://archive.ubuntu.com/ubuntu jammy InRelease                                                                                                                                                  
Get:8 https://deb.nodesource.com/node_18.x jammy InRelease [4,563 B]                                                                                                                                     
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]                                                                                                                                           
Get:10 https://apt.packages.shiftkey.dev/ubuntu any InRelease [1,226 B]                                                                                                                                           
Err:10 https://apt.packages.shiftkey.dev/ubuntu any InRelease                                                                                                                                                     
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
Get:11 https://mirror.mwt.me/shiftkey-desktop/deb any InRelease [1,226 B]                                                                                                                     
Err:11 https://mirror.mwt.me/shiftkey-desktop/deb any InRelease                                                                                                                                                   
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
Get:12 https://deb.nodesource.com/node_18.x jammy/main amd64 Packages [777 B]                                                                                                 
Get:13 http://security.ubuntu.com/ubuntu jammy-security/main amd64 DEP-11 Metadata [41.6 kB]                                                                                          
Get:14 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 DEP-11 Metadata [15.2 kB]                                                              
Hit:15 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease                                
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 DEP-11 Metadata [101 kB]                     
Get:17 http://archive.neon.kde.org/user jammy InRelease [178 kB] 
Get:18 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 DEP-11 Metadata [267 kB]
Get:19 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 DEP-11 Metadata [940 B]
Reading package lists... Done               
W: GPG error: https://apt.packages.shiftkey.dev/ubuntu any InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
E: The repository 'https://apt.packages.shiftkey.dev/ubuntu any InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://mirror.mwt.me/shiftkey-desktop/deb any InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
E: The repository 'https://mirror.mwt.me/shiftkey-desktop/deb any InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Edit: Maybe also try replacing the .asc extension with .gpg. Apt might be assuming that the key is armored.

Unfortunately, it didn't solve the problem.

$ sudo mv /etc/apt/keyrings/shiftkey-packages.asc /etc/apt/keyrings/shiftkey-packages.gpg
$ sudo mv /etc/apt/keyrings/mwt-desktop.asc /etc/apt/keyrings/mwt-desktop.gpg
$ sudo apt update
Hit:1 http://download.virtualbox.org/virtualbox/debian jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease                                                                                                                                                    
Hit:3 http://packages.microsoft.com/repos/code stable InRelease                                                                                                                                                   
Hit:4 https://dl.google.com/linux/chrome/deb stable InRelease                                                                                                                                                     
Hit:5 https://apt.releases.hashicorp.com jammy InRelease                                                                                                                                                          
Hit:6 https://deb.nodesource.com/node_18.x jammy InRelease                                                                                                                                                        
Get:7 https://mirror.mwt.me/shiftkey-desktop/deb any InRelease [1,226 B]                                                                                                                                          
Err:7 https://mirror.mwt.me/shiftkey-desktop/deb any InRelease                                                                                                                                                  
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
Hit:8 http://archive.ubuntu.com/ubuntu jammy InRelease                                                                                                 
Hit:9 http://security.ubuntu.com/ubuntu jammy-security InRelease                                                                                       
Hit:10 http://archive.ubuntu.com/ubuntu jammy-updates InRelease                                                                  
Get:11 https://apt.packages.shiftkey.dev/ubuntu any InRelease [1,226 B]                                                          
Err:11 https://apt.packages.shiftkey.dev/ubuntu any InRelease                     
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
Hit:12 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease
Get:13 http://archive.neon.kde.org/user jammy InRelease [178 kB]
Reading package lists... Done    
W: GPG error: https://mirror.mwt.me/shiftkey-desktop/deb any InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
E: The repository 'https://mirror.mwt.me/shiftkey-desktop/deb any InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://apt.packages.shiftkey.dev/ubuntu any InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FC979028B1997C1
E: The repository 'https://apt.packages.shiftkey.dev/ubuntu any InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Thanks anyway for your advice.

[mwt]

Unfortunately, it didn't solve the problem.

You need to change the signed-by strings in the source list file to use the new path that you moved the files to.

[phanect]

Unfortunately, it didn't solve the problem.

You need to change the signed-by strings in the source list file to use the new path that you moved the files to.

Year, I just noticed I forgot to change signed-by in the shiftkey-packages.list 😅
By changing that, the problem was resolved.

$ sudo apt update
Hit:1 http://download.virtualbox.org/virtualbox/debian jammy InRelease
Hit:2 http://packages.microsoft.com/repos/code stable InRelease                                                                                                                                                   
Hit:3 https://deb.nodesource.com/node_18.x jammy InRelease                                                                                                                                                        
Hit:4 https://dl.google.com/linux/chrome/deb stable InRelease                                                                                                                                                     
Hit:5 https://download.docker.com/linux/ubuntu jammy InRelease                                                                                                                                                    
Hit:6 https://apt.releases.hashicorp.com jammy InRelease                                                                                                                                                          
Hit:7 http://security.ubuntu.com/ubuntu jammy-security InRelease                                                                                                                                                  
Get:8 https://apt.packages.shiftkey.dev/ubuntu any InRelease [1,226 B]                                                                                                                    
Get:9 https://mirror.mwt.me/shiftkey-desktop/deb any InRelease [1,226 B]                                                                                                                  
Get:10 https://apt.packages.shiftkey.dev/ubuntu any/main amd64 Packages [617 B]                                                                                     
Hit:11 http://archive.ubuntu.com/ubuntu jammy InRelease                                                                                   
Hit:12 http://archive.ubuntu.com/ubuntu jammy-updates InRelease                                                                    
Get:13 https://mirror.mwt.me/shiftkey-desktop/deb any/main amd64 Packages [617 B]                                                
Hit:14 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease
Get:15 http://archive.neon.kde.org/user jammy InRelease [178 kB]
Fetched 181 kB in 2s (87.1 kB/s)   
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
$ cat /etc/apt/sources.list.d/shiftkey-packages.list 
deb [arch=amd64 signed-by=/etc/apt/keyrings/shiftkey-packages.gpg] https://apt.packages.shiftkey.dev/ubuntu/ any main

Thanks so much for your assistance!

[mwt]

Unfortunately, it didn't solve the problem.

You need to change the signed-by strings in the source list file to use the new path that you moved the files to.

Year, I just noticed I forgot to change signed-by in the shiftkey-packages.list 😅
By changing that, the problem was resolved.

$ sudo apt update
Hit:1 http://download.virtualbox.org/virtualbox/debian jammy InRelease
Hit:2 http://packages.microsoft.com/repos/code stable InRelease                                                                                                                                                   
Hit:3 https://deb.nodesource.com/node_18.x jammy InRelease                                                                                                                                                        
Hit:4 https://dl.google.com/linux/chrome/deb stable InRelease                                                                                                                                                     
Hit:5 https://download.docker.com/linux/ubuntu jammy InRelease                                                                                                                                                    
Hit:6 https://apt.releases.hashicorp.com jammy InRelease                                                                                                                                                          
Hit:7 http://security.ubuntu.com/ubuntu jammy-security InRelease                                                                                                                                                  
Get:8 https://apt.packages.shiftkey.dev/ubuntu any InRelease [1,226 B]                                                                                                                    
Get:9 https://mirror.mwt.me/shiftkey-desktop/deb any InRelease [1,226 B]                                                                                                                  
Get:10 https://apt.packages.shiftkey.dev/ubuntu any/main amd64 Packages [617 B]                                                                                     
Hit:11 http://archive.ubuntu.com/ubuntu jammy InRelease                                                                                   
Hit:12 http://archive.ubuntu.com/ubuntu jammy-updates InRelease                                                                    
Get:13 https://mirror.mwt.me/shiftkey-desktop/deb any/main amd64 Packages [617 B]                                                
Hit:14 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease
Get:15 http://archive.neon.kde.org/user jammy InRelease [178 kB]
Fetched 181 kB in 2s (87.1 kB/s)   
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
$ cat /etc/apt/sources.list.d/shiftkey-packages.list 
deb [arch=amd64 signed-by=/etc/apt/keyrings/shiftkey-packages.gpg] https://apt.packages.shiftkey.dev/ubuntu/ any main

Thanks so much for your assistance!

Oof. No problem!

I guess some versions of apt assume that any .asc key is ASCII-armored.

@shiftkey readme should probably have all instances of .asc replaced with .gpg.

[phanect]

I opened #839 to fix the README.

[phanect]

@mwt Oops, you also wrote the same patch. Then just close my PR :)

[mwt]

@mwt Oops, you also wrote the same patch. Then just close my PR :)

No, that's good! I just won't finish making mine.

[remlapmot]

Thanks so much for making this Linux build and adding this package feed - I really appreciate it.

I'm leaving this comment in case anyone else hits the very minor issue I did.

I found that (perhaps because I haven't added a package feed before) that the directory /etc/apt/keyrings was missing on my Ubuntu Focal in WSL. So when I first ran you commands they failed with the following message

$ wget -qO - https://apt.packages.shiftkey.dev/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/shiftkey-packages.gpg > /dev/null
[sudo] password for tom:
tee: /etc/apt/keyrings/shiftkey-packages.gpg: No such file or directory

This was simply solved by creating the directory with

sudo mkdir /etc/apt/keyrings

and then running your instructions.

[mwt]

I found that (perhaps because I haven't added a package feed before) that the directory /etc/apt/keyrings was missing on my Ubuntu Focal in WSL.

That's a good point. I think I had to create this directory the first time even in Jammy. Though, I might be misremembering. If you want to rectify:

sudo mkdir -p /etc/apt/keyrings && wget ...

(at some point, these may just become lines in an install script...)