gitea debian package repository with testing/trixie/13

Gitea is awesome for self-hosting git repos. One of the neat features it has is package repository hosting, including for debian (their docs on this in general). For debian stable/bookworm/12, this works seamlessly at least in my experience.

Things get a bit hairier once you start using testing (trixie/13 at present). The root problem is that the go pgp library used produces signatures that the new apt tooling in 13 does not like, specifically in regards to signature verification. See here for an example bug report / fix. “apt update” from a testing machine will fail with ugly mumbling along the lines of “OpenPGP signature verification failed, sub-process sqv returned an error code (god hates you, everything is ruined forever) , error message is demonic howling, signing key unknown, E_FUCKED, no binding signature on this shit, boss!”. (God help you if google search lands you here on those keywords.) Gitea 1.24 contains newer dependencies that should fix this. BUT! The debian package repository signing key material has to be regenerated. And that is where the fun starts, as there’s no way to do this via web ui or cli as far as I can tell.

This process seems to do the right things, but it is admittedly a big hassle:

  1. upgrade to 1.24.latest if not already done
  2. delete all package versions/files through web ui. there should be no debian repo listed in the packages page
  3. open up your database and delete the debian.private.key and debian.public.key rows for your user in the user_settings table (whether sqlite, postgres, whatever)
  4. (I also got paranoid here and went on a cleaning sweep for all things “debian” in the package* tables as there were remnants despite there being no visible listing for a debian package repo after the delete package step above. I have not verified if this step is required, but it doesn’t seem to hurt per se.)
  5. this part is important: restart the gitea service
  6. re-upload your package file(s). you should notice the upload take a hair longer, as it’s regenerating the repository.key et al.
  7. to verify, curl https://your-gitea-host:3000/api/packages/yourusername/debian/repository.key -o test, gpg --show-keys test. the dates shown should be the current day if everything worked.
  8. you’ll have to re-download the repository.key into /etc/apt/keyrings/gitea-yourusername.asc (or wherever you put it, matching the signed-by bit in the list file establishing gitea as a repo debian can draw from)
  9. apt update / upgrade should now work
You might be fooled, as I was, that the gitea command line “admin regenerate keys” command might do something useful to solve this, but alas it does not.
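As an added example (not from the original post), here are steps 7 and 8 as one script that refuses to install the key unless its creation date shows gitea really regenerated it. The host, user and keyring path are placeholder environment variables; it assumes gpg 2.x colon-format output, where field 6 of the pub line is the creation time in epoch seconds.

```shell
#!/bin/sh
# Added example, not from the original post: fetch the regenerated repository.key,
# confirm it is fresh (step 7) and install it where the signed-by= entry of the apt
# list file points (step 8). Host, user and keyring path are placeholders.
set -eu

GITEA_HOST="${GITEA_HOST:-https://your-gitea-host:3000}"
GITEA_USER="${GITEA_USER:-yourusername}"
KEYRING="${KEYRING:-/etc/apt/keyrings/gitea-${GITEA_USER}.asc}"

# key_is_fresh FILE NOW: FILE holds `gpg --with-colons --show-keys` output; field 6
# of the pub line is the primary key's creation time (epoch seconds, gpg 2.x).
# Succeeds only if the key was created within the last 24h, i.e. gitea regenerated
# it after the cleanup; an older date means the stale key material is still there.
key_is_fresh() {
    awk -F: -v now="$2" '
        $1 == "pub" { created = $6; found = 1; exit }
        END { exit (found && now - created >= 0 && now - created < 86400) ? 0 : 1 }
    ' "$1"
}

# install_key: download, check, install. Leaves the keyring untouched when the key
# is stale so apt keeps failing loudly instead of quietly trusting the old key.
install_key() {
    tmp="$(mktemp)"
    curl -fsS "$GITEA_HOST/api/packages/$GITEA_USER/debian/repository.key" -o "$tmp"
    gpg --with-colons --show-keys "$tmp" > "$tmp.cols"
    if ! key_is_fresh "$tmp.cols" "$(date +%s)"; then
        echo "repository.key was not regenerated (creation date is not today)" >&2
        rm -f "$tmp" "$tmp.cols"
        return 1
    fi
    # the path must match the signed-by= bit in the .list / .sources file
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp" "$tmp.cols"
    echo "installed fresh repository.key to $KEYRING; now run apt update"
}

if [ "${1:-}" = "install" ]; then
    install_key
fi
```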

Another year, another update, take 2025

Well, the Tories were tossed out on their ears. That’s good. The reform scum are surging in their place. That’s bad. The US did, in fact, against all reason take that swerve into crazyland and 45 is now 47 and wouldn’t we all be happier if he was 86’d? What a country. There’s just too damn many people on this earth who are dumber than dogshit, mad about it, and willing to make it everyone’s problem. It’s a crying shame when somehow they stumble into power.

We’ve got a new berner pup, Ms. Athena. She’s sixty pounds of adorable in a ten pound sack, has the attitude of a hundred firecrackers, and for some reason also answers to Teapot. Your guess is as good as mine on that front.

Kirsti and the boys remain much the same. All of us older, none of us that much wiser. ;) I take that back, I have been encouraged by occasional sparks of reason and maturity from both boys, however fleeting in their completely adorable tween bodies. (Kirsti of course remains brilliant and breathtaking and wise and kind and funny and creative; I married so far out of my league you’d need a space telescope to see it.)

In closing I’d like to note that immigration is hard and expensive. We are *incredibly privileged* as immigrants go and it’s still quite an undertaking. My sympathy for those making a go of it in the US is all the stronger.

a new pc.o?!

After 15 years, I might be leaving linode. Linode has, by and large, been very good to me, and I will always be thankful for their service. Recently I got sort of a wild hair and decided to look around to see if I could get a better deal than the admittedly already de minimis amount I was paying per month. Well, long story short, I can. Hetzner is giving me twice the cpu and four times the ram for about the same price. For now, this site is still hosted on linode, but I’m in the process of moving things. The only “drawback” per se is the new server is hosted in the EU and not the US, which means some degree of added hassle if I need to vpn into a US address space to access something. It’s amazing what capabilities you can get for ~$5/mo these days, though.

UPDATE: Site moved (give or take, depending on dns propagation delay). If you experience unexpected weirdness, reach out!

Another year, another update, take 2024

The move to Scotland went about as well as could be hoped for. We’re unbelievably privileged to go through the process of emigration with one of us being a citizen already, and with (I try to say honestly and without undue attempt at bragging) a decently-sized cushion of money. It’s still a *massive* pain in the ass. Even everyday trivialities like driver licensing and paying taxes are an order of magnitude more complex than you’d expect or hope for.

It’s beautiful here, and I’m glad that we’re ~half way through the time needed to get the kids dual citizenship because it gives them an out if the US goes sour long term. I’m not sold on the UK. As an immigrant, every interaction with the british bureaucracy has had an air of “who the fuck are you?” and quite honestly I look around and reply “who the fuck are you to be asking?” I’m doing your English asses a *favor* by being here. This is no exaggeration; I pay more taxes than the average household gross income in this third rate excuse for a country that still thinks it has an empire and it’s dead obvious for anyone with a functioning brain that England thinks it’s king shit of this place over everyone else. The UK national covid stats reporting doesn’t even include Scotland! You have to go looking through the Scot gov website for that. Scotland would be far better off as a smaller constitutional republic member of the EU instead of eating the table scraps England deigns to give it in the name of “union.” Some would call this arrogance, I call it “I have better options and I’m only here because my love thinks this is the best of them.”

Aside from everyone having covid right now and the UK being expensive and lame, things are actually going pretty well. The boys are, despite their best efforts, growing and learning, we’re happy most of the time, and things will evolve in due time. I really hope the election next week here ditches the idiot Tory brigade that have been infecting the UK since 2010 and that this November the US doesn’t make a hard u-turn into crazyland by reelecting that orange smear of human feces.

pc.o debian upgrade to 12/bookworm

I’m always a bit nervous kicking off remote server OS upgrades, but shoutout to the Debian team for making this another smooth one from 11/bullseye to 12/bookworm. The only quasi-glitch I encountered was that the apache php module wasn’t installed automatically during the upgrade, but that took all of 30 seconds to fix.

another year, another update

Well, it’s been an exciting year. One of my dearest friends passed away. I was diagnosed with diabetes not long after restarting prednisone post-transplant. Since last December, the cool startup job I got went away when we encountered funding difficulties in the second half of this year; I’ve taken a new job with a good team at a much larger and older enterprise (their cool startup days were in the mid-90s). We sold our awesome house and are in advanced stages of emigrating to the UK. Things are never quite what we’d planned or hoped for at the outset, but the journey continues and things are always better than we feared.

replacing the self-signed ssl cert on a TP-Link Omada OC200 Hardware Controller

Since TP-Link’s documentation is *awesome* for this (sarcasm alert), I thought I’d share what I finally figured out to get the self-signed cert replaced with one from a local CA that doesn’t make Chrome complain. This was the result of several hours of fiddling around, waiting for oc200 reboots, and getting uber-helpful error messages from the device (sarcasm meter explodes).

Pre-reqs:
1. passing familiarity with openssl command-line usage, including how to set up a local certificate authority (CA; out of scope for this post/rant but this looks decent as an intro: https://gist.github.com/Soarez/9688998)
2. the patience not to see how far you can shot-put the oc200 device
3. some machine with openssl installed (I used a linux machine running ubuntu 20.04 fwiw)

First, you’ll want to create a config file to save typing later and enable Subject Alternative Names for your cert (so the same cert’ll be valid from the controller raw ip, or name, or short name). Call it san.conf or similar.

[req]
req_extensions = req_ext
distinguished_name = req_distinguished_name
prompt=no

[req_distinguished_name]
countryName =
stateOrProvinceName =
localityName =
organizationalUnitName =
commonName =
emailAddress =

[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1=192.168.5.2
DNS.1=oc200.lan.example.com
DNS.2=oc200


Now, on to making the actual cert (filenames may of course be altered to your taste, just be consistent):

1. openssl req -new -keyout oc200.key -sha256 -config san.conf -out oc200.csr
a. note that you probably want a password here (it encrypts the private key).
b. if you’re ok with a less secure key sans password, add a -nodes argument above

2. openssl x509 -req -days 365 -in oc200.csr -CA -CAkey -CAcreateserial -extensions req_ext -extfile san.conf -out oc200.crt
a. note that recent chrome builds are moving to deny validity of certs with longer than one year. (imho this is overkill for rfc1918 networks, but c’est la guerre.)

3. openssl pkcs12 -export -in oc200.crt -inkey oc200.key -out oc200.pfx -CApath /etc/ssl/certs/ -CAfile -caname root -name oc200 -chain
a. note that you probably want to use a password here as well
b. note also that the Omada web ui is picky about filename extensions. you’ll want your pkcs12-exported cert file name to end in “.pfx” to keep it happy on upload later
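As an added example that is not part of the original post, here are the three openssl steps above as one script, followed by the checks worth running before uploading the .pfx (chain verifies against the CA, SANs are present, lifetime is within the 398-day limit Chrome and Safari enforce, and the .pfx opens with its password). It assumes your CA cert and key are named ca.crt and ca.key (placeholders) and that the san.conf above has its DN fields filled in.

```shell
#!/bin/sh
# Added example, not from the original post: the three openssl steps above as one
# script, followed by the checks worth running before uploading the .pfx. Assumes a
# local CA cert and key (placeholder names ca.crt / ca.key) and the san.conf above
# with its DN fields filled in.
set -eu

# build_cert NAME SAN_CONF CA_CRT CA_KEY DAYS KEY_PASS PFX_PASS
build_cert() {
    name=$1 san=$2 ca_crt=$3 ca_key=$4 days=$5 key_pass=$6 pfx_pass=$7
    # step 1: password-protected key plus a CSR carrying the SANs from san.conf
    openssl req -new -keyout "$name.key" -sha256 -config "$san" \
        -passout "pass:$key_pass" -out "$name.csr" || return 1
    # step 2: CA-signed cert; -extensions/-extfile copy the SANs into the cert
    openssl x509 -req -days "$days" -in "$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -extensions req_ext -extfile "$san" -out "$name.crt" || return 1
    # step 3: PKCS#12 bundle with the chain, named .pfx for the Omada upload form
    openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -passin "pass:$key_pass" \
        -CAfile "$ca_crt" -caname root -name "$name" -chain \
        -passout "pass:$pfx_pass" -out "$name.pfx" || return 1
}

# check_cert NAME CA_CRT PFX_PASS: the cert chains to the CA, carries SANs, lives at
# most 398 days (the limit Chrome and Safari enforce), and the .pfx opens.
check_cert() {
    name=$1 ca_crt=$2 pfx_pass=$3
    openssl verify -CAfile "$ca_crt" "$name.crt" >/dev/null || return 1
    openssl x509 -in "$name.crt" -noout -ext subjectAltName | grep -q 'DNS:' || return 1
    # -checkend N succeeds if the cert is still valid N seconds from now; for a cert
    # issued today that means its lifetime exceeds N, which is what we reject
    if openssl x509 -in "$name.crt" -noout -checkend $((398 * 86400)) >/dev/null; then
        echo "$name.crt: valid for more than 398 days, Chrome will reject it" >&2
        return 1
    fi
    openssl pkcs12 -in "$name.pfx" -info -nokeys -passin "pass:$pfx_pass" >/dev/null 2>&1
}

# usage: KEY_PASS=... PFX_PASS=... sh mkcert.sh build   (script name is a placeholder)
if [ "${1:-}" = "build" ]; then
    build_cert oc200 san.conf ca.crt ca.key 365 "$KEY_PASS" "$PFX_PASS"
    check_cert oc200 ca.crt "$PFX_PASS"
fi
```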

From here, with the pfx file and (optionally, but recommended) the key and pfx passwords, you can proceed to Settings > Controller > HTTP Certificate section, upload your pfx file, fill in any required passwords (be sure to pay attention to which password is which re: key vs cert file aka keystore), and save at the bottom of the screen. You will then want to go to Settings > Maintenance > Hardware Controller section and reboot (this will take several minutes to complete).

You may also need to do a full flush of your browser’s cache if there were earlier attempts with the same identity cert (e.g. accidentally making it valid for too long and learning a painful lesson). You will need to import the root CA cert into your browser/OS trusted roots collection as well if you haven’t already done so (out of scope for this, but googling something like “import root ca cert ” would help).

Hope this saves someone a few hours of irritation. :)

new job! :D

After five years at Oracle, I got thoroughly fed up with BigCo bullshit and have switched to an early-stage startup at a friend’s recommendation. This will be the fourth company I’ve worked with him at over the last ~20 years. It is *so nice* to get back into days that are filled with code instead of meetings, and with a tech stack I like to boot (java, linux, postgres, AWS) as well as some tasty new things to explore. (I typo’d that as explode at first and let’s be real, that’d work too for technology.)

pc.o update heh

pc.o is now on debian buster after being on stretch for a while. no underlying hardware changes this time around.